Un-CGI存在多个漏洞发布时间:2001-07-21 更新时间:2001-07-21 严重程度:中 威胁程度:普通用户访问权限 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 Un-CGI version 1.9详细描述 Un-CGI(http://www.midwinter.com/~koreth/uncgi.html)是前端从UNIX系统 上的WEB中处理请求和表单的,其中存在漏洞可以导致远程用户执行任意代码。 UN-CGI是一个免费CGI WRAPPER程序,可以解析URL编码输入并解释执行,它 可以按照库或者单独方式执行。问题存在于UN-CGI执行上,当UN-CGI执行脚本 时,它没有很好的检查提交请求的程序中是否有执行位。这样就可能存在 执行任意代码的可能。 测试代码 尚无 解决方案 Patch: --- uncgi.c.old Thu Jul 12 12:42:09 2001 +++ uncgi.c Thu Jul 12 13:24:35 2001 @@ -60,6 +60,14 @@ char *id = "@(#)uncgi.c 1.33 11/24/97"; + +void four_oh_three() +{ + printf("Content-Type: text/htm\n\n"); + printf("You have no permission!\n"); + exit(1); +} + /* * Convert two hex digits to a value. */ @@ -373,6 +381,18 @@ char *shell, *script; { char *argvec[4], **ppArg = argvec, *pz; + struct stat f_stat; + + if(stat(script, &f_stat) == -1) + html_perror("stat (something like this; dunno what html_perror does exactly)"); + +/* +** this should probably be expanded a bit; maybe check for S_IXUSR, S_IXGRP +** and S_IXOTH or the likes. Maybe add extra checks for suid or let the +** shell figure that out? +*/ + if(!(f_stat.st_mode & S_IXUSR)) + html_perror("not executable"); /* * "shell" really points to the character following the "#!", @@ -542,6 +562,21 @@ #endif } +int check_path(char *evilpath) +{ +#define RP_PATHLEN 1024 + char resolved_path[RP_PATHLEN]; + + if(!realpath(evilpath, resolved_path)) + return(0); /* evil path cannot be read; this can't be good! */ + + if(strncmp(SCRIPT_BIN, resolved_path, strlen(SCRIPT_BIN) - 1) == 0) + return(1); /* yay! */ + else + return(0); /* boo! */ +} + + #ifndef LIBRARY /* { */ main(argc, argv) int argc; @@ -600,6 +635,11 @@ strcpy(program, SCRIPT_BIN); strncat(program + sizeof(SCRIPT_BIN) - 1, pathinfo, proglen); +#ifndef VOID_SECURITY + if(!check_path(program)) + four_oh_three(); +#endif + #ifdef DEBUG printf("Program path is '%s'\n", program); fflush(stdout); 
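Review bot: The response written by four_oh_three() carries no CGI Status header, so the client receives a 200 with the refusal text despite the function's name, and the Content-Type value `text/htm` is not a registered media type (`text/html` is). Add `printf("Status: 403 Forbidden\r\n");` ahead of the Content-Type line and correct the type to `text/html`. The function also calls printf() and exit(); whether <stdio.h> and <stdlib.h> are already included by the file cannot be seen from this hunk.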
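Review bot: The new executable test checks only S_IXUSR, the owner's execute bit, which says nothing about whether the server's own uid may run the file, and it does not check the file type, so a directory (which normally has S_IXUSR set) passes. Reject non-regular files and test all three execute bits: `if (stat(script, &f_stat) == -1 || !S_ISREG(f_stat.st_mode)) html_perror("not a regular file");` followed by `if (!(f_stat.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) html_perror("not executable");`. Since st_mode is already in hand here, the setuid/setgid question the patch leaves as a comment at the execv() site can be settled at this same point with `S_ISUID | S_ISGID`. Any stat-then-execute check is a time-of-check/time-of-use window; the kernel's permission check at exec time remains the authoritative one, so this is a defence-in-depth filter, not the gate. The enclosing function's name line is above the hunk and its body continues below it.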
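Review bot: check_path() compares only `strlen(SCRIPT_BIN) - 1` leading characters, so the containment test is a bare prefix match that drops the last character of SCRIPT_BIN and never requires a directory boundary after it; a resolved path in a sibling directory whose name shares that prefix is accepted. Compare the full length and require the next character to be a separator or the end of the string: `size_t n = strlen(SCRIPT_BIN); if (strncmp(SCRIPT_BIN, resolved_path, n) == 0 && (resolved_path[n] == '/' || resolved_path[n] == '\0')) return 1;`. If SCRIPT_BIN itself ends in a slash, that is presumably what the `- 1` was meant to accommodate; handle that case explicitly rather than by shortening the compare. The 1024-byte `resolved_path` is also handed to realpath() with no size argument, and the pre-POSIX.1-2008 interface writes up to PATH_MAX bytes into the caller's buffer; declare it `char resolved_path[PATH_MAX];` from <limits.h> instead of the local RP_PATHLEN.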
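Review bot: The VOID_SECURITY build flag added to main() silently compiles the whole containment check out, and nothing in the hunk documents it; a reader seeing the name in a Makefile would not know it disables a security control. Add a comment above the block, e.g. `/* VOID_SECURITY disables the SCRIPT_BIN containment check; never define it in a production build */`, or drop the escape hatch altogether. The `program` buffer being checked is the value later passed to execv(), which is the right object to test, but realpath() and the later exec are separate calls, so a change to the path between them is not caught. main() starts and ends outside this hunk.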
@@ -700,6 +740,9 @@ */ argvec[0] = program; argvec[1] = NULL; +/* +** shouldn't we check for suid stuff here?! +*/ execv(program, argvec); #ifdef __MSDOS__ /* { */ 相关信息 purrcat at edoropolis.org |
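Review bot: The added lines are an open question left in shipped code rather than a decision; a comment asking whether setuid should be checked at the execv() call protects nothing. Either answer it in the stat()-based check earlier in the file, where `st_mode` is already available (`if (f_stat.st_mode & (S_ISUID | S_ISGID)) html_perror("setuid/setgid script refused");`), or record the decision here as a statement of what is and is not checked. The enclosing function starts outside the hunk.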