6736868 2001-07-11 22:03 -0400  /119 lines/ qDefense Advisories <advisories@qdefense.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-12  09:21  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17933>
Subject: Multiple CGI Flat File Database Manipulation Vulnerability -
------------------------------------------------------------
 qDefense Advisory Number QDAV-2001-7-1
From: qDefense Advisories <advisories@qdefense.com>
To: bugtraq@securityfocus.com
Message-ID: <4.3.2.7.2.20010711215403.00afd9b0@compumodel.com>


Multiple CGI Flat File Database Manipulation Vulnerability
qDefense Advisory Number QDAV-2001-7-1

Product: Numerous CGIs

Vendor: Numerous vendors

Severity: Remote; severity varies, but the flaw can often be used to attain
CGI administrator status, which can result in read/write/execute
privileges.

Cause: Failure to validate input

In short: Numerous CGIs store data, including passwords, in a flat
file database, using special characters as field and row
delimiters. An attacker may be able to manipulate these
databases. While many types of CGIs may be vulnerable, CGIs which
allow multiple users to log on, and grant certain users privileged
or administrator status, are most likely to be exploitable.


The current version of this document is available at 
http://qDefense.com/Advisories/QDAV-2001-7-1.html.

Details: Many CGIs store data in a flat file database.

Note: A flat file database is a standard text file used to store
database-style (i.e., fields and rows) information. Fields are
delimited by a special character, such as a pipe symbol ( | ) or a
colon ( : ). Rows are usually delimited by a newline. A common
example is the Unix /etc/passwd file.

Unfortunately, data stored in this format is often susceptible to
manipulation by an attacker. When the database is used to store both
user-supplied data (such as an e-mail address) and system data
(such as user privileges), an attacker may be able to manipulate the
system data. By inserting a row or field delimiting character into
the user-supplied data, the attacker can fool the database into
treating part of the user-supplied data as the system data of
a different row or field.

This is best illustrated by an example:

A particular CGI allows multiple users to log on to a web site. It
allows anyone to log on, but provides additional privileges to
paying customers. Furthermore, the webmaster may log on to modify
the CGI settings. The CGI stores the user data in a flat file
database, using the pipe symbol ( | ) as a field delimiter, and a
newline as a row delimiter. The database stores the following
fields: password, logon name, privilege level, first name, last
name, and e-mail address. Here is a sample file:

qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com
moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com
nopla|iceman|paying|Alfred|Lehoya|js124@abracadabra.com
sillypassword|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org


By registering with a last name containing URL-encoded newlines and
pipes, an attacker can embed a second line into his last name, which
will be recorded as an entirely new line in the password file,
containing whatever information the attacker wants. For instance, an
attacker may register as follows:

Username = dummyuser
Password = gotya
Firstname = John
Lastname = Doe\nlivetohack|evilhacker|admin|Evil|Hacker
Email = evil@hackerstogo.com

Note: The "\n" symbol indicates the newline character, ASCII value 10.
When URL-encoded and submitted properly, this will add two lines to the
database. The example database will now look like this:



qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com
moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com
nopla|iceman|paying|Alfred|Lehoya|js124@abracadabra.com
sillypassword|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org
gotya|dummyuser|normal|John|Doe
livetohack|evilhacker|admin|Evil|Hacker|evil@hackerstogo.com

As you can see, a new entry, evilhacker, has been added with full admin
status, while the attacker's own row (dummyuser) is left one field short.

Solution:

Ideally, SQL databases should be used instead of flat file
databases. If this is not viable, CGI developers should ensure that
their CGIs remove delimiter characters from user-supplied data. A
redundant check for delimiters immediately before writing to the database
is also advisable.
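The following is an added example, not code from the advisory or from any of the CGIs it refers to. It models the advisory's scenario in Python: a flat file with the six fields above, a write routine that stores form values verbatim (the pattern the advisory describes), and a hardened write that rejects any user-supplied field containing a pipe, newline or carriage return and re-checks the assembled row before it is written (the "redundant check" of the Solution section). A row parser that refuses rows with the wrong field count is included, since an existing database can be audited with it. The sample database, the form field names and the query strings are constructed for this example.

```python
import re
import urllib.parse

# Field layout from the advisory's example file.
FIELDS = ("password", "logon", "privilege", "first", "last", "email")
FIELD_SEP = "|"
ROW_SEP = "\n"

# Constructed sample database, mirroring the advisory's example.
SAMPLE_DB = (
    "qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com\n"
    "moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com\n"
)

# Characters that must never reach the file inside a field.
FORBIDDEN = re.compile(r"[|\r\n]")


def decode_form(query):
    """URL-decode a submitted query string the way a CGI would; this is
    where %0A and %7C turn back into a real newline and pipe."""
    parsed = urllib.parse.parse_qs(query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def parse_db(text):
    """Parse the flat file into dicts. Rows with the wrong number of fields
    are returned separately instead of being silently accepted."""
    rows, malformed = [], []
    for line in text.split(ROW_SEP):
        if not line:
            continue
        parts = line.split(FIELD_SEP)
        if len(parts) != len(FIELDS):
            malformed.append(line)
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows, malformed


def admins(text):
    """Logon names holding admin privilege, in file order."""
    rows, _ = parse_db(text)
    return [r["logon"] for r in rows if r["privilege"] == "admin"]


def append_user_unsafe(db, form):
    """Vulnerable pattern: form values are joined and written verbatim,
    so a delimiter inside a value rewrites the row structure."""
    row = FIELD_SEP.join([form["password"], form["username"], "normal",
                          form["firstname"], form["lastname"], form["email"]])
    return db + row + ROW_SEP


def clean_field(value):
    """Reject (rather than quietly strip) any field carrying a delimiter."""
    if FORBIDDEN.search(value):
        raise ValueError("delimiter character in user-supplied field")
    return value


def append_user_safe(db, form):
    """Hardened write: each user-supplied field is validated, and the
    assembled row is checked again before it touches the file."""
    values = [clean_field(form["password"]), clean_field(form["username"]),
              "normal",
              clean_field(form["firstname"]), clean_field(form["lastname"]),
              clean_field(form["email"])]
    row = FIELD_SEP.join(values)
    # Redundant check: exactly one row, exactly six fields.
    if ROW_SEP in row or row.count(FIELD_SEP) != len(FIELDS) - 1:
        raise ValueError("assembled row is malformed")
    return db + row + ROW_SEP


def safe_register(db, form):
    """Wrapper returning (new_db, error) so the caller can log a rejected
    registration instead of crashing the CGI."""
    try:
        return append_user_safe(db, form), None
    except ValueError as exc:
        return db, str(exc)


if __name__ == "__main__":
    # Constructed registration carrying the advisory's embedded row.
    hostile = decode_form(
        "username=dummyuser&password=gotya&firstname=John"
        "&lastname=Doe%0Alivetohack%7Cevilhacker%7Cadmin%7CEvil%7CHacker"
        "&email=evil%40hackerstogo.com")
    print("admins after unsafe write:", admins(append_user_unsafe(SAMPLE_DB, hostile)))
    print("safe write result:", safe_register(SAMPLE_DB, hostile)[1])
```

Running the block shows the unsafe write producing a second admin, evilhacker, plus a five-field leftover row for dummyuser, exactly as in the advisory's "after" listing, while the hardened write refuses the registration. Rejecting is preferable to stripping here: silently deleting the delimiter would still let "Doe\nlivetohack|..." register as the last name "Doelivetohackevilhacker...", which hides the attempt from the logs.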

Note:

qDefense originally discovered this vulnerability class when auditing
D.C. Forum, and issued an advisory, DCForum Password File
Manipulation Vulnerability (qDefense Advisory Number
QDAV-5-2000-2). However, further research has shown that this class
of vulnerability is prevalent among CGIs, particularly those which
allow users to log on using passwords. As this form of attack
represents a new method which has not (to qDefense's knowledge) been
publicized as of yet, qDefense has decided to issue a general
advisory, instead of issuing specific advisories for all of the
CGIs that we have found vulnerable.

(C) 2001 qDefense Information Security Consultants. qDefense is a
subsidiary of Computer Modeling, Inc. This document may be
reproduced, in whole or in part, provided that no modifications are
made and that proper credit is given. Additionally, if it is made
available through hypertext, it must be accompanied by a link to the
qDefense web site, http://qDefense.com.

qDefense Advisories
advisories@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER

qDefense offers a wide variety of security services
See http://qDefense.com/Services