Steve Grimm Un-CGI Arbitrary Script Execution Flaw

Published: 2001-07-17
Updated: 2001-07-25

Affected systems:

    Steve Grimm Un-CGI 1.9
    Steve Grimm Un-CGI 1.8
    Steve Grimm Un-CGI 1.7
    Steve Grimm Un-CGI 1.6.2
    Steve Grimm Un-CGI 1.6.1
    Steve Grimm Un-CGI 1.6
    Steve Grimm Un-CGI 1.5
    Steve Grimm Un-CGI 1.4
    Steve Grimm Un-CGI 1.3
    Steve Grimm Un-CGI 1.2
    Steve Grimm Un-CGI 1.1
    Steve Grimm Un-CGI 1.0
Description:

BUGTRAQ  ID: 3057
CVE(CAN) ID: CAN-2001-1241

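Un-CGI is a free CGI wrapper application. It is mainly used to parse URL input
and pass it on to CGI applications, and it can be used as a library or run
standalone. When Un-CGI executes a script, it does not check whether the
corresponding executable bit is set; combined with the ability to write files
to the server, this allows arbitrary commands to be executed.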

<* Source: Khamba Staring (purrcat@edoropolis.org) *>
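
The kind of pre-execution check whose absence the description reports, together with the path confinement the workaround patch below attempts, as an added example (not code from Un-CGI or from the patch author). The function names, the scratch paths and the policy of refusing setuid/setgid files are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700   /* for realpath() and mkdtemp() */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 only if `path` resolves strictly inside `base` (base must not be "/"). */
int confined_to(const char *base, const char *path)
{
    char rbase[PATH_MAX], rpath[PATH_MAX];
    size_t n;
    if (!realpath(base, rbase) || !realpath(path, rpath))
        return 0;                       /* unresolvable: fail closed */
    n = strlen(rbase);
    /* the match must end on a component boundary: /cgi-bin vs /cgi-bin2 */
    return strncmp(rbase, rpath, n) == 0 && rpath[n] == '/';
}

/* 1 only for a regular file, executable by this uid, not setuid/setgid. */
int safe_to_run(const char *path)
{
    struct stat st;
    if (stat(path, &st) == -1 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_ISUID | S_ISGID)))  /* assumed policy: refuse these */
        return 0;
    return access(path, X_OK) == 0;
}

/* Constructed demo: scratch directory, one result bit per check. */
int demo(void)
{
    char dir[] = "/tmp/uncgi-demo-XXXXXX", p[PATH_MAX];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(p, sizeof p, "%s/upload.sh", dir);
    if ((fd = open(p, O_CREAT | O_WRONLY, 0644)) == -1) return -1;
    close(fd);                              /* as an uploader leaves it */
    r |= confined_to(dir, p);               /* bit 0: inside base -> 1 */
    r |= safe_to_run(p) << 1;               /* bit 1: no x bit    -> 0 */
    chmod(p, 0755);
    r |= safe_to_run(p) << 2;               /* bit 2: executable  -> 1 */
    chmod(p, 04755);
    r |= safe_to_run(p) << 3;               /* bit 3: setuid      -> 0 */
    r |= confined_to(dir, "/bin/sh") << 4;  /* bit 4: outside     -> 0 */
    unlink(p); rmdir(dir);
    return r;
}
```

Both checks are made on a path name, so a wrapper that uses them should run them immediately before the exec and on the same resolved path it then executes.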



Recommendation:

Temporary workaround:

The following patch, provided by Khamba Staring (purrcat@edoropolis.org), is a
temporary workaround.

--------------------------------------------------------------------------
--- uncgi.c.old Thu Jul 12 12:42:09 2001
+++ uncgi.c Thu Jul 12 13:24:35 2001
@@ -60,6 +60,14 @@

char *id = "@(#)uncgi.c 1.33 11/24/97";

+
+void four_oh_three()
+{
+ printf("Content-Type: text/htm\n\n");
+ printf("You have no permission!\n");
+ exit(1);
+}
+
/*
* Convert two hex digits to a value.
*/
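
Review bot: four_oh_three() sends "Content-Type: text/htm", a typo for text/html, and it emits no "Status: 403" header, so despite its name a refused request is answered with the default success status. Suggest printing "Status: 403 Forbidden" followed by "Content-Type: text/html" and the blank line before the message.
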
@@ -373,6 +381,18 @@
char *shell, *script;
{
char *argvec[4], **ppArg = argvec, *pz;
+ struct stat f_stat;
+
+ if(stat(script, &f_stat) == -1)
+ html_perror("stat (something like this; dunno what html_perror does
exactly)");
+
+/*
+** this should probably be expanded a bit; maybe check for S_IXUSR, S_IXGRP
+** and S_IXOTH or the likes. Maybe add extra checks for suid or let the
+** shell figure that out?
+*/
+ if(!(f_stat.st_mode & S_IXUSR))
+ html_perror("not executable");

/*
* "shell" really points to the character following the "#!",
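
Review bot: in the checks added after the argvec declaration, a failed stat() is only reported through html_perror(); unless that function never returns (the string passed to it says the author was unsure), f_stat is then read uninitialised by the S_IXUSR test, so return or exit explicitly after the error. The S_IXUSR test also looks only at the owner's execute bit, not at whether the user the wrapper runs as may execute the file; access(script, X_OK), or testing the bit that applies to the running uid, matches the intent stated in the comment. The string literal in the first html_perror() call is split across two lines and will not compile as posted.
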
@@ -542,6 +562,21 @@
#endif
}

+int check_path(char *evilpath)
+{
+#define RP_PATHLEN 1024
+ char resolved_path[RP_PATHLEN];
+
+ if(!realpath(evilpath, resolved_path))
+ return(0); /* evil path cannot be read; this can't be good! */
+
+ if(strncmp(SCRIPT_BIN, resolved_path, strlen(SCRIPT_BIN) - 1) == 0)
+ return(1); /* yay! */
+ else
+ return(0); /* boo! */
+}
+
+
#ifndef LIBRARY /* { */
main(argc, argv)
int argc;
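
Review bot: in check_path(), strncmp() is given strlen(SCRIPT_BIN) - 1, so the last character of SCRIPT_BIN is never compared and nothing requires the match to end at a path separator; a resolved path in a sibling directory whose name starts with the same characters passes. Compare the full strlen(SCRIPT_BIN) and require the next character of resolved_path to be '/'. Separately, realpath() may write up to PATH_MAX bytes into its output buffer, so resolved_path should be sized PATH_MAX rather than the local RP_PATHLEN of 1024.
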
@@ -600,6 +635,11 @@
strcpy(program, SCRIPT_BIN);
strncat(program + sizeof(SCRIPT_BIN) - 1, pathinfo, proglen);

+#ifndef VOID_SECURITY
+ if(!check_path(program))
+ four_oh_three();
+#endif
+
#ifdef DEBUG
printf("Program path is '%s'\n", program);
fflush(stdout);
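
Review bot: the check_path() call added in main() validates the realpath()-resolved name, but program itself stays unresolved and is what the later execv(program, argvec) runs, so a path component changed between the check and the exec is not covered; carry the resolved path forward and execute that. The VOID_SECURITY macro that compiles the check out is not described anywhere in the patch; either drop the opt-out or document it.
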
@@ -700,6 +740,9 @@
*/
argvec[0] = program;
argvec[1] = NULL;
+/*
+** shouldn't we check for suid stuff here?!
+*/
execv(program, argvec);

#ifdef __MSDOS__ /* { */
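
Review bot: the comment added before execv(program, argvec) asks whether setuid files should be checked, but the hunk adds no code, and the S_IXUSR test from the earlier hunk sits in the function that takes shell and script, not on this path. Either add a stat() here that refuses files with S_ISUID or S_ISGID set (and non-regular files), or take the open question out of the source and track it separately.
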

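Vendor patch:

The vendor has not yet provided a patch or upgrade. We recommend that users of
this software watch the vendor's home page for the latest version: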
http://www.midwinter.com/~koreth/uncgi.html


This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; do not reproduce without permission.