Hello, I found weakness in sdbsearch.cgi script which is a part of Suse distribution. This is perl script and since Suse 7.1 they have introduced some form of protection (interpreter is called with tainting checking). However, I think it isn't enough and this bug still may produce danger. Sdbsearch.cgi trusts content of HTTP_REFERER variable which is set by client side during http's requests. Piece of this data is used to locating file with keywords and referenced files. If there is possiblity to put such file on attacked host (i.e. upload through ftpd) with special content, sdbsearch will use open() to get access to match files. So we can make standard open() pipe based attack (only without -T option). Name of uploaded file has to be "keylist.txt" because we manipulate only on pathname, using double dots. Proof of concept is very simple, just create harmful keylist.txt for instance in /tmp directory and send request to http server like this: GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0 Referer: http://szachy.org/../../../../../tmp (very deep traversal because we don't know what is DOCUMENT_ROOT) and an example content of our /tmp/keylist.txt create like this: $ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt After successful attempt there will be "exploitable" file in /tmp directory. Affected system: Suse 6.x 7.x (7.1 and 7.2 have tainting protection, but even then we can pass sdbsearch files which shouldn't be read) Patch: Just filter HTTP_REFERER variable. - z33d -- je Art_of_self_destruct pushl %eax pushl %eax pushl %ebx pushl %ebx popl %ecx ----== http://z33d.eth-security.net ==---- pushl %eax pushl %eax pushl %ebx pushl %ebx Art_of_self_destruct: hlt
