A locally and possibly remotely exploitable format strings bug exists in cgiwrap available from http://cgiwrap.sourceforge.net/ http://sourceforge.net/projects/cgiwrap http://www.freebsd.org/ports/security.html I. BACKGROUND This is CGIWrap - a gateway that allows more secure user access to CGI programs on an HTTPd server than is provided by the http server itself. The primary function of CGIWrap is to make certain that any CGI script runs with the permissions of the user who installed it, and not those of the server. CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce and Communications servers, and probably any other Unix based web server software that supports CGI. II. DESCRIPTION On line 91 of msgs.c the printf() function is used incorrectly. Which results in a format strings vulnerability. <snip> void MSG_Error_General(char *message) { MSG_Header("CGIWrap Error", message); printf(message); MSG_Footer(); exit(1); } </snip> The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are installed setuid root. Thus could make this format problem exploitable locally to gain root privs or possably remotely to gain root or the privs of the user who owns the cgi script. III. ANALYSIS An attacker could exploit this issue to escalate privs locally or remotely on a server running cgiwrap. IV. DETECTION This is vulnerable in the latest version of cgiwrap version 3.7.1 and properly older versions(not checked). It would be exploitable on any Linux/Unix based OS running cgiwrap V. VENDOR The vendor has not been contacted about this issue. Regards b0f (Alan M) www.b0f.net
