This is not a security problem. This is a case of using an automated tool to find these vulnerabilites and not attempting to understand the code itself. Nowhere in the code is MSG_Error_General() passed anything other than a static compiled-into-the-executable string. It's purely a utility function to wrap common error text/footer/etc. around a generic string. -- Nathan ------------------------------------------------------------ Nathan Neulinger EMail: nneul@umr.edu University of Missouri - Rolla Phone: (573) 341-4841 Computing Services Fax: (573) 341-4216 > -----Original Message----- > From: security-bounces+nneul=umr.edu@lists.umr.edu > [mailto:security-bounces+nneul=umr.edu@lists.umr.edu] On > Behalf Of b0f www.b0f.net > Sent: Wednesday, April 23, 2003 11:06 AM > To: bugtraq@securityfocus.com > Subject: Format strings vuln in CGIwrap > > > > > A locally and possibly remotely exploitable format > strings bug exists > in cgiwrap available from > http://cgiwrap.sourceforge.net/ > http://sourceforge.net/projects/cgiwrap > http://www.freebsd.org/ports/security.html > > I. BACKGROUND > > This is CGIWrap - a gateway that allows more secure > user access to > CGI programs on an HTTPd server than is provided by the > http server > itself. The primary function of CGIWrap is to make > certain that > any CGI script runs with the permissions of the user > who installed > it, and not those of the server. > > CGIWrap works with NCSA httpd, Apache, CERN httpd, > NetSite Commerce > and Communications servers, and probably any other Unix > based web > server software that supports CGI. > > II. DESCRIPTION > > On line 91 of msgs.c the printf() function is used > incorrectly. Which > results > in a format strings vulnerability. > <snip> > void MSG_Error_General(char *message) > { > MSG_Header("CGIWrap Error", message); > printf(message); > MSG_Footer(); > exit(1); > } > </snip> > > The binaries in cgiwrap, (cgiwrap and nph-cgiwrap) are > installed setuid > root. > Thus could make this format problem exploitable locally > to gain root > privs or > possably remotely to gain root or the privs of the user > who owns the cgi > script. > > III. ANALYSIS > An attacker could exploit this issue to escalate privs > locally or > remotely on > a server running cgiwrap. > > IV. DETECTION > > This is vulnerable in the latest version of cgiwrap > version 3.7.1 and > properly > older versions(not checked). It would be exploitable on > any Linux/Unix > based OS > running cgiwrap > > V. VENDOR > The vendor has not been contacted about this issue. > > Regards > b0f (Alan M) > www.b0f.net > _______________________________________________ > UMR Security List Exploder > security@lists.umr.edu > https://lists.umr.edu/mailman/listinfo/security >
