CoreHTTP <= 0.5.3.1 Remote Command Execution
CoreHTTP server fails to properly sanitize input before calling popen() and allows an attacker using a standard web browser to execute arbitrary commands.
NOTE: depending on the script and directory permissions, the attacker may not be able to view output.
During code review / debugging of CoreHTTP, a look at http.c source file revealed:
In the above code, only " and \ are escaped, allowing one to specify |`& and any other special formatting.
The URL then gets broken into two parts:
- url (which in this case is a script)
- args (which contains our 'evil' buffer)
There is a caveat, however:
In this, we can see that DIRLIST overwrites the value of url and url overwrites the value of args - so for simple directory listing this vulnerability becomes a bit more difficult to exploit (depending on directory name, the system could still be vulnerable).
Finally, here's the call to popen:
And there you have it. Simply download coreHTTP for yourself, build, enable CGI, touch foo.pl and then send it a request for /foo.pl%60command%26%60 which will set url to /foo.pl and args to `command&` and call popen. Voila!