A complete revision history is at the end of this file.
The text of this advisory was originally released on March 14, 1996, as AUSCERT Advisory AA-96.01, developed by the Australian Computer Emergency Response Team. Because of the seriousness of the problem, we are reprinting the AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
Note: The vulnerability described in this advisory is being actively exploited.
The CGI program "phf", included with those distributions, is an example of such a vulnerable program. This program may have been installed as part of the installation process for the httpd.
AUSCERT recommends that sites that have installed any CGI program incorporating the vulnerable code (such as "phf") apply one of the workarounds as described in Section 3.
Any program which relies on escape_shell_cmd() to prevent exploitation of shell-based library calls may be vulnerable to attack.
In particular, this includes the "phf" program which is also distributed with the example code. Some sites may have installed phf by default, even though it is not required to run httpd successfully.
Any vulnerable program which is installed as a CGI application may allow unauthorised activity on the HTTP server.
Please note that this vulnerability is not in httpd itself, but in CGI programs which rely on the supplied escape_shell_cmd() function. Any HTTP server (not limited to NCSA or Apache) which has installed CGI programs which rely on escape_shell_cmd() may be vulnerable to attack.
Sites which have the source code to their CGI applications available can determine whether their applications may be vulnerable by examining the source for usage of the escape_shell_cmd() function which is defined in cgi-src/util.c.
Sites which do not have the source code for their CGI applications should contact the distributors of the applications for more information.
It is important to note that attacks similar to this may succeed against any CGI program which has not been written with due consideration for security. Sites using HTTP servers, and in particular CGI applications, are encouraged to develop an understanding of the security issues involved. References in Section 4 provide some initial pointers in this area.
Sites planning to install or write their own CGI programs are encouraged to read the references in Section 4 first.
In particular, sites which have installed the "phf" program and do not require it should disable it. The "phf" program is not required to run httpd successfully. Sites requiring "phf" functionality should apply one of the workarounds given in sections 3.2 and 3.3.
AUSCERT recommends that sites which are currently using CGI programs which use shell-based library calls (such as system() and popen()) consider rewriting these programs to remove direct calls to easily compromised library functions.
Sites should note that this is only one aspect of secure programming practice. More details on this approach and other guidelines for secure CGI programming may be found in the references in Section 4.
http://hoohoo.ncsa.uiuc.edu/beta-1.5
Please note that this is a beta-release of the NCSA httpd and is not a stable version of the httpd. The patched version of cgi-src/util.c may be used independently.
CGI programs which are required and use the escape_shell_cmd() should be recompiled with the new version of cgi-src/util.c and then reinstalled.
Apache have reported that they intend to fix this vulnerability in a future release. Until then the patched version of util.c as supplied in the http1.5.1b3-export release should be compatible.
It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details.
Numerous resources relating to WWW security are available. The following pages provide a useful starting point. They include links describing general WWW security, secure httpd setup and secure CGI programming.
NCSA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/
The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document.
Similar attacks may succeed against other cgi scripts if the scripts are written without appropriate care regarding security issues. We encourage sites to evaluate all programs in their cgi-bin directory and remove any scripts that are not in active use.
We would like to point out that along with "phf" we have received reports that "php" programs are also being exploited.
CERT/CC received the following update from NASIRC concerning the vulnerability described in this advisory:
The routine "escape_shell_cmd()" also occurs in the file "src/util.c". Note that the files "cgi-src/util.c" and "src/util.c" are not identical; however, they both contain an identical copy of the routine "escape_shell_cmd()", which has the vulnerability. The file "src/util.c" is used to build the HTTP daemon, therefore the "newline" hole exists within the server.
The patch recommended by NCSA modifies the routine "escape_shell_cmd()" to expand the list of characters that it will escape. In the routine "escape_shell_cmd()", the line:
Must be changed to:
ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z
MD5 (httpd_1.5.1-export_source.tar.Z) = bcf1fd410b5839c51dc75816a155fbb8
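As an added illustration, not code from this advisory or from NCSA's cgi-src/util.c, of the two points above: the escaping approach whose character list the NASIRC update says the patch expands with newline, and the Section 3 recommendation to avoid shell-based calls or validate input strictly. The metacharacter lists, the allowlist and all function names here are assumptions; the only fact taken from the advisory is that the fix adds newline to the escaped set.

```c
/* Added example, not NCSA's cgi-src/util.c. SHELL_META_OLD is an assumed
 * reconstruction of the original escape set; SHELL_META_NEW adds the
 * newline that the NCSA patch (per the NASIRC update) adds. */
#include <stddef.h>
#include <string.h>

#define SHELL_META_OLD "&;`'\"|*?~<>^()[]{}$\\"
#define SHELL_META_NEW SHELL_META_OLD "\n"

/* Backslash-escape every byte of `in` found in `meta` into `out`
 * (capacity outlen, NUL-terminated). Returns the output length,
 * or -1 if the escaped string would not fit. */
int escape_for_shell(const char *in, const char *meta, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        if (strchr(meta, *in) != NULL) {   /* metacharacter: prefix a backslash */
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Check a site can run against its own escaper's output: returns 1 if a
 * newline reaches the shell without a preceding backslash, which would
 * end the intended command line early. */
int leaves_bare_newline(const char *escaped)
{
    int escaped_prev = 0;
    for (; *escaped != '\0'; escaped++) {
        if (*escaped == '\n' && !escaped_prev) return 1;
        escaped_prev = (*escaped == '\\') && !escaped_prev;
    }
    return 0;
}

/* Allowlist alternative (assumed set): accept only characters a CGI argument
 * plainly needs and reject everything else, instead of trying to enumerate
 * every byte the shell treats specially. Returns 1 if safe, 0 otherwise. */
int cgi_arg_is_safe(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || strchr(" .-_@", c) != NULL;
        if (!ok) return 0;
    }
    return 1;
}
```

Running leaves_bare_newline() over the output of the old list shows the gap the advisory describes; the allowlist check rejects the same input outright, which is the safer pattern for any CGI program that still hands arguments to a shell.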
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
CERT publications and other security information are available from our web site
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Copyright 1996, 1997 Carnegie Mellon University.
Sep. 24, 1997 Updated copyright statement.
June 4, 1997 Updates section - added information about other cgi programs being exploited.
Aug. 30, 1996 Information previously in the README was inserted into the advisory.
Apr. 17, 1996 Updates section - added new information provided by the NASA Automated Systems Incident Response Capability (NASIRC).