Introduction:

One simple way to create a server-side dynamic web page which displays different content each time it is viewed is the Common Gateway Interface (CGI). This post will help you understand what a CGI is, how it works and how the CGI-enabled web server is vulnerable to various attacks.

What is a CGI?

Common Gateway Interface, commonly known as CGI, is a specification defined by W3C which helps a web server to render dynamic web pages i.e. creating a customized response based on the request received from the client (user). To generate a response for the request received, a CGI program calls other applications on the server to create a user-specific response. On finishing the required operations, the CGI program returns the output to the web server which then sends a response back to the client (user).

The primary objective of CGI programs is to access other running applications on the server. For example, an interactive web server can use CGI to search for documents, to run authorized commands on the server or to store the information in the server. The CGI program is intelligent enough to detect and provide user-specific information by verifying the authenticity of a user. Most likely, Dropbox uses CGI to provide the user-specific data. However, one could misuse the implementation of CGI scripts to perform unauthorized actions. Most of the web servers will have a directory ‘cgi-bin’ which contains CGI scripts to call other applications on the server. Exploiting these scripts leaves us vulnerable, giving access to the attackers.

Known vulnerabilities of CGI

CVE-1999-0174 –The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

CVE-1999-0237 –Remote execution of arbitrary commands through Guestbook CGI program.

CVE-1999-0260 –The jj CGI program allows command execution via shell metacharacters.

PHF Attack:

The purpose of PHF script, which is installed in ‘cgi-bin’ directory by default, is to provide an example of “Phone Book” functionality on the Web. Misusing the implementation of PHF script allows the attacker to perform unauthorized actions. Internally, this script uses a function ‘escape_shell_cmd()’ which failed to escape special characters like newline (\n or 0x0a). This allows any skilled attacker to construct a URL appending ‘%0a’ to retrieve sensitive information like passwords as shown below

By observing the query string of the URL, the attacker has added a new line code (%0a) and has issued a simple viewing of /etc/passwd via the cat command. The %20 represents an ASCII value for a blank line.

Besides the PHF attack, an attacker took leverage over another script called ‘test-cgi’ which is installed by default in ‘cgi-bin’ to the environment variables while processing the server requests. Again, lack of input validation ‘test-cgi’ left the web server vulnerable allowing an attacker to gain sensitive information with simple malformed URL as shown below

payload: http://www.target-website.com/cgi-bin/test-cgi?Qalias=x%0a/bin/cat%20/etc/passwd

There are few other widely exploited CGI scripts: php.cgi, handler, webgais, websendmail, webdist.cgi

count.cgi – The script is used to count the number of hits for the web pages.

viewsrc.cgi – The script is used to view the source code

payload: http://www.target-website.com/cgi-bin/viewsrc.cgi?loc=../anyfile

Also, using CGI in a web server may leads to denial-of-service. As CGI creates a new process on every request which is again a significant consumption of resource. This may lead to denial-of-service when there are too many requests being processed.

Protection against CGI vulnerabilities

  • Allowing an attacker to run a CGI script arbitrarily in the file system leaves the web server vulnerable. To prevent these vulnerabilities follow the below tips to secure your web server.
  • Use Intrusion Prevention System and Intrusion Detection System. This is really best way to prevent unauthorized access. Two most widely used tools are ‘CGI-IDS’ and ‘ModSecurity’
  • Secure coding practices is most important when it comes to CGI. Poorly written code will let the server vulnerable. Do not let users to manipulate with input through these functions ‘eval()’, ‘popen()’, ‘system()’. Though server side include (SSI) have their own benefits, do not implement it without applying proper authorization.
  • Apache provides the ScriptAlias directive in the ‘httpd.conf’ configuration file, with the syntax ScriptAlias aliasname “/path/to/cgi/directory
  • Don’t use any method for spawning a program that uses any sort of shell to run the program. Stick exclusively to execv.
  • There is another variant of CGI called ‘Fast-CGI’ which results in better performance and security.
  • One can write a custom script to detect CGI attacks via HTTP requests. System Administrator can rule out the IP addresses which seems suspicious
  • Test your CGI-enabled web server with ‘Whisker CGI Scanner’ or Nikto which are good to have tools with many impressive features

Other references: https://tools.ietf.org/html/rfc3050

Credit: ACE Team – Loginsoft