hacking a webserver

Question

Hi I have been tasked with trying to break a proprietary web server program which my company uses, I'm not really having much luck. It is built in c.

It runs as root and I am trying to get it to execute commands. The webserver takes commands posted in the URL and executes these commands with a prefix. Now I can pass any command such as '&_cmd=gettimeout' or '&_cmd=rm'. The program will actually run "prefix rm"

The prefix program will try to run that command in a set of directories, of which no useful unix commands are, therefore will just report back command not found. It is also not possible to pass spaces in the URL such as '&_cmd=rm%20-f' as the php script converts spaces to +. Is there anyway of formatting the &_cmd string to run real unix commands?

Bit of a strange task but I am a placement student doing a security course and my work are attempting to find some work for me regarding my course.

Thanks for your help

Answer 1

Some ideas, might work, might not:

1. Backquotes. With luck, they'll be evaluated before prefix runs. Without luck, they might still serve you somehow.
2. If spaces don't work, why won't you try other kinds of whitespace? There's the tab, and more.
3. You need to find which commands exactly can be used, and figure out if they help.
4. You might find a buffer overrun in one of the allowed commands. Normally, such overruns are not a security risk (if you take over vi, you can't do anything you couldn't do anyway). But in this context, you may be able to exploit them.
5. You may find executables in /proc/, if you can get there - it contains a link to each processes's command.