[Repost] AWStats Remote Command Execution Vulnerability
Source: [url]www.securiteam.com[/url]
Summary
AWStats is "a free tool that generates advanced web, ftp or mail server statistics, graphically". Remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the web server.
Credit:
The information has been provided by iDEFENSE. The exploit has been provided by Noam Rathaus of Beyond Security Ltd.
The original article can be found at: [url]http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities[/url]
Details
Vulnerable Systems:
* AWStats version 6.1 and prior
Immune Systems:
* AWStats version 6.3 or newer
The problem specifically exists when the application is running as a CGI script on a web server. The "configdir" parameter contains unfiltered user-supplied data that is passed to the Perl routine open(), as can be seen on line 1082 of awstats.pl:
if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))
The "searchdir" variable holds the value of the attacker-supplied "configdir" parameter. Because the two-argument form of open() interprets the "|" character as a request to open a pipe, an attacker can cause arbitrary commands to be executed by prefixing them with the "|" character.
Analysis:
Successful exploitation allows remote attackers to execute arbitrary commands under the privileges of the web server. This can lead to further compromise as it provides remote attackers with local access.
Workaround:
Add a filter around the "configdir" parameter by replacing the following lines:
if ($QueryString =~ /configdir=([^&]+)/i)
{
$DirConfig=&DecodeEncodedString("$1");
}
With:
if ($QueryString =~ /configdir=([^&]+)/i)
{
$DirConfig=&DecodeEncodedString("$1");
$DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
}
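The open() call and the workaround above, as an added example that is not AWStats code: a short Perl script that applies the advisory's tr/// whitelist to a constructed benign value and to the decoded form of the exploit string shown on this page, then looks the config file up with a three-argument open(), which treats the path literally and never opens a pipe. $PROG and $SiteConfig mirror the awstats.pl variable names; sanitize_configdir, open_config and the sample values are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not part of AWStats: demonstrates the "configdir" filter
# from the advisory and a three-argument open() that cannot spawn a pipe.
use strict;
use warnings;

# Mirrors the awstats.pl names; the site name is a constructed value.
my $PROG       = "awstats";
my $SiteConfig = "example.com";

# The advisory's workaround: keep only a-z 0-9 _ - / . and delete the rest
# (/c = complement the set, /d = delete). Space and "|" are removed, so
# no pipe-open string can be built from the returned value.
sub sanitize_configdir {
    my ($dir) = @_;
    $dir =~ tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
    return $dir;
}

# Defensive variant of the config lookup: the explicit "<" mode of the
# three-argument open() never interprets "|" in the path as a pipe.
# The metacharacter check is defence in depth on top of the filter.
sub open_config {
    my ($searchdir) = @_;
    my $path = "$searchdir$PROG.$SiteConfig.conf";
    return (0, "rejected, shell metacharacter in path: '$path'")
        if $path =~ /[|;`\s]/;
    open(my $fh, '<', $path) or return (0, "no such config: '$path'");
    close $fh;
    return (1, "opened '$path'");
}

# Constructed inputs: a normal directory and the decoded form of the
# advisory's URL parameter configdir=/usr/bin/id%20%3E%20/tmp/id%20|%20
my @samples = (
    "/etc/awstats/",
    "/usr/bin/id > /tmp/id | ",
);

for my $raw (@samples) {
    my ($raw_ok,   $raw_msg)   = open_config($raw);
    my $clean = sanitize_configdir($raw);
    my ($clean_ok, $clean_msg) = open_config($clean);
    print "input:        '$raw'\n";
    print "  unfiltered  -> $raw_msg\n";
    print "  filtered    -> '$clean' => $clean_msg\n";
}
```

Run it with `perl` on any host; the exploit string is never executed because the path is only ever passed to a read-only three-argument open(). Two caveats a practitioner should note: the advisory's whitelist is lowercase-only, so a configuration directory containing uppercase letters (or any character outside a-z 0-9 _ - / .) is silently mangled rather than rejected, and the filter alone does not fix the underlying two-argument open() in awstats.pl, which is why the vendor fix in 6.3 should be applied rather than relying on the workaround.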
Vendor response:
This vulnerability is addressed in AWStats 6.3, available for download at: [url]http://awstats.sourceforge.net/#DOWNLOAD[/url]
Exploit:
The following URL will create a file named 'id' in the tmp directory of the remote server with the content of the command /usr/bin/id:
[url]http://vulnerable/cgi-bin/awstats.pl?configdir=/usr/bin/id%20%3E%20/tmp/id%20|%20[/url]
Disclosure timeline:
10/21/2004 - Initial vendor notification
01/02/2005 - Initial vendor response
01/17/2005 - Public disclosure