PHF Attacks - Fun and games for the whole family

[pauld () lemur org (Paul Danckaert)]

Greetings,

 Recently I have seen quite an upswing in attacks against web servers,
with people trying exploit various CGI binaries, including Phf.  Phf has a
known vulnerability that is being widely exploited in how it handles
certain escaped arguments.

 To let me know of attacks on sites via this vulnerability, I installed
the following script on our web servers. I don't run phf on our systems,
so there is no problem of interrupting normal activity.  The script simply
looks like the original PHF program, however it mails the security person
whenever connections or probes are received.

 The idea of luring attacks and presenting false information in an
interesting one, as an attacker needs to find a vulnerability to exploit
to get into the system. If vulnerabilities are presented that are not
legitimate, it is more difficult for an attacker to decide what is
legitimate, and what is just bait. If people wish to attack a system, they
take the risk that they are either falling into a trap, or actually
getting into the system.  Its interesting to blur the two.  Along with
scripts like below, people can play games with modified sendmail version
lines, or even presenting false login screens with the tcp wrapper twist.

 In any case, the script below was just thrown together as an example.  On
some sites, I run one similar to it, and it works very well as an early
warning against attacks.  Before running it, I would certainly look it
over to decide if its safe for your system.  If you see problems, please
let me know.


Paul Danckaert
pauld () lemur org


   ----------------------------------------------------------------------

#!/usr/bin/perl
#
# Pseudo-Phf  -  A not-quite-real phf replacement that provides a warning
#                       against attacks, as well as presenting false
#                       information to the attacker.
#
# Paul Danckaert (pauld () lemur org)
#

$email    = "security () lemur org";
$sendmail = "/usr/lib/sendmail";

###

print "Content-type: text/html\n\n";

if ($ENV{"QUERY_STRING"} eq "") {
        do ShowForm();
        $action = "Looked At Form";
} else {
        if ($ENV{"QUERY_STRING"} =~ /(\/|%2f)passwd/i) {
                do ShowBadPass();
                $action = "Attempted Password Grab";
        } else {
                $action = "Submitted Form";
        }
}
$notice = "[/CGI-BIN/PHF] $action";

open(MAIL,"| $sendmail $email");
print MAIL "From: PHF Watcher <$email>\n";
print MAIL "To: $email\n";
print MAIL "Subject: $notice\n\n";
print MAIL "[AutoMessage from PHF]\n\n";
print MAIL "ENV List\n------------------------------------------\n";
foreach $var (keys %ENV) {
        $ENV{$var} =~ s/\n//g;
        print MAIL "$var \t $ENV{$var}\n";
}
print MAIL ".\n\n";
close (MAIL);

#
# Print Error Message to the users request.
#
print <<"EOF";
<H1>Query Results</H1>


/usr/local/bin/ph - Command not found
<PRE>
</PRE>
EOF

exit 0;


sub ShowForm {

print <<"EOF";
<TITLE>Form for CSO PH query</TITLE>
<H1>Form for CSO PH query</H1>
This form will send a PH query to the specified ph server.


<HR>
<FORM ACTION="/cgi-bin/phf">
PH Server:<INPUT TYPE="text" NAME="Jserver" VALUE="ns.uiuc.edu" MAXLENGTH="256">


<H3>At least one of these fields must be specified:</H3><UL>
<LI><INPUT TYPE="text" NAME="Qalias" MAXLENGTH="32">Alias
<LI><INPUT TYPE="text" NAME="Qname" MAXLENGTH="256">Name
<LI><INPUT TYPE="text" NAME="Qemail" MAXLENGTH="128">E-mail Address
<LI><INPUT TYPE="text" NAME="Qnickname" MAXLENGTH="120">Nickname
<LI><INPUT TYPE="text" NAME="Qoffice_phone" MAXLENGTH="60">Office Phone Number
<LI><INPUT TYPE="text" NAME="Qcallsign" MAXLENGTH="16">HAM Callsign
<LI><INPUT TYPE="text" NAME="Qproxy" MAXLENGTH="64">Proxy
<LI><INPUT TYPE="text" NAME="Qhigh_school" MAXLENGTH="30">High School
<LI><INPUT TYPE="text" NAME="Qslip" MAXLENGTH="256">SLIP Address
</UL>
<A HREF="/cgi-bin/phf?Jform=16"><H3>Show additional fields to narrow query</H3></A>


<A HREF="/cgi-bin/phf?Jform=1"><H3>Return more than default fields</H3></A>


<INPUT TYPE="submit">
</FORM>
<HR>
<ADDRESS>Questions, comments to: <a href="http://www.ncsa.uiuc.edu/SDG/People/jbrowne/jbrowne.html";>Jim Browne</a>
</ADDRESS>
EOF

}


sub ShowBadPass {

print <<"EOF";
root:9IDv/CqdFuqWo:0:0:Super User:/:/bin/csh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh
daemon:*:1:1:daemons:/:/dev/null
bin:*:2:2:System Tools Owner:/bin:/dev/null
uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
fax:*:3:10:Fax:/var/spool/fax:/bin/sh
sys:*:4:0:System Activity Owner:/var/adm:/bin/sh
adm:*:5:3:Accounting Files Owner:/var/adm:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico
auditor:*:11:0:Audit Activity Owner:/auditor:/bin/sh
dbadmin:*:12:0:Security Database Owner:/dbadmin:/bin/sh
rfindd:*:66:1:Rfind Daemon and Fsdump:/var/rfindd:/bin/sh
EZsetup:*:992:998:System Setup:/usr/Cadmin:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
tutor::994:997:Tutorial User:/usr/tutor:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/tour:/bin/csh
guest::998:998:Guest Account:/usr/adm/guest:/bin/csh
4Dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
nobody:*:60001:60001:Nobody:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
www:*:20:10:The Web Slinger:/web/www:/bin/csh
webadmin:ecKu77KmsNALs:0:0:Sysadmin web account:/:/bin/sh
testact::1000:10:Test Account:/:/bin/sh
ftp:*:60001:60001:FTP ACCOUNT:/ftp:/dev/null
EOF

}