AWStats Remote Command Execution Vulnerability (configdir)

Summary

AWStats is ‘a free tool that generates advanced web, ftp or mail server statistics, graphically’. Remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the web server.

Credit:

The information has been provided by iDEFENSE. The exploit has been provided by Noam Rathaus of Beyond Security Ltd.
The original article can be found at: http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities


Details

Vulnerable Systems:
 * AWStats version 6.1 and prior

Immune Systems:
 * AWStats version 6.3 or newer

The problem specifically exists when the application is running as a CGI script on a web server. The ‘configdir’ parameter contains
unfiltered user-supplied data that is passed to the Perl open() routine, as can be seen here on line 1082 of awstats.pl:
    if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))

The $searchdir variable holds the value of the attacker-supplied ‘configdir’ parameter. Because open() is called in its two-argument form, a file name containing the ‘|’ character is interpreted as a command pipeline rather than a plain path, so an attacker can cause arbitrary commands to be executed by prefixing them with the ‘|’ character.

Analysis:
Successful exploitation allows remote attackers to execute arbitrary commands under the privileges of the web server. This can lead to further compromise as it provides remote attackers with local access.

Workaround:
Add a filter around the ‘configdir’ parameter by replacing the following line:

    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
    }

With:

    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
        # delete every character that is not a lower-case letter, digit, '_', '-', '/' or '.'
        $DirConfig=~tr/a-z0-9_\-\/\.//cd;
    }
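
As an added example, not AWStats' own code, the same configdir handling written defensively: the allow-list filter from the workaround, generalised to also keep upper-case letters and to reject ‘..’ path segments, combined with a three-argument open() so the assembled file name can never be read as a pipe command. The helper names sanitize_configdir and read_site_config, and the inline URL decoder standing in for DecodeEncodedString, are assumptions.

```perl
#!/usr/bin/perl
# Added example (hypothetical helpers, not AWStats' own code).
use strict;
use warnings;

# Keep only characters that can legitimately appear in a directory path;
# everything else ('|', ';', '>', whitespace, ...) is deleted by tr///cd.
sub sanitize_configdir {
    my ($raw) = @_;
    (my $dir = $raw) =~ tr/a-zA-Z0-9_\-\/\.//cd;
    # The allow-list still admits '/' and '.', so refuse traversal explicitly.
    die "configdir rejected: '..' path segment\n" if $dir =~ m{(^|/)\.\.(/|$)};
    return $dir;
}

sub read_site_config {
    my ($searchdir, $prog, $site) = @_;
    my $path = "$searchdir$prog.$site.conf";
    # Three-argument open with an explicit '<' mode: $path is only ever a
    # file name here, never a shell pipeline, whatever characters it holds.
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed query string in the shape of the advisory's exploit URL.
my $QueryString = 'configdir=/usr/bin/id%20%3E%20/tmp/id%20|%20';
my $DirConfig   = '';
if ($QueryString =~ /configdir=([^&]+)/i) {
    # Minimal %XX decoder standing in for AWStats' DecodeEncodedString().
    (my $decoded = $1) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    $DirConfig = sanitize_configdir($decoded);
}
print "filtered configdir: '$DirConfig'\n";

my $cfg = read_site_config($DirConfig, 'awstats', 'vulnerable');
print defined $cfg ? "config read\n" : "no config at that path; open() failed cleanly\n";
```

Run it with the constructed query string and the printed configdir contains no ‘|’, ‘>’ or space, and the subsequent open() simply fails on a nonexistent path instead of spawning a process.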

Vendor response:
This vulnerability is addressed in AWStats 6.3, available for download at: http://awstats.sourceforge.net/#DOWNLOAD

Exploit:
The following URL will create a file named ‘id’ in the tmp directory of the remote server with the content of the command /usr/bin/id:
http://vulnerable/cgi-bin/awstats.pl?configdir=/usr/bin/id%20%3E%20/tmp/id%20|%20

Disclosure timeline:
10/21/2004 – Initial vendor notification
01/02/2005 – Initial vendor response
01/17/2005 – Public disclosure
