[UNIX] AWStats ShowInfoURL Remote Command Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 08/10/05

  • Next message: SecuriTeam: "[NT] Vulnerability in Print Spooler Service Allows Remote Code Execution (MS05-043)" 
    To: list@securiteam.com
Date: 10 Aug 2005 15:03:17 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      AWStats ShowInfoURL Remote Command Execution
    ------------------------------------------------------------------------

    SUMMARY

    " <http://awstats.sourceforge.net/> AWStats is a free powerful and
    featureful tool that generates advanced web, streaming, ftp or mail server
    statistics, graphically. "

    Remote exploitation of an input validation vulnerability in AWStats allows
    remote attackers to execute arbitrary commands.

    DETAILS

    Vulnerable Systems:
     * AWStats version 6.3 and prior

    Immune Systems:
     * AWStats version 6.4

    AWStats is a logfile analysis tool that generates reports for ftp, mail
    and web traffic. The problem specifically exists because of insufficient
    input filtering before passing user-supplied data to an eval() function.
    As part of the statistics reporting function, AWStats displays information
    about the most common referrer values that caused users to visit the
    website. The referrer data is used without proper sanitation in an eval()
    statement, resulting in the execution of arbitrary perl code.

    Shown as follows, the $url parameter contains unfiltered user-supplied
    data that is used in a call to the Perl routine eval() on lines 4841 and
    4842 of awstats.pl (version 6.4):

    my $function="ShowInfoURL_$pluginname('$url')";
    eval("$function");

    The malicious referrer value will be included in the referrer statistics
    portion of the AWStats report after AWStats has been run to generate a new
    report including the tainted data. Once a user visits the referrer
    statistics page, the injected perl code will execute with permissions of
    the web service.

    Successful exploitation results in the execution of arbitrary commands
    with permissions of the web service. Exploitation will not occur until the
    stats page has been regenerated with the tainted referrer values from the
    http access log. Note that AWStats is only vulnerable in situations where
    at least one URLPlugin is enabled.

    Workaround:
    Disable all URLPlugins in the AWStats configuration.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1527>
    CAN-2005-1527

    Disclosure Timeline:
    05/12/2005 - Initial vendor notification
    08/09/2005 - Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:idlabs-advisories@idefense.com> iDEFENSE.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Vulnerability in Print Spooler Service Allows Remote Code Execution (MS05-043)"

    Relevant Pages