[VIM] AWStats question [CVE 2005-0362 & 2005-0436]

Steven M. Christey coley at linus.mitre.org
Mon May 2 15:07:55 EDT 2005


On Sun, 1 May 2005, security curmudgeon wrote:

>
> CAN-2005-0362 / OSVDB 1000034
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488
>
> awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary
> commands via shell metacharacters in the (1) "pluginmode", (2)
> "loadplugin", or (3) "noloadplugin" parameters.
>
>
> CAN-2005-0436 / OSVDB 13832
> BUGTRAQ:20050214 AWStats <= 6.4 Multiple vulnerabilities
> URL:http://www.securityfocus.com/archive/1/390368
>
> Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4
> allows remote attackers to execute portions of Perl code via the
> PluginMode parameter.

These two were SPLIT based on (1) differing affected versions, as reported
(6.2 vs. 6.4), and probably (2) different vuln types, "shell
metacharacters" vs.  "direct code injection" (my throwaway term for piping
code directly into an "eval" statement or the equivalent, which only has a
dozen or two published examples I would guess.)

Note how you could "fix" a shell metacharacter problem but still be
vulnerable to feeding portions of code directly into an eval, e.g. an
input of "exit" contains no shell metachars but would still cause the Perl
"exit" function to be called if it's piped into an eval.  Or "print
FILEHANDLE XXXX" or "system ls" or "return TRUE" or whatever.

But looking deeper, the question becomes whether pluginmode is/was
vulnerable to shell metacharacters, then another question becomes whether
the "direct code injection" was fully fixed.

The Debian bug report 294488 includes an Ubuntu diff from here:

  http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

(note the typo in the CVE ID in that URL; it should have been
CAN-2005-0116).

The changelog in the Ubuntu diff implies shell metacharacters in
pluginpage:

  wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
  "config", "pluginmode", "loadplugin", and "noloadplugin" parameters
  (which are defined by the remote user) to prevent execution of arbitrary
  shell commands through shell metacharacters.

[the "config" was SPLIT off the others because it was also in 4.0, where
the others weren't, and CVE splits on different affected versions].

However, they also include this reference:

  http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf

which is really "direct code injection" into an eval, i.e.

  1) The code example shows $PluginMode being fed into an eval statement:

     if ($PluginMode) {
      my $function="BuildFullHTMLOutput_$PluginMode()";
      eval("$function");

  2) the sample exploit given is:

     http://xxx/awstats/awstats.pl?pluginmode=:system ("/bin/ls");.

Which isn't shell metacharacters.


So, *was* pluginpage actually vulnerable at one point to shell
metacharacters?

This I don't know and don't have the time at the moment to research.

And there's yet another question - is the Ubuntu patch actually sufficient
to fix all Perl execution?

I suspect that's what this post is about:

  (CAN-2005-0436)
  BUGTRAQ:20050214 AWStats <= 6.4 Multiple vulnerabilities
  URL:http://www.securityfocus.com/archive/1/390368

where the inputs contain nothing but a colon, alphabetic characters, and
spaces - which pass the regexp cleanser - but are still fed directly into
the eval.

Interestingly, Ubuntu's patch doesn't seem to allow the ":" so maybe the
bug is still in the original AWStats source, but not some of the Linux
distributions.

A nice little mess!

> First question is how CVE differentiates between "commands via shell
> metacharacters" and "direct code injection".

Hopefully the previous explanation highlights some of that difference, but
"different vuln type" can be a judgment call sometimes.

> Second question is, are 'PluginMode' and 'pluginmode' the same params, or
> is the script case sensitive and these are two different variables?

According to this patch URL and others:

  http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

the external parameter name is "pluginmode" but its value is saved in the
internal Perl variable named $PluginMode.

- Steve
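
The distinction drawn in this message, as an added example (not code from AWStats, the Ubuntu patch, or the original post): a filter that strips only shell metacharacters leaves inputs such as "exit" untouched, whereas resolving the plugin name to an already-defined sub never evaluates the parameter as code. The sub `BuildFullHTMLOutput_geoip`, the helper names and the denylist are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical plugin output sub, standing in for a real plugin's handler.
sub BuildFullHTMLOutput_geoip { return "geoip report" }

# Stand-in for a fix that only strips shell metacharacters
# (constructed denylist, not the regexp from the Ubuntu patch).
sub strip_shell_metachars {
    my ($value) = @_;
    $value =~ s/[;&|<>(){}\[\]!*?~'"\`\$\\\n\r]//g;
    return $value;
}

# Eval-free dispatch: the parameter is checked against a strict name
# pattern, then used only to look up a sub that already exists.
sub run_plugin_output {
    my ($mode) = @_;
    return unless defined $mode && $mode =~ /\A[A-Za-z0-9_]{1,32}\z/;
    my $code = __PACKAGE__->can("BuildFullHTMLOutput_$mode") or return;
    return $code->();
}

# Constructed inputs: the first three are the strings named in the mail,
# the last is a legitimate plugin name.
for my $input ('exit', 'return TRUE', 'system ls', 'geoip') {
    my $unchanged = strip_shell_metachars($input) eq $input ? 'yes' : 'no';
    my $result    = run_plugin_output($input);
    printf "%-13s passes metachar filter unchanged: %-3s  dispatch: %s\n",
        "'$input'", $unchanged, defined $result ? $result : 'rejected';
}
```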

