
A PHP exploit with Potato?




Hello,

Is there a PHP exploit in Potato?

I really don't know; the message below from the DShield mailing
list claims so:




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I finally got my hands on an exploit that will provide a
remote shell (not root) for php < 4.0.6. It claims to exploit
the following setups:

(1) Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.3
(2) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
(3) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
(4) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
(5) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
(7) Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.5
(8) RedHat 7.1 / apache-1.3.19-5 from RPM / PHP/4.X
(9) Mandrake 8.0 / apache-1.3.19-3mdk from RPM / PHP/4.X

I had some success running it against RH 7.1. It causes
apache to segfault in RH 7.2 (good indication that there
may be a possible exploit).

Advice:
- upgrade php

The exploit needs to be able to 'POST' to a php url to work.

It is a bit hard to pick it out in the apache log. Here
is what you may see:

Access Log:

(the 'HEAD' is optional, but by default the exploit will
check first if the server is in its list of possible targets)

[26/Feb/2002:17:56:25 -0500] "HEAD / HTTP/1.1" 200 0 "-" "-"

On RH 7.2 I see this...

1.2.3.4 - - [26/Feb/2002:17:48:35 -0500] "POST /phpinfo.php HTTP/1.1" 200 12083 "http://targetname/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"


On RH 7.1, you will not see the POST. But you may see things
like this in your error log:

[Tue Feb 26 17:56:31 2002] [error] [client 1.2.3.4] Invalid method in request ls /tmp

(in this case, I did attempt to execute 'ls /tmp' )



--
jullrich@euclidian.com   Join http://www.DShield.org
Distributed Intrusion Detection System

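Added example, not code from the post or from DShield: a small Python scanner that flags the three indicators the forwarded message describes (the bare `HEAD /` probe with empty referer and user agent, a `POST` to a `.php` URL, and `Invalid method in request` entries in the error log). The sample log lines are constructed to match the excerpts above; `1.2.3.4` is the post's placeholder client address and `10.0.0.7` is an assumed benign client.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the excerpts in the post above.
ACCESS_LOG = """\
1.2.3.4 - - [26/Feb/2002:17:56:25 -0500] "HEAD / HTTP/1.1" 200 0 "-" "-"
1.2.3.4 - - [26/Feb/2002:17:48:35 -0500] "POST /phpinfo.php HTTP/1.1" 200 12083 "http://targetname/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
10.0.0.7 - - [26/Feb/2002:18:01:02 -0500] "GET /index.html HTTP/1.0" 200 1543 "-" "Mozilla/4.0"
"""
ERROR_LOG = """\
[Tue Feb 26 17:56:31 2002] [error] [client 1.2.3.4] Invalid method in request ls /tmp
[Tue Feb 26 18:02:00 2002] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
"""

# Apache combined log format and the classic 1.3 error-log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')
INVALID_METHOD = "Invalid method in request"

def scan(access_log: str, error_log: str) -> Dict[str, List[str]]:
    """Return {client_ip: [findings]} for the indicators named in the post, in log order."""
    findings: Dict[str, List[str]] = {}

    def note(ip: str, text: str) -> None:
        findings.setdefault(ip, []).append(text)

    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        path = d["url"].split("?", 1)[0]
        # Target check: a bare HEAD / carrying neither referer nor user agent.
        if d["method"] == "HEAD" and path == "/" and d["referer"] == "-" and d["ua"] == "-":
            note(d["ip"], f"HEAD probe at {d['ts']}")
        # Delivery: the post says the exploit must POST to a php URL.
        if d["method"] == "POST" and path.lower().endswith(".php"):
            note(d["ip"], f"POST to {path} at {d['ts']}")
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if m and m.group("msg").startswith(INVALID_METHOD):
            # On RH 7.1 the injected command surfaces as a bogus HTTP method name.
            cmd = m.group("msg")[len(INVALID_METHOD):].strip()
            note(m.group("ip"), f"invalid method: {cmd!r}")
    return findings
```

Run `scan` over real `access_log` and `error_log` contents and correlate by client address; a single address showing all three indicators in sequence is the pattern the post describes.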
