Solved

Perl being hacked

Posted on 2006-04-15
Last Modified: 2012-05-05
Hello,

I'm having a problem with one customer's server: someone found a way to make Perl run scripts on that server, and I do not know if that's a Perl bug or if there is something I can disable to make it stop... Here is the line from the log file:

65.7.178.227 - - [15/Apr/2006:03:33:53 -0400] "GET /cgi-bin/master.cgi?page=|perl%20-e%20%22print%20%5C%22%5C043%5C041%5C057%5C165%5C163%5C162%5C057%5C142%5C151%5C156%5C057%5C160%5C145%5C162%5C154%5C012%5C165%5C163%5C145%5C040%5C123%5C157%5C143%5C153%5C145%5C164%5C073%5C040%5C165%5C163%5C145%5C040%5C111%5C117%5C072%5C072%5C110%5C141%5C156%5C144%5C154%5C145%5C073%5C040%5C165%5C163%5C145%5C040%5C120%5C117%5C123%5C111%5C130%5C073%5C040%5C044%5C160%5C162%5C157%5C164%5C157%5C040%5C075%5C040%5C147%5C145%5C164%5C160%5C162%5C157%5C164%5C157%5C142%5C171%5C156%5C141%5C155%5C145%5C050%5C047%5C164%5C143%5C160%5C047%5C051%5C073%5C%22%22%20%3E/var/tmp/.mixed.2006| HTTP/1.1" 200 5

The file .mixed.2006 was there when I looked.

Thank you in advance
Question by:adcentrix
13 Comments
 
LVL 15

Expert Comment

by:m1tk4
ID: 16460749
This is a vulnerability in "master.cgi" - Perl by itself has nothing to do with it. Apparently, master.cgi does not do necessary checks for the safety of passed parameters and a request like this one makes it do something it's not supposed to do.

To make it stop you need to either disable or fix "master.cgi", your Perl is fine.

Unfortunately, I can't help you more without knowing what that master.cgi does.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16461081
This vulnerability could have been around for ages!

http://seclists.org/lists/vuln-dev/2001/Jun/0006.html

June 2001?

It looks as if it is part of a link exchange system:

http://www.scriptgateway.com/scripts/cgiandperl/link_checking/s307492-link_master_v4_0.html

that is no longer supported.

Solution - get rid of the master.cgi script!

HTH:)
0
 

Author Comment

by:adcentrix
ID: 16461101
Thanks for the response, but this is happening with all the scripts on the server, it's not just this one... It's part of an ecommerce software that we developed in Perl... It's running on another server without a problem...

I looked in the log and the impostor is able to run any command that the user NOBODY is able to run if connected to the console... just by adding a pipe | at the end of the script and after that the command that is supposed to be run by the server...

Thanks
0
 

Author Comment

by:adcentrix
ID: 16461118
Is there some type of command or instruction that I should add to the script to make it more secure? I only have the Perl location line and after that I start with my own code. Is that correct, or should it have something else?
0
 

Author Comment

by:adcentrix
ID: 16461126
Maybe there is a way to ignore anything after a pipe | that is sent in the URL? Does anyone know anything about that?
0
 
LVL 15

Expert Comment

by:m1tk4
ID: 16461166
>> Is there some type of command or instruction that I should add to the script to make it more secure? I only have the Perl location line and after that I start with my own code. Is that correct, or should it have something else?

I don't quite understand what you mean by "perl location line".

Your vulnerability is in your ecommerce software code, and it is similar to this one: http://www.kb.cert.org/vuls/id/496064, http://sans.org/resources/malwarefaq/guestbook.php (they provide ways to fix it too). If it happens to all your scripts on the server, they all have the same problem. Even if you did something on the other server to protect yourself from this (and you can do it with a URL rewrite detecting the presence of | characters in the request), your real problem is your code in the ecommerce suite you are talking about, and you still need to fix it.
0
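The bug class m1tk4 is pointing at (and the one behind the CERT guestbook advisory above) is Perl's two-argument open(): a filename that begins or ends with "|" is run as a shell command, so a CGI parameter spliced into open() lets a request execute commands as the web server user. The following is an added illustration, not the questioner's ecommerce code; the directory, file and sub names are made up for the example, and the hostile input is constructed with a harmless echo so that running it only prints a marker.

```perl
#!/usr/bin/perl
# Added example: Perl two-argument open() versus the hardened form.
# Nothing here is from the questioner's software; $TEMPLATE_DIR,
# show_page_vulnerable and show_page_fixed are names invented for the demo.
use strict;
use warnings;

# Constructed sample data: a template directory holding one page.
my $TEMPLATE_DIR = "/tmp/example_templates";
mkdir $TEMPLATE_DIR unless -d $TEMPLATE_DIR;
{
    open(my $w, '>', "$TEMPLATE_DIR/home.html") or die "cannot write sample: $!";
    print $w "<h1>home</h1>\n";
    close $w;
}

# Shorten a result for display.
sub summarize {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/\s+/ /g;
    return length($s) > 60 ? substr($s, 0, 60) . '...' : $s;
}

# VULNERABLE: two-argument open() with user-controlled data.  Perl reads the
# mode from the string itself, so a trailing "|" means "run everything before
# it as a command and read its output".  A value with a leading "|" too, like
# the request in the log, becomes "<dir>/ | <attacker command>" under /bin/sh.
sub show_page_vulnerable {
    my ($page) = @_;
    open(my $fh, "$TEMPLATE_DIR/$page") or return "error: $!";
    local $/;                      # slurp the whole handle
    my $body = <$fh>;
    close $fh;
    return $body;
}

# FIXED: (1) accept only a strict whitelist of page names, rejecting "/",
# "..", "|" and anything else unexpected; (2) use three-argument open(), where
# the program fixes the mode ('<') and the third argument is always a literal
# filename, never a command.
sub show_page_fixed {
    my ($page) = @_;
    return "error: bad page name"
        unless defined $page && $page =~ /\A[\w\-]+(?:\.[\w\-]+)?\z/;
    my $path = "$TEMPLATE_DIR/$page";
    open(my $fh, '<', $path) or return "error: $!";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed inputs: a legitimate page, a pipe-shaped value in the style of
# the logged request (with a harmless echo instead of a real payload), and a
# path traversal attempt.
my @inputs = ("home.html", "|echo INJECTED|", "../home.html");

for my $page (@inputs) {
    print "input: [$page]\n";
    print "  vulnerable -> ", summarize(show_page_vulnerable($page)), "\n";
    print "  fixed      -> ", summarize(show_page_fixed($page)), "\n";
}
```

Run it and the vulnerable sub returns "INJECTED" for the second input (the shell also prints an error about the directory on stderr, which is the "templates/ |" part of the command failing, exactly as it would have for the attacker), while the fixed sub returns "error: bad page name" for both hostile inputs and only serves home.html. Two further measures worth adding to the "Perl location line" the questioner asks about: running the CGI under taint mode (#!/usr/bin/perl -T) makes Perl die with "Insecure dependency" before a tainted string reaches a piped open, and three-argument open should be used everywhere a filename is built from request data, not just in the script seen in the log.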
 
LVL 15

Expert Comment

by:m1tk4
ID: 16461185
>>Maybe there is a way to ignore anything after a pipe | that is sent on the URL? Anyone knows anything about that?

If it's Apache, you can use mod_rewrite to detect and block that - see http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
0
 

Author Comment

by:adcentrix
ID: 16461241
It's Apache version 1.3.33, and the script has the open function in it...

That's nice, but do you know how to use this command? And where should I add the command in httpd.conf?

is this correct?
RedirectMatch ^|$ http://www.google.com/

Thank you very much for your help...
 

0
 
LVL 15

Expert Comment

by:m1tk4
ID: 16461258
No, something like this:

RewriteRule (.*)\|(.*) / [forbidden]

| is a special character in regexp and needs to be escaped.
0
 
LVL 15

Expert Comment

by:m1tk4
ID: 16461265
You can add it pretty much anywhere, .htaccess, <VirtualHost> container, <Directory> - it all depends on how your web server configuration is structured. Don't forget to add RewriteEngine on before it. See http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewriterule for detailed info on all rewrites.
0
 

Author Comment

by:adcentrix
ID: 16461360
I tried to add it to the .htaccess and the <Directory> but it does not affect the problem... it still accepts the command and does not forward to the forbidden page.

Any suggestion?
0
 
LVL 15

Accepted Solution

by:
m1tk4 earned 2000 total points
ID: 16461495
RewriteRule (.*)\|(.*) / [forbidden,qsappend]

Sorry, missed that one. Before you try it, try just requesting something like /blabla|.htm to see if you placed it in the right container.

By default RewriteRule doesn't parse the query strings.

Again, you still should fix your software, because mod_rewrite only lets you control GET requests, but POST requests may still circumvent this.
0
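For readers wanting the rewrite block in full, here is an added example of the stop-gap described in this thread (not the configuration the questioner deployed). It assumes Apache with mod_rewrite loaded and is placed in the <VirtualHost> or <Directory> that serves the CGI scripts, or in .htaccess where AllowOverride permits FileInfo. It tests the query string explicitly, since the RewriteRule pattern is matched against the URL path only, and also catches a percent-encoded pipe, which the CGI would decode back to "|" but which a check for a literal "|" would miss.

```apache
# Added example, not from the thread: refuse any GET whose path or query
# string carries a pipe character, literal or percent-encoded.
RewriteEngine On

# %{QUERY_STRING} is tested undecoded, so match both "|" and "%7C".
# The CondPattern is compiled when the config is read, so "%7C" is a literal.
RewriteCond %{QUERY_STRING} (\||%7C) [NC,OR]
# Also reject a pipe in the path itself, e.g. /blabla|.htm from the test above.
RewriteCond %{REQUEST_URI}  \|
# "-" means no substitution; [F] answers 403 Forbidden.
RewriteRule .* - [F]
```

As the accepted solution says, this only inspects the request line: a POST body carrying the same parameter is not examined by mod_rewrite, so the rule buys time but does not replace fixing the open() calls in the scripts.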
 

Author Comment

by:adcentrix
ID: 16461690
Thank you very much m1tk4.
It worked, and I also fixed the problem in our software...

Have a nice weekend...
0
