[2952] in WWW Security List Archive


Re: 'phf' cgi-bin attack

daemon@ATHENA.MIT.EDU (Derek Gottfrid)
Tue Sep 17 10:14:55 1996

Date: Tue, 17 Sep 1996 08:44:01 -0400 (EDT)
From: Derek Gottfrid <dgu@webster.rtpnc.epa.gov>
To: "Jordi \"=?iso-8859-1?Q?Matem=E0tic?=\" Salvat" <jordi@webarna.com>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <323DD2B8.4EAC@webarna.com>
Errors-To: owner-www-security@ns2.rutgers.edu

The phf attack is well known and documented in two CERT advisories. Phf is 
intended to be used as a gateway to the ph program, which allows for 
phonebook lookups. The program has been distributed with NCSA and Apache 
as one of the supplied CGI-BINs.  Many people don't even realize they are 
running it.  I would recommend removing phf immediately, and if you need 
to run it, patches are available from CERT.  The problem arises 
because the newline character is not parsed out and the users' args are put 
on the command line. So a simple %0a (newline in hex) and a couple of %20 
(space) and they can run any command on your system.

Plugs those holes.

On Mon, 16 Sep 1996, Jordi "=?iso-8859-1?Q?Matem=E0tic?=" Salvat wrote:

> Many Spanish ISPs are receiving attack attempts on their WWW servers...
> they detect them on their log files in entries such as:
> 
> info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
> infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> ia245.arrakis.es - - [04/Sep/1996:14:45:35 +0100] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> modem5.mrbit.es - - [09/Sep/1996:04:38:21 +0100] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> modem5.mrbit.es - - [09/Sep/1996:06:15:21 +0100] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> ppp03.las.es - - [12/Sep/1996:20:17:22 +0100] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> 
> Obviously attempting to get the passwd file.
> 
> What is curious about these attacks is that they all come from different
> dial-up providers, from users apparently scattered throughout Spain.
> Maybe an "organized" group who meets and exchanges ideas over the I-net?
> There have also been a few attempts apparently coming from the US. Of
> course most providers have initiated action to find out who those
> cracker-apprentices are, and warn them that what they are doing is a
> delict under the new Spanish Penal Laws.
> 
> At least one of these attacks has been successful. The hacker then
> reportedly managed to find out the root password (bad password choice?) and
> replaced the getty and getty to leave a 'backdoor'. The hacker was
> reportedly invisible to 'who' and 'last', so the only way to know
> whether he was logged in was to look at the process list.
> 
> Does anyone know what this 'phf' cgi-bin is supposed to be?
> 
> Thanks for your help.
> -- 
> Jordi Salvat i Alabart
>   Web Edicions Barcelona
>   edicions i consultoria Internet
>   http://www.webarna.com

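A detection pass over log entries like the ones quoted above, as an added example that is not part of either message in this thread. It parses Common Log Format lines, percent-decodes each query parameter the same way the request would have reached the CGI script, and flags any request whose decoded parameter carries a newline into a script under /cgi-bin/ (the check is written for any such script, not only phf, since the defect Derek describes is the unfiltered newline itself). The sample entries are modelled on Jordi's log; the host `host.example.test` and the two 200-status lines are constructed for the example, and the regular expression and function names are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log (the first two lines follow the entries quoted in the
# thread; the last two, with a hypothetical host and 200 responses, are added
# so the scanner has benign traffic and a "script was present" case to show).
SAMPLE_LOG = """\
info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
ia245.arrakis.es - - [04/Sep/1996:14:45:35 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
host.example.test - - [05/Sep/1996:10:00:00 +0100] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
host.example.test - - [05/Sep/1996:10:01:00 +0100] "GET /index.html HTTP/1.0" 200 1024
"""

# Common Log Format: host ident authuser [time] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

CGI_PREFIX = "/cgi-bin/"


def parse_clf(line):
    """Split one CLF line into its fields, or return None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def injected_parameters(target):
    """Return (param, decoded_value, text_after_newline) for every query
    parameter whose percent-decoded value contains a CR or LF.

    parse_qsl() does the %0a -> newline decoding, so the newline is found in
    the same form in which the CGI script would have received the argument."""
    _path, sep, query = target.partition("?")
    if not sep:
        return []
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "\n" in value or "\r" in value:
            # Everything after the first line break is the injected part.
            tail = re.split(r"\r\n|\r|\n", value, maxsplit=1)[1].strip()
            hits.append((name, value, tail))
    return hits


def scan_log(text):
    """Return one finding per request that carries a newline inside a query
    parameter of a script under /cgi-bin/.  Unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        path = rec["target"].partition("?")[0]
        if not path.startswith(CGI_PREFIX):
            continue
        for name, _value, tail in injected_parameters(rec["target"]):
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "script": path,
                "param": name,
                "command": tail,          # what the script would have passed on
                "status": rec["status"],
                # A 404 means the script was not present; a 2xx means the
                # request was answered and the host needs a compromise check.
                "served": rec["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "script not found"
        print(f"{f['time']} {f['host']} {f['script']} "
              f"{f['param']}={f['command']!r} ({state})")
```

Run against a real access log, the `served` flag is the field to sort on first: the entries in Jordi's log all returned 404, so on those servers phf was absent and the request did nothing, whereas a matching line with a 2xx status is the one that warrants the process-list and password review his message describes.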