
httpd.conf misconfiguration (ScriptAlias) remote code execution.

  • 13-08-2013 04:02PM
    #1
    Registered Users, Registered Users 2 Posts: 126 ✭✭


    TL;DR check your httpd.conf or apache2.conf files for "ScriptAlias". A whole bunch of crap setup guides for Apache, along with a load of third party software, introduce a trivially exploitable remote code execution flaw.

    http://insecurety.net/?p=912

    Exploit code included for testing for this vulnerability, which one can also *introduce* into a webserver as a backdoor for fun and profit.
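A defender-side check for the TL;DR above, added here as an example (it is not code from this thread or from the linked write-up): it scans an httpd.conf/apache2.conf text for ScriptAlias and ScriptAliasMatch directives whose filesystem target is a system binary directory, which is assumed here to be the misconfiguration pattern in question; the directory list and the sample config are constructed.

```python
import posixpath
import re
import shlex
from typing import List, Tuple

# Directories that must never be mapped as CGI roots (assumed heuristic list).
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/local/bin", "/usr/local/sbin")

DIRECTIVE_RE = re.compile(r"^\s*(ScriptAlias(?:Match)?)\s+(.*)$", re.IGNORECASE)


def parse_script_aliases(conf_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, directive, url_path, fs_path) for each ScriptAlias*."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):    # whole-line comment
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        args = shlex.split(m.group(2))       # handles "quoted paths"
        if len(args) == 2:
            found.append((lineno, m.group(1), args[0], args[1]))
    return found


def is_system_bin_target(fs_path: str) -> bool:
    """True if fs_path is a system binary directory or lies beneath one."""
    norm = posixpath.normpath(fs_path)
    return any(norm == d or norm.startswith(d + "/") for d in SYSTEM_BIN_DIRS)


def audit(conf_text: str) -> List[str]:
    """Return one finding per ScriptAlias* that exposes a system binary dir."""
    return [
        f"line {lineno}: {directive} {url_path} -> {fs_path} "
        "maps system binaries as CGI scripts"
        for lineno, directive, url_path, fs_path in parse_script_aliases(conf_text)
        if is_system_bin_target(fs_path)
    ]


# Constructed sample: a sane Debian-style mapping, a dangerous one copied from
# a bad guide, a commented-out one, and a Match variant into /usr/local/bin.
SAMPLE_CONF = """\
ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
ScriptAlias /cgi-bin/ /bin/
# ScriptAlias /tools/ /usr/bin/
ScriptAliasMatch ^/cgi/(.*) /usr/local/bin/$1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```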


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That's a dirty little back door.

    Thanks for the heads up. Checked a few sites I'm semi-responsible for.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I wonder could we (and by we, I mean someone with more time in the day than me) write an nmap plugin which looks for this vulnerability?

    Would be very handy for those who frequent this forum who manage large numbers of websites.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    EDIT: got it working.

    Hilarious.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    I wonder could we (and by we, I mean someone with more time in the day than me) write an nmap plugin which looks for this vulnerability?

    Would be very handy for those who frequent this forum who manage large numbers of websites.

    They do have a python script on their github repo that checks a known server on port 80 for the vulnerability. Wouldn't be too much trouble to hack and slash that to hook it up to nmap I'd say.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Wouldn't be hard to write a wrapper script to call both.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That's what I was thinking, but the python script defaults to port 80, so you'd need to add an arg for port, which you'd need to get from nmap. I think it would be handy enough though.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    That's what I was thinking, but the python script defaults to port 80, so you'd need to add an arg for port, which you'd need to get from nmap. I think it would be handy enough though.

    Can you not specify the port in the url? e.g.:

    lolapache.py www.boards.ie:31337


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Didn't test, so maybe. Had git cloned it to /tmp so it's gone now and not arsed regetting. :)


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    You can specify port like so, yes. I may write an NSE later on if I have time, currently "fixing" someone else's positively hideous exploit code. In that repo you will find several other exploits I wrote, varying in their lol-worthiness.

