
ITNS ADVISORY ITNS-2005-022401 AWStats 5.0 - 6.2

Original release date: 2/24/2005
Last revised: 2/24/2005
Source: Purdue IT Security and Policy
URL: http://www.itap.purdue.edu/security/

CONTENTS
-------------------
1.   SYSTEMS AFFECTED
2.   OVERVIEW
3.   DETAILED DESCRIPTION
4.   IMPACT AND ACTIONS
5.   SOLUTION
6.   FURTHER INFORMATION
7.   IT SECURITY AND POLICY CONTACT INFORMATION

SYSTEMS AFFECTED
--------------------
Unix systems running the AWStats versions 5.0 - 6.2 statistical package as a CGI are vulnerable to a remote arbitrary command execution attack. Windows systems running AWStats have not been observed to be compromised at this time; however, users of AWStats on Windows systems should take appropriate actions to ensure that their version is not vulnerable.

(http://awstats.sourceforge.net)

OVERVIEW
--------------------

A new exploit released on the 21st of February allows remote attackers to execute arbitrary commands on systems running AWStats as a CGI.

DETAILED DESCRIPTION
-----------------------

A number of vulnerabilities in AWStats allow remote command execution:

Systems may be vulnerable if they allow remote users to trigger a statistics update from the browser. This requires "AllowToUpdateStatsFromBrowser=1" to be set.

The "searchdir" variable used by the AWStats script can be used to execute commands by prefixing its value with the "|" character. This allows remote command execution and possible compromise.

The "update & logfile" utilities can be exploited in a similar manner.

The "pluginmode" setting can be fed specially crafted commands allowing remote command execution.

Exploits have been observed on campus; the following is a profile of one such exploit:

Creation of "/var/tmp/ " and placement of the following files in it:

    ap.c
    paw2.tar.gz
    awscan/
    inst
    login*
    login.tar.gz
    miro.tgz
    sendmail: accepting connections *
    sk*
    uselib24*
    uselib24.c
    wx.tar.gz
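
The following detection helpers are an added example; they are not part of this advisory or of the AWStats project. They flag web-server requests to awstats.pl whose "searchdir", "update", "logfile" or "pluginmode" parameters carry shell metacharacters such as "|", check an AWStats configuration file for "AllowToUpdateStatsFromBrowser=1", and compare a directory listing against the dropped-file names profiled above. The log lines, configuration text and listing are constructed samples; the "configdir" parameter is included as an extra check on the assumption that AWStats also reads it from the query string (the advisory itself does not cite it).

```python
"""Detection helpers for the AWStats CGI command-injection advisory.

Added example, not the advisory's or the AWStats project's own code.
All sample data below is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names as injection points. "configdir" is an
# assumption added as an extra check; the advisory does not cite it.
WATCHED_PARAMS = {"searchdir", "update", "logfile", "pluginmode", "configdir"}
# Characters that should never appear in these values on a healthy install.
SHELL_META = re.compile(r"[|;`$&<>]")

# Apache combined log: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def flag_requests(log_lines):
    """Return (client, timestamp, param, decoded value) for each suspicious awstats.pl request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("awstats.pl"):
            continue
        # parse_qsl percent-decodes, so %7C is seen as "|"
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in WATCHED_PARAMS and SHELL_META.search(value):
                hits.append((client, ts, name, value))
    return hits


def browser_update_enabled(config_text):
    """True if AllowToUpdateStatsFromBrowser=1 is set (comments and whitespace ignored)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == "AllowToUpdateStatsFromBrowser":
            return val.strip().strip('"') == "1"
    return False


# Dropped-file names from the advisory's exploit profile (ls -F markers removed).
ADVISORY_ARTIFACTS = {
    "ap.c", "paw2.tar.gz", "awscan", "inst", "login", "login.tar.gz", "miro.tgz",
    "sendmail: accepting connections", "sk", "uselib24", "uselib24.c", "wx.tar.gz",
}


def matching_artifacts(listing):
    """Names from a directory listing (as printed by ls -F) that match the advisory's profile."""
    return sorted(name for name in listing if name.rstrip("*/ ") in ADVISORY_ARTIFACTS)


# Constructed sample data: two benign requests and two carrying "|" in watched parameters.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Feb/2005:10:01:12 -0500] "GET /cgi-bin/awstats.pl?config=www HTTP/1.1" 200 5120 "-" "Mozilla"',
    '203.0.113.5 - - [24/Feb/2005:10:01:40 -0500] "GET /cgi-bin/awstats.pl?searchdir=%7Ccommand%7C&update=1 HTTP/1.1" 200 311 "-" "Mozilla"',
    '198.51.100.9 - - [24/Feb/2005:10:02:03 -0500] "GET /cgi-bin/awstats.pl?config=www&pluginmode=%7Ccommand HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.9 - - [24/Feb/2005:10:02:30 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

SAMPLE_CONFIG = """# awstats.www.conf (constructed sample)
LogFile="/var/log/httpd/access_log"
AllowToUpdateStatsFromBrowser=1   # risky: remote users can trigger updates
"""

SAMPLE_LISTING = ["ap.c", "uselib24*", "awscan/", "notes.txt"]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("browser update enabled:", browser_update_enabled(SAMPLE_CONFIG))
    print("matching artifacts:", matching_artifacts(SAMPLE_LISTING))
```

In practice run flag_requests over the web server's access log for the whole window since 21 February, and treat any hit, a config with the update setting enabled, or a non-empty artifact match in /var/tmp as grounds for taking the host offline and rebuilding rather than patching in place.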

IMPACT AND ACTIONS
---------------------
Systems running AWStats may be compromised and used for additional outbound scanning or other purposes. Administrators of systems running AWStats should immediately upgrade their installation to the most recent version of AWStats.

Version 6.4 is currently available and fixes both this hole and a second security bug.

SOLUTION
--------------------
Update to version 6.4 of AWStats or discontinue use of AWStats as a CGI.

FURTHER INFORMATION
--------------------
Analysis of the vulnerabilities can be found at: http://packetstorm.linuxsecurity.com/0501-exploits/AWStatsVulnAnalysis.pdf

IT SECURITY AND POLICY CONTACT INFORMATION
------------------------------------------
Purdue University IT Security and Policy can be contacted at:
itap-securityhelp@purdue.edu

Abuse incidents can be reported to: abuse@purdue.edu

If you believe that a crime has been committed, please contact your local police department.