Bug 158521 - Remote Command Execution
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: awstats
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Warren Togami
QA Contact: Fedora Extras Quality Assurance
URL: http://www.securityfocus.com/bid/12298
Keywords: Security
Reported: 2005-05-23 05:38 EDT by Alan Olsen
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-05-31 05:35:24 EDT
Description Alan Olsen 2005-05-23 05:38:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
There are a number of remote execution bugs in any version of awstats prior to 6.4.  This is very serious as it is actively being exploited in the wild.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run sploit
2. Run any binary as "apache" user.
3. Profit.
  

Actual Results:  My server got a present from a script kiddy.

Expected Results:  Should not allow people to run executables via the awstats program.

Additional info:

Do a keyword search for "awstats" and you will get a list of the problems. This is probably a bug in FC2 and any other version of awstats.
Comment 1 Michael Schwendt 2005-05-23 08:17:34 EDT
> This is probably a bug in FC2 and any other version of awstats.

No, of course not. Fedora Extras for FC3 and later is not affected.
Comment 2 Warren Togami 2005-05-23 15:53:21 EDT
Is FC4 extras fixed?  Somebody put the desired package into FC-2 and earlier
branches and I'll build them into fedora.us.
Comment 3 Alan Olsen 2005-05-23 17:57:42 EDT
Yes.  6.4 does not have the remote execution bugs.  It does have the debug flag
problem, but that is just information disclosure.  I have not tested 6.5 to see
if the debug flag hack still works.  

Here is the trivial debug hack.  Reveals various info on install locations.

http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?debug=1
http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?debug=2

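As an added example (not part of the bug report or of the awstats project), a small POSIX shell check covering the two points raised so far: whether an installed awstats RPM is older than 6.4, the first release the thread reports as free of the remote execution bugs, and whether a fetched awstats.pl response looks like the debug mode shown above is enabled. The package-name parsing assumes the `name-version-release` form that appears later in this thread (awstats-6.1-0.fdr.6, with or without a trailing `.noarch`); the `DEBUG` line prefix used to recognise debug output is an assumption, and the sample response bodies are constructed input, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the bug report or the awstats project.

# version_lt A B: exit 0 if dotted version A is numerically older than B,
# 1 otherwise. Compares component by component so 6.10 sorts after 6.4.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# awstats_version_from_nvr NVR: "awstats-6.1-0.fdr.6" -> "6.1"
# (also handles "awstats-6.4-1.fc1.noarch" from newer rpm output).
awstats_version_from_nvr() {
  printf '%s\n' "$1" | sed -n 's/^awstats-\([0-9][0-9.]*\)-.*$/\1/p'
}

# awstats_nvr_vulnerable NVR: exit 0 if the packaged version is < 6.4,
# 1 if it is 6.4 or newer, 2 if the string is not an awstats NVR.
awstats_nvr_vulnerable() {
  v=$(awstats_version_from_nvr "$1")
  [ -n "$v" ] || return 2
  version_lt "$v" 6.4
}

# installed_awstats_vulnerable: same check against the host's rpm database.
# Exit 2 if awstats is not installed (or rpm is unavailable).
installed_awstats_vulnerable() {
  nvr=$(rpm -q awstats 2>/dev/null) || return 2
  awstats_nvr_vulnerable "$nvr"
}

# debug_exposed BODY: exit 0 if an awstats.pl response body looks like
# debug mode is on. Assumption: debug mode emits lines starting "DEBUG <n>".
debug_exposed() {
  printf '%s\n' "$1" | grep -q '^DEBUG [0-9]'
}

# probe_debug BASE_URL: fetch awstats.pl?debug=1 (the URL form from Comment 3)
# from a CGI directory you administer and test the body. Exit 2 on fetch error.
probe_debug() {
  body=$(curl -s --max-time 10 "$1/awstats.pl?debug=1") || return 2
  debug_exposed "$body"
}
```

On a host, `installed_awstats_vulnerable && echo "upgrade awstats"` is the whole check; `probe_debug http://www.example.com/cgi-bin/awstats-6.4` repeats the manual test from the comment, and only against servers you are responsible for.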
Comment 4 Michael Schwendt 2005-05-23 18:47:36 EDT
Well, then at least the ticket ought to be left assigned to Aurelien -- why was
he dropped?!
Comment 5 Alan Olsen 2005-05-24 01:46:17 EDT
The instructions on fedora.us said to change who the bug was assigned to, so I
did. If that is not correct then change the web page and this bug.  I just want
to see it fixed.
Comment 6 Warren Togami 2005-05-24 02:02:24 EDT
I need to improve the instructions on fedora.us.  I suppose adding CC is good
enough so I am aware of it.  I should also give details about what exactly
should go into Extras CVS to prep the package, like "use the old fedora.us disttag".
Comment 7 Aurelien Bompard 2005-05-24 03:21:45 EDT
Since awstats is a noarch package, you should just download the FC3 version
(6.4) and "rpm -Uvh" it.
IIRC, FC1 is not supported anymore at Fedora.us. I don't know about the status
of awstats in Fedora Legacy though.
So for the moment, your best solution is to download the updated version from
the FC3 repository.
Comment 8 Alan Olsen 2005-05-24 03:39:10 EDT
The indication is that it is not supported EXCEPT for security issues.

I can patch my server because I know there is a problem.  (Because I fell victim
to it.)  Others may not even remember they have it installed.

The FC3 version should be built for FC1 and FC2.  (Both FC1 and FC2 versions of
awstats are vulnerable.)  That will at least catch the people who have yum
auto-updating.
Comment 9 Michael Schwendt 2005-05-24 06:42:53 EDT
You should not be running legacy FC2 or FC1 on an Internet facing server
anymore. In particular not if you rely on an extra package for which there are
no guarantees on timely security fixes. When an advisory appears on Bugtraq or
the upstream project's website, it may be too late already. Running 3rd party
awstats packages has led to otherwise secure RHEL servers being cracked multiple
times before.

I highly doubt the Fedora Legacy people do updates for Extras. Most certainly
they don't even want to do such updates because they have enough to do with FC2
and FC1.
Comment 10 Alan Olsen 2005-05-25 18:26:41 EDT
Should and can are two different things.

Some people cannot upgrade at the moment due to either time or other legacy
software or inability to get to the hardware.  (I have one set of servers that
are 300 miles away.  I cannot get to them without blowing a couple of days, not
to mention having to rewrite mod_perl code to work with the later versions.)

Besides...  What part of "remote command execution exploit" do you not understand?

I should not have to have this argument.  The web page clearly states that the
only time software will be patched is for security issues.  This is a very big
security issue that is actively being exploited in the wild.

Not everyone can upgrade at the drop of a hat.  Some people are waiting for FC4
before they upgrade.  No matter what, the package needs to be fixed NOW.
Comment 11 Warren Togami 2005-05-28 02:26:58 EDT
http://download.fedora.us/pending/fedora/1/i386/RPMS.stable/
Please test the binary from here and report back.  I built FC4's awstats into
rh8, rh9, fc1 and fc2 Extras because "remote command execution" is quite bad.  I
have no idea if this package actually works, so I will depend entirely on your
FC1 report to decide if this goes into stable.

If it breaks the other distributions, good... broken is better than vulnerable.
Comment 12 Warren Togami 2005-05-30 21:51:10 EDT
Alan, it is horribly irresponsible of you to complain so loudly then fail to
respond to a simple request to test binaries.
Comment 13 Alan Olsen 2005-05-31 05:21:14 EDT
Sorry. Memorial day weekend was busy for me.  Other obligations.

The package upgrades.  Gives an error "error: %postun(awstats-6.1-0.fdr.6)
scriptlet failed, exit status 1".  Seems to upgrade OK though.

After running the setup program, it runs correctly.  

The debug exploit does not work with the default configuration.
Comment 14 Warren Togami 2005-05-31 05:31:40 EDT
Sorry, I should have been more patient than that.

Hmm that failed scriptlet is worrisome.  We need to figure out what's causing that.
Comment 15 Warren Togami 2005-05-31 05:35:24 EDT
FC1 right?   I installed the old version in a FC1 chroot, then upgraded manually
to the new package, and unable to reproduce this problem.  I suppose it isn't
too bad because it is %postun of the old version.  Pushing the update now.

Get:1 http://download.fedora.us fedora/1/i386/stable awstats 6.1-0.fdr.6 [864kB]
Fetched 864kB in 0s (8236kB/s)
Committing changes...
Preparing...                ########################################### [100%]
   1:awstats                ########################################### [100%]
Done.
[root@build-1 tmp]# rpm -Uvh awstats-6.4-1.fc1.noarch.rpm
Preparing...                ########################################### [100%]
   1:awstats                ########################################### [100%]
Comment 16 Michael Schwendt 2005-05-31 05:48:21 EDT
Bad theory. Since %postun in new awstats package is the same, it would suffer
from the same problem during future updates. But the scriptlet looks okay. Alan
might want to check why "/sbin/service httpd condrestart" fails for him.
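An added example, not from the thread or from the awstats package, of the two things the comment above points at: rerunning the scriptlet's restart call with its output and exit status kept, so a failure can be explained instead of surfacing only as "scriptlet failed, exit status 1", and the shape a %postun restart normally takes so that a failing condrestart cannot fail the rpm transaction. Both functions take the service command as a parameter (defaulting to /sbin/service) so they can be exercised with a stand-in; the service name httpd comes from the comment, and the scriptlet argument convention (rpm passes 1 on upgrade, 0 on erase) is standard rpm behaviour.

```shell
#!/bin/sh
# Added example, not from the bug report or the awstats package.

# diagnose_condrestart [SERVICE_CMD]: run the same condrestart the %postun
# scriptlet runs, but keep its output and exit status so a failure can be
# explained. Returns the service command's own exit status.
diagnose_condrestart() {
  svc="${1:-/sbin/service}"
  rc=0
  out=$("$svc" httpd condrestart 2>&1) || rc=$?
  printf 'condrestart via %s: rc=%s output=%s\n' "$svc" "$rc" "$out"
  return "$rc"
}

# postun_condrestart ARG [SERVICE_CMD]: scriptlet-style restart. ARG is the
# count rpm passes to %postun (1 = upgrade, 0 = erase): restart only on
# upgrade, and never let the restart's failure become the scriptlet's status.
postun_condrestart() {
  if [ "${1:-0}" -ge 1 ]; then
    "${2:-/sbin/service}" httpd condrestart >/dev/null 2>&1 || :
  fi
  return 0
}
```

Running `diagnose_condrestart` as root on the affected FC1 host shows whether it is the service script itself, the missing init script, or the condrestart action that returns 1; `postun_condrestart` is the form to carry into the spec so the next upgrade does not report a failed scriptlet whatever httpd does.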
