“php shell script on my server”

Q:

I have a webserver where I’ve found several different PHP shell scripts and I’d like to know how they got there. Are there known vulnerabilities that allow uploading of PHP files to a server?

I have several sites running on this server with several PHP script packages, including:

Zencart
phpbb2

Any ideas or pointers will be appreciated!

A: Hi,

There are several vulnerabilities in both off-the-shelf products and custom PHP scripts that would allow “uploading”; in essence they don’t need to upload, they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.

phpBB has several:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=phpbb

Listed as Code Execution, Arbitrary File Upload, etc.

While Zen Cart has just one problem:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=zen+cart

But that could be misleading, and just mean that the software is very uncommon.
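As an added example (not from the question or the answer above), here is a small triage scanner a defender can run over a web root to find the two things this question asks about: PHP files carrying shell-style primitives (eval, base64_decode, system and friends) and PHP files sitting in directories that should only ever hold uploads. The upload directory names and the scoring weights are assumptions; the sample files are constructed.

```python
import os
import re
import tempfile

# Functions a PHP web shell needs to run commands or hide its payload.
# The function names are real PHP built-ins; the weights are this example's.
SUSPICIOUS = {
    r"\beval\s*\(": 3,
    r"\bbase64_decode\s*\(": 2,
    r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(": 3,
    r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]": 3,  # /e modifier acts like eval
    r"\$_(GET|POST|REQUEST|COOKIE)\b": 1,
    r"\bmove_uploaded_file\s*\(": 1,
}
# Directories assumed to hold user uploads only; PHP there is out of place
# (assumed layout: adjust to the real application paths).
UPLOAD_DIRS = ("images", "uploads", "files", "avatars")


def score_php_source(src):
    """Return (score, matched patterns) for one PHP source text."""
    hits, score = [], 0
    for pattern, weight in SUSPICIOUS.items():
        if re.search(pattern, src, re.IGNORECASE):
            hits.append(pattern)
            score += weight
    return score, hits


def scan_webroot(root, threshold=4):
    """Walk root; report PHP files that look like shells or sit in upload dirs."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_php_source(fh.read())
            misplaced = any(d in UPLOAD_DIRS for d in rel.split("/")[:-1])
            if score >= threshold or misplaced:
                report[rel] = {"score": score, "hits": hits, "misplaced": misplaced}
    return report


def demo():
    """Build a constructed web root with three sample files and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed samples, not real malware
        "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
        "images/upload.php": "<?php eval(base64_decode($_POST['p'])); ?>",
        "admin/tools.php": "<?php system($_REQUEST['cmd']); ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, info in demo().items():
        print(rel, info)
```

Hits only flag candidates for manual review; compare them against the package's pristine distribution and the web server's access log to find the request that dropped the file.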


Two infosec veterans weigh in on Full Disclosure

Marcus J Ranum (MJR) says (http://www2.csoonline.com/exclusives/column.html?CID=28072)

“After 10 years of full disclosure, security has not gotten any better”.

First off, how would we know what security would have been like without full disclosure? Perhaps it could have been said that security would have gotten exponentially (or even linearly) worse. In which case, statements like “security hasn’t gotten any better” and “the number of vulnerabilities is pretty much constant” would imply that full disclosure works? But, wait, that presupposes that only one factor contributes to the state of security – which is a logical fallacy as well. Hmmm, ok. I can’t draw any logical conclusions here. Let’s go to Bruce’s argument.

Bruce says: (http://www2.csoonline.com/exclusives/column.html?CID=280723)

“Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.

Bruce’s argument logically implies that with full disclosure we have a *potential* for better system security. Unfortunately, we can’t measure the rate at which these fixes actually get deployed and we can’t measure the rate at which crackers use publicly disclosed bugs to exploit unpatched systems. So, at the end of the day, I can’t say whether or not public disclosure actually helps the end user. I can say that public disclosure at least creates a Potential™ for better system security… and that’s something.

A good portion of MJR’s article is devoted to the lambasting of security researchers. Some quotes:

‘For longer than a decade, we’ve lived under the mob rule, where for some security consultants and companies, “marketing” has been replaced by “splashily announcing holes in commercial products to get 20 seconds of fame on CNN.” ‘

‘Now that we can look back at 10 years of what disclosure has brought us, it’s brought us…well, nothing much. Nothing much, that is, except a grey-market economy in exploits, where independent “vulnerability researchers” attempt to cash in by finding new attacks that they can sell to security companies or spyware manufacturers—whichever bids higher. Nothing much unless you count the massive amounts of “free” marketing exposure for companies that trade in exploits.’

‘The state of ethics in the computer security industry is pathetic; it’s on par with where medicine was in the 1820s—except that some of the snake-oil salesmen in the 1820s actually believed in their products.’

‘Those of you who are playing the disclosure game are just playing for your two minutes of fame: You’re not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn’t shouting “fire!” in a crowded theater so…um, ’90s? I know that the typical security customer is (to you) an unsophisticated rube, but that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired “chief hacking officer” on CNN one more time.’

‘Unfortunately, if you look at the last 10 years of security, it’s a litany of “one step forward, one step back,” thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. ‘

I think I see a little bias creeping in here and perhaps even a bit of hypocrisy.
Marcus abhors the hacker/security-researcher type. I don’t know if he hates that they are getting attention that is undue, that they are making money off the attention, or that he isn’t getting the attention that he once did. At any rate, it’s getting damn old. The guy that shouts “fire” may very well be annoying. The guy that jumps up and down shouting “Hey, he’s shouting fire” is equally annoying.
In the past, MJR has been spot-on with his analysis. Now, his ‘analysis’ seems as much a PR-trolling rant as any of the mob that he is criticizing. And, let’s not forget that Marcus gets paid by a company that discloses holes in major products and perhaps benefits from the free ‘marketing’. I bet no one is inviting this motherfucker to the company barbecue ;-)

Anonymous


SecuriTeam now mirrors the month of kernel bugs (MoKB)

The original site:
http://projects.info-pull.com/mokb/

Our mirror:
http://www.securiteam.com/mokb/


The real story behind BT buying Counterpane!

From “Schneier on Security”:

FLUNKY: Sir, that Schneier person called again. He left a detailed message.


Domain Squatting in the solar system (Memory Leak #18)

Memory Leak, eighteenth strip of this new comic.

Memory Leak #18

Earl #6 (comic strip)

Earl, sixth strip of this new comic.

Earl #6

Memory Leak #16 (comic strip)

Memory Leak, sixteenth strip of this new comic.

Memory Leak #16

Memory Leak #9 (comic strip)

Memory Leak, ninth strip of this new comic.

Memory Leak #9

Hacked #2 (comic strip)

Hacked, second strip of this new comic.

Hacked #2

Interview with Luigi Auriemma

For those of you who don’t know Luigi, he is the most respected computer games security researcher today. He regularly releases advisories reporting security holes in games, as well as in-depth analysis of network protocols and algorithms for these games.

SecuriTeam decided to conduct an interview with Luigi in order to learn more about him, and to show a part of the security world that is often overlooked.

Luigi’s native language is Italian, so please keep that in mind when reading the interview.

We would very much like to thank Luigi for the interview and for his quick response to our long list of questions.

First of all, can you tell us a little about yourself?

Well, my name is Luigi, I’m 25 and I live in Milan, Italy.
Most of the information about me is written on my website, but the more important points are that I’m an atheist, I like freedom of information, games, finding security bugs, reversing and full-disclosure.
About my character, I’m often insecure, a loner, unhappy and don’t have a well defined personality… oh, and my memory is really very bad eh eh eh

How did you find your way to the bug/vulnerability research world?

Simply trying. In 2001 I had a job which allowed me to stay on the Internet all the time (at that time I had a 56k modem at home and the connection cost a lot). Since then I was very interested in security, and I started to follow the Bugtraq mailing-list.
After some time I decided to try to find bugs in some software just like the people on Bugtraq did, so I downloaded Apache for Windows (version 1.3.15 if I’m not mistaken) and tried to find a buffer-overflow using only Notepad and netcat… after some tries I found something interesting, an off-by-one!
Usually there is nothing difficult in bug researching; the most important things are time and will (if you have those you already have 99% of what you need).

Why do you research vulnerabilities in computer games, while most major bugs are in operating systems or infrastructure applications such as the recent WMF issue, or the latest Mac OS X vulnerabilities?

I like to find bugs in games for several reasons. First, because it’s strange and rare to see security bugs in games, so I have practically the whole gaming world for my tests since it’s still a virgin field in security research.
Second, I like games! (I started to play games on the Commodore 64, while programming arrived only recently with my interest in security) so it’s fun to find bugs in them.
And finally, games use proprietary protocols, so this situation forces me to do other interesting research and make these algorithms available to the public.
An example is Halo: if I hadn’t reversed the encryption algorithm used for the packets, haloloop wouldn’t have existed.

Are there other vulnerability research fields that you are interested in besides computer games?

Practically everything which is under my hands. Web and FTP servers, chat and instant messaging, multimedia players and encoders, mail clients and everything that has bugs.
I usually like to find unusual bugs (not necessarily critical), so games become important since their architecture allows a big range of strange vulnerabilities.

What do you think is the major risk involving security holes in games?

There are many risks and almost all are not actually caused by the bugs but by the attitude of some administrators and gamers.
First of all there is the absurd desire of the majority of the community to keep the holes and the information secret. It’s not uncommon to surf a web forum and see administrators ask for information about why their servers crash, and then to see the forum moderator edit any replies in which someone refers to my website or similar research.
The same people who adopt this attitude are the ones that use the unofficial patches I create. I think that is a real shame.
Then there’s the problem of the software versions – for various reasons (server performance, number of players and so on) many administrators and players use old and buggy game versions, so they will continue to be vulnerable to all the public and undisclosed security bugs that were fixed silently in the recent patches.

Are you working in the field of security research or creating computer games as your occupation?

Oh no no, I don’t have an occupation in this field.
I would like a job in security only for increasing my knowledge but I don’t want my job and my passion to clash; my passion comes first.
About creating games, it was my dream when I was young.

As we all know, you like computer games :-). What is the first thing that you look at when you play a computer game?

I like driving games a lot, so the first thing I look for is the game-play. It is not important if the game is an arcade or a simulation or has bad graphics, since the only important thing is if I have the desire to play it again later.

Which games are your personal favorites?

At the moment none, since I do not play games enough right now.
Anyway I like to play online with Toca Race Driver (yes, I know it’s full of security holes and game-play bugs!!!) and it’s the only game I play on the Internet.
Several months ago I started playing Downtown Race, a semi-unknown arcade racing game – very funny. There are other games that I don’t remember at the moment.
One game which is still and will always be in my memory is Unreal Tournament. It was the first game I played online, on a 56k modem with a horrible ping delay; it has a very interesting atmosphere.

What drives you to explore a certain game for bugs/security vulnerabilities?

Lately the answer is only one: Windows 98SE as a requirement and, naturally, multi-player support.
If this requirement is satisfied I launch the game client and server, sniff some packets, check if they contain something interesting and, if I feel a certain inspiration, I start to test the game.
Usually I try to write a fake player tool so that I’m forced to understand a bit about how the game protocol works and where it might contain flaws.
Otherwise I will do some quick in-game format string and buffer-overflow attempts just as a minimal test.

Many vendors out there invented the term “responsible research”. What’s your opinion?

Responsible research is the most false and misleading term I have ever heard.
There is nothing responsible in giving decisional power about the patching of a bug to the vendor, which usually means many months (it’s enough to read some advisories released by security companies)!
We must start from the idea that the underground already knows about the existing bugs, so responsible can only mean for the person/company to make these bugs public as soon as possible, since leaving them unpatched for many months or years is totally insane.
Anyway there is another important thing under this term, since it’s just like a weapon in the hands of the vendor.
Let me explain. Almost all the security companies adopt this type of research/disclosure, which makes the vendors happy (they have all the time for fixing the bug, or “not”) and the security companies too (they do this work for money, so they gain partnerships, contracts and moreover visibility).
Now when an independent researcher finds and releases a vulnerability under the full-disclosure philosophy or any other non (so called) “responsible” disclosure, the vendor feels the right to pursue him, since he thinks “why has this stupid guy not contacted me or waited for months before releasing this bug like the security companies do?”.

Why did you choose the GPL license to release all of your work?

Actually it’s the only license I know which gives freedom to both developers and users.
Only my proof-of-concept code is not released under the GPL; it is just public.

Many computer users think that vulnerabilities and PoC code should not be released to the public domain, and yet you publish such information using a GPL license, making it available to anyone. What do you think of the idea of “Security by Obscurity”?

Security through obscurity has done and continues to do tons of damage, so it is not important what I think, but what the reality is and what has been demonstrated in all these years.
In my experience security through obscurity has always made bad things, as already explained about the risks in games for example.
You should have seen my face when a few years ago I found the good old gshboom bug in the Gamespy SDK: I found a great crash bug versus tons of diffused games and found also that Gamespy encoded the game packets… really incredible.

What type of reaction are you getting from vendors in the computer game industry?

Small vendors/developers are usually happy about my research, while the most well-known developers are usually the opposite. Naturally, that depends.
Anyway this is probably normal. Although games are software (NOT 2nd-grade software like many people think!), game security is still less known or usually confused with cheating.
A developer who is writing an FTP server already knows that he must avoid some security bugs, while in games the first requirements are graphics, game-play, performance and game-play bugs… then, if there is enough time, security related bugs are considered.

Have you ever used your PoC on real players of a computer game to take control of their machines? (come on, you can tell us ;-) )

Seems strange but I have never used my stuff in an evil way.
In some rare cases, if the vendor doesn’t reply to my emails and I have some doubts about a bug, I may try to see if one or two empty servers online are vulnerable.
I bet that if I had evil intentions my advisories and happiness would double!
Anyway, I think that it is a good thing that people exploit bugs when there are existing patches for the vulnerability. That’s why I don’t blame script kiddies, since they make the users aware of the existence of a problem which is better to remove before someone with more skill does real damage.

On your web site you declare that you do not like colorful hats, so what guides you in the way you react to vulnerabilities?

I find bugs because I like that someone with my full-disclosure philosophy finds them before others. I do not care if someone uses them for damage or to test his server since I want to be neutral.
What I really like is what kind of influence my stuff has indirectly. Maybe someone will start to find interest in security after having read my advisories, or perhaps someone will like my philosophy or maybe other people will now be more aware of the existence of a less known software which I have tested and so on.

Was there a time that you thought that it was a bad idea to release an advisory to the public after you had already released it? If so, what was it and why?

Sure, the cause is, as always, my personal insecurity.
In fact sometimes I’m not satisfied by the description of the vulnerability I have written in the advisory, or I feel there is something incomplete.
The best example is one of my oldest advisories (Pegasus Mail) where I also released a patcher which fixed the bug but didn’t allow sending mails… blah.
Now when I release an unofficial fix I test it many times.
A few months ago I decided to release some advisories only on my website when I’m in doubt. That’s also true if the vulnerability is not so dangerous or the software is still a beta or really poorly diffused.

Would you like to be paid for your research? What if it meant that you cannot release the information to the public, only to the company who paid you for it, so that they can release it under their name?

That’s horrible! I prefer my name and my freedom; money can wait.
One of the biggest pleasures is just releasing your own stuff with your name on top of the advisory and being credited for the vulnerability.

If tomorrow a game vendor came to you and said “Luigi, I’m willing to give you any amount of money, just find all of the possible vulnerabilities that my game has”, would you take such an offer?

This has already happened and I have refused.

What is the game that you are willing to tell people “don’t even come close to it!” about, regarding the amount of vulnerabilities and/or vendor response?

Eh eh eh you already know the answer for this question!
Fortunately all the bad things (bugs and hidden code) I have found in the Gamespy software are all documented so there is nothing more I need to say… it’s enough to watch my Advisories and Research page and then check the existence of the Gamespy logo behind the packages of the games in the stores.

On your web site you stated that you do not contact vendors that you contacted before and that did not respond or fix the vulnerability you found in the past. Are there many vendors that act this way? Are there any ‘saint’ vendors that surprised you with a good response?

I want to start by talking about the vendors which surprised me with their quick response, and the first example is Punkbuster; unfortunately a mail problem (now solved!) didn’t allow me to receive their mails, and the absence of explanations and credits (independent researchers like credits, and in this case they were useful too!) in the changelog of the new version created a misunderstanding.
Anyway usually the open source community is faster to reply to my security reports, but I have also had many good surprises from some game developers which were very happy with my reports.
In the “bad guys” group I’m forced to place Gamespy (not only for the cease and desist but just for their attitude) and all the others that have never replied to my mails and that fortunately I don’t remember at this moment.

Are you worried about the DMCA and similar rules being used against you to drag you into court by a large corporation?

Not anymore. The experience with Gamespy (which pulled back the cease and desist letter, so no court time or money was spent) was very useful about this matter.
Also the recent news regarding Guillermito, who now must pay for something for which only the vendor should be punished.


Administrivia: Blog Requests over the past week

Hello.

To those of you who may have emailed us over the past week:
We’ve been experiencing some problems and it is possible (although not likely) that your email message did not reach us.

Please email us again, and we would be happy to add you to our blog authors circle. :)

Thanks,
The SecuriTeam Blogs community.


Bypassing Gmail Executable Blocking

“as a security measure to prevent potential viruses, gmail doesn’t allow you to send or receive executable files (such as files ending in .exe) that could contain damaging executable code.

gmail won’t accept these file types even if they are sent in a zipped (.zip, .tar, .tgz, .taz, .z, .gz) format. if this type of message is sent to your gmail account, it is bounced back to the sender automatically.

you can send and receive messages up to 10 megabytes (mb) total (including attachments). any message that exceeds this limit will not be delivered to your inbox and will be returned to the sender.”

(information from google)

recently i needed to send someone an exe file using my gmail account.
well, from the gmail faq quote above, you can understand that i cannot send a windows executable file (or a file with the .exe extension).

you may think that exe is out of the question… or is it? (muha muha muha .. sorry – Sunshine influenced me).

well it seems that exe files compressed with rar or ace are ignored. yep, i can use rar to compress an exe and send it to you using gmail. but checking if ‘elf’ binaries can be sent through gmail led me to an interesting conclusion:

do i really need rar?! all i need is to change the extension of the file and gmail will gladly accept it.

now you may ask yourself, why the hell am i writing this on my blog instead of notifying google?

well, i went to google’s contact us page (took me a while to find it with all of the latest portals they’re giving us), and found a nice email: security@google.com. now when i sent this information (with more details, btw) to google, this was the reply:

from: “gmail team”
hello,

thanks for contacting us. we aren’t able to respond directly to inquiries
submitted to this email address.

please visit our help center at http://gmail.google.com/support/, or by
clicking ‘help’ at the top of any gmail page within your account. our help
center provides answers to the most commonly asked questions, and offers
information about gmail and all of its features.

if you are unable to log in to your gmail account, please follow the steps
to reset your password by clicking ‘forgot your password?’ on

http://gmail.google.com.

sincerely,

the gmail team

——
if you’d like to learn more about how gmail’s features work, check out the
gmail help discussion (http://groups.google.com/group/gmail-abcs) where
our users share helpful tips and tricks with one another.
——”

hey, i contacted security, not support! so i said to myself, let’s send this to the webmaster of gmail. well, the addresses webmaster@gmail.com, security@gmail.com and webmaster@google.com do not exist! i received bounces back on all those emails…

the date of contacting them was: december 4th, 2005, and i waited until today to see maybe they will contact me… guess what… they did not.

so, i tried to do something else (that actually did not work o_o): i sent a virus without using the .exe extension. but it turns out the gmail antivirus actually found my virus (well, at least that!).
but then again i used some very old win32 virus :)

anyway, if any of you have 0-days out there to send using gmail, have no fear, because for now, gmail will not block it.

and for google, please make better ways for contacting you, and please do read things that may sound like support requests. or at least make a place to report bugs etc… even microsoft has one.
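Added example, not from the post or from Google: an attachment check that keys on file content rather than the file name, so the renamed-.exe trick and an executable hidden inside a zip described above are both caught. The magic-byte values are the standard headers of the named formats; the sample payloads are constructed headers plus padding, not real programs.

```python
import io
import zipfile
from typing import List, Optional

# The one extension the quoted FAQ names as blocked; name checks alone are weak.
BLOCKED_EXTENSIONS = (".exe",)

# Magic bytes of executable container formats; checked regardless of the name.
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                    # DOS/Windows PE header (the .exe case)
    b"\x7fELF": "elf",              # Linux/Unix ELF (the post's second test)
    b"\xcf\xfa\xed\xfe": "mach-o",  # 64-bit Mach-O, little-endian
    b"\xfe\xed\xfa\xce": "mach-o",  # 32-bit Mach-O, big-endian
    b"#!": "script",                # shebang script
}
MAX_ARCHIVE_DEPTH = 3  # stop recursing into nested zips (zip-bomb guard)


def sniff_executable(data: bytes) -> Optional[str]:
    """Return the executable kind identified by magic bytes, or None."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return reasons to reject the attachment; an empty list means accept."""
    reasons = []
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        reasons.append(f"{name}: blocked extension")
    kind = sniff_executable(data)
    if kind:
        reasons.append(f"{name}: {kind} executable content")
    # Look inside zip containers by content, so an executable zipped under a
    # harmless member name is still found.
    if depth < MAX_ARCHIVE_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = classify_attachment(info.filename, zf.read(info), depth + 1)
                reasons.extend(f"{name}/{reason}" for reason in inner)
    return reasons


def make_zip(files: dict) -> bytes:
    """Build an in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample payloads: just format headers plus zero padding.
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_ELF = b"\x7fELF" + b"\x00" * 12
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 12


def demo() -> dict:
    """Run the classifier over the cases the post describes."""
    cases = {
        "photo.jpg": JPEG_HEADER,                        # genuine image: accept
        "tool.exe": FAKE_PE,                             # blocked by name and content
        "report.jpg": FAKE_PE,                           # renamed .exe: caught by magic
        "notes.txt": FAKE_ELF,                           # renamed ELF binary
        "bundle.zip": make_zip({"inner.dat": FAKE_PE}),  # executable hidden in a zip
    }
    return {name: classify_attachment(name, data) for name, data in cases.items()}
```

Formats the sniffer does not know (the post's rar and ace archives, for instance) pass through, so a real gateway pairs this with an archive library for each container type it accepts and rejects containers it cannot open.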
