PHP content-disposition vuln

From: Roland von Herget (rhergetat_private)
Date: Tue Jun 25 2002 - 10:05:43 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hi all,
    
    Snort picked up the following yesterday evening:
    [complete packet dump attached]
    
    [GMT+1, yesterday]
    49649| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  php content-disposition
    49648| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  SHELLCODE x86 EB OC NOOP
    49647| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  SHELLCODE x86 EB OC NOOP
    49646| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  SHELLCODE x86 EB OC NOOP
    49645| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  php content-disposition
    49644| [18:39:00] 65.89.43.125:4040 -> a.b.c.4:80  php content-disposition
    49643| [18:39:00] 65.89.43.125:4039 -> a.b.c.4:80  php content-disposition
    49642| [18:38:59] 65.89.43.125:4038 -> a.b.c.4:80  php content-disposition
    49641| [18:38:59] 65.89.43.125:4037 -> a.b.c.4:80  php content-disposition
    49640| [18:38:59] 65.89.43.125:4036 -> a.b.c.4:80  php content-disposition
    49639| [18:38:58] 65.89.43.125:4035 -> a.b.c.4:80  php content-disposition
    49638| [18:38:58] 65.89.43.125:4034 -> a.b.c.4:80  php content-disposition
    49637| [18:38:58] 65.89.43.125:4033 -> a.b.c.4:80  php content-disposition
    49636| [18:38:58] 65.89.43.125:4032 -> a.b.c.4:80  php content-disposition
    49635| [18:38:57] 65.89.43.125:4031 -> a.b.c.4:80  php content-disposition
    49634| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80  php content-disposition
    49633| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80  SHELLCODE x86 EB OC NOOP
    49632| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80  SHELLCODE x86 EB OC NOOP
    49631| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80  SHELLCODE x86 EB OC NOOP
    49630| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80  php content-disposition
    49629| [18:38:55] 65.89.43.125:4013 -> a.b.c.34:80  php content-disposition
    49628| [18:38:54] 65.89.43.125:4012 -> a.b.c.34:80  php content-disposition
    49627| [18:38:54] 65.89.43.125:4011 -> a.b.c.34:80  php content-disposition
    49626| [18:38:54] 65.89.43.125:4010 -> a.b.c.34:80  php content-disposition
    49625| [18:38:54] 65.89.43.125:4009 -> a.b.c.34:80  php content-disposition
    49624| [18:38:53] 65.89.43.125:4008 -> a.b.c.34:80  php content-disposition
    49623| [18:38:53] 65.89.43.125:4007 -> a.b.c.34:80  php content-disposition
    49622| [18:38:53] 65.89.43.125:4006 -> a.b.c.34:80  php content-disposition
    49621| [18:38:53] 65.89.43.125:4004 -> a.b.c.34:80  php content-disposition
    49620| [18:38:52] 65.89.43.125:4003 -> a.b.c.34:80  php content-disposition
    49619| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80  php content-disposition
    49618| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80  SHELLCODE x86 EB OC NOOP
    49617| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80  SHELLCODE x86 EB OC NOOP
    49616| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80  SHELLCODE x86 EB OC NOOP
    49615| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80  php content-disposition
    49614| [18:38:50] 65.89.43.125:3975 -> a.b.c.33:80  php content-disposition
    49613| [18:38:49] 65.89.43.125:3974 -> a.b.c.33:80  php content-disposition
    49612| [18:38:49] 65.89.43.125:3973 -> a.b.c.33:80  php content-disposition
    49611| [18:38:49] 65.89.43.125:3972 -> a.b.c.33:80  php content-disposition
    49610| [18:38:48] 65.89.43.125:3971 -> a.b.c.33:80  php content-disposition
    49609| [18:38:48] 65.89.43.125:3970 -> a.b.c.33:80  php content-disposition
    49608| [18:38:48] 65.89.43.125:3969 -> a.b.c.33:80  php content-disposition
    49607| [18:38:48] 65.89.43.125:3965 -> a.b.c.33:80  php content-disposition
    49606| [18:38:47] 65.89.43.125:3961 -> a.b.c.33:80  php content-disposition
    49605| [18:38:47] 65.89.43.125:3957 -> a.b.c.33:80  php content-disposition
    
    Here he stopped; there are a few web servers left in our /24, so I put up
    tcpdump, maybe I'll get a few complete traces...
    The client machine tells me the following:
    
    > telnet 65.89.43.125 80
    Trying 65.89.43.125...
    Connected to 65.89.43.125.
    Escape character is '^]'.
    HEAD / HTTP/1.0
    
    HTTP/1.1 200 OK
    Date: Wed, 19 Jun 2002 19:34:10 GMT
    Server: Apache/1.3.14 (Unix) PHP/4.0.4pl1
    Connection: close
    Content-Type: text/html
    
    So it seems vulnerable...
    
    I've never seen this in the wild until right now... Has anyone seen large
    (or any) activity regarding the PHP file upload bug?
    Or am I only overly nervous because of the recent Apache / OpenSSH
    problems?
    
    
    Greetings,
    
    Roland
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Weitere Infos: siehe http://www.gnupg.org
    
    iD8DBQE9GKLqTyqg9LmJhHMRAhX9AKDUjaqeroZ+GPy0FRC0TUrb4q+9aACfR/r+
    g+hfktzcIV9aLGGnbBp0wcU=
    =ti8P
    -----END PGP SIGNATURE-----
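The alert listing above shows the pattern worth pulling out of a Snort summary automatically: a sweep of single "php content-disposition" hits across each web server in the /24, then one connection per host in which the content-disposition signature fires together with several "SHELLCODE x86 EB OC NOOP" hits, i.e. a probe followed by a payload. The following is an added example, not code from the post or from Snort: it parses summary lines in the format quoted above, groups them by TCP flow and reports the flows where both signatures fired. The sample lines are constructed in the post's format (the a.b.c.N hosts are the post's own redaction; the 10.0.0.7 line is invented as a lone probe that should not be flagged).

```python
import re
from collections import defaultdict

# Constructed sample in the post's summary format: one line per alert,
# "<id>| [<time>] <src>:<sport> -> <dst>:<dport>  <signature>".
SAMPLE_ALERTS = """\
49649| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  php content-disposition
49648| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  SHELLCODE x86 EB OC NOOP
49647| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  SHELLCODE x86 EB OC NOOP
49646| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  SHELLCODE x86 EB OC NOOP
49645| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80  php content-disposition
49644| [18:39:00] 65.89.43.125:4040 -> a.b.c.4:80  php content-disposition
49643| [18:39:00] 65.89.43.125:4039 -> a.b.c.4:80  php content-disposition
49620| [18:38:52] 65.89.43.125:4003 -> a.b.c.34:80  php content-disposition
49605| [18:38:47] 65.89.43.125:3957 -> a.b.c.33:80  php content-disposition
12345| [18:40:00] 10.0.0.7:5555 -> a.b.c.9:80  php content-disposition
"""

# Column layout of the summary line; the signature text runs to end of line.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\|\s+\[(?P<time>[\d:]+)\]\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<sig>.+?)\s*$"
)


def parse_alerts(text):
    """Parse summary lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        for k in ("id", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def group_by_flow(alerts):
    """Signatures seen on each (src, sport, dst, dport) TCP flow."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].append(a["sig"])
    return flows


def exploit_flows(alerts):
    """Flows where the content-disposition rule and a SHELLCODE NOOP rule
    both fired. A bare probe fires only the former; the NOOP sled in the
    same connection means a payload was sent along with the upload."""
    hits = []
    for flow, sigs in group_by_flow(alerts).items():
        has_cd = any("content-disposition" in s for s in sigs)
        has_sc = any(s.startswith("SHELLCODE") for s in sigs)
        if has_cd and has_sc:
            hits.append(flow)
    return sorted(hits)


def targets_by_source(alerts):
    """Distinct destination hosts each source touched (the sweep itself)."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["src"]].add(a["dst"])
    return {src: sorted(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for src, dsts in targets_by_source(alerts).items():
        print(f"{src} swept {len(dsts)} host(s): {', '.join(dsts)}")
    for src, sport, dst, dport in exploit_flows(alerts):
        print(f"payload delivered: {src}:{sport} -> {dst}:{dport}")
```

Run against a real summary, the interesting output is the second list: every host that appears there received the shellcode-carrying request, not just the probe, and is the one to check for a PHP build in the affected range and for anything that happened on the box after that timestamp.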
    
    
    
    

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 08:35:58 PDT