I'm always trying to find new ways to stop PHP and other types of shells from being executed on the server. Most of the time I will upload them myself, see how they tick, and then add the proper mod_security rules to block the strings if my gotroot rules currently don't have them.
Well, the other day my friend showed me this on my server, a cPanel server, as a regular user with no shell access or anything. Apache was running with suexec.
And when you go into this, it is just like logging into an SSH terminal as the user, with full exec and compiling permissions. Plus you can download to and write to any folder in the home directory.
The only way I found to prevent it from downloading to the server was running Apache without suexec and running CGI as nobody instead. I could not figure out how to block this with mod_security, because it doesn't use URL strings; it's just like an executable being launched.
If anyone is interested in these types of things and ways to keep things secure at the user level, it's worth checking out.
You can download it at http://www.rohitab.com/cgiscripts/cgitelnet.html
If anyone knows any mod_security rules to stop these, please share. But to try it out, upload this to the cgi-bin of a user with any level of access, even no SSH access, and you will see what I mean.
Someone could run local root exploits or run spam and attacks from your server with these.
For the security-minded and people who like to test, this is worth looking at.
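As an added illustration (not code from the thread and not cgitelnet's code): since the shell is an ordinary CGI script that suexec runs as the account owner, and mod_security only sees the HTTP traffic, the one thing you can always inspect is what is actually sitting on disk in the account, however it got there (FTP, a vulnerable upload form, or the customer). This Python script walks an account's web tree and reports scripts that both read a command-like request parameter and hand something to a shell. The signatures, the directory layout and the two sample CGIs are constructed for the example; the "shell" sample only imitates the shape of a CGI command shell. These are heuristics, so a custom-written shell can evade them, which is exactly the limit of signature-based checks.

```python
"""Heuristic scan of a hosting account's web tree for uploaded command shells.

Added example, not code from the original thread or from cgitelnet. The
signatures, directory layout and sample files below are constructed.
"""
import os
import re
import tempfile

SCRIPT_EXT = {".cgi", ".pl", ".php", ".py", ".sh"}

# Byte regexes: uploaded shells are often not valid UTF-8.
SIGNATURES = {
    # Perl/PHP: a call that hands a string to the shell.
    "shell_call": re.compile(rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    # Perl: open() with a pipe, e.g. open(F, "$cmd |").
    "pipe_open": re.compile(rb"\bopen\s*\([^)]*\|"),
    # Perl: backticks that interpolate a variable.
    "backtick_interp": re.compile(rb"`[^`\n]*\$\w+[^`\n]*`"),
    # A request parameter named like a command parameter.
    "cmd_param": re.compile(rb"(?:param|\$_(?:GET|POST|REQUEST))\s*[\[(]\s*['\"](?:cmd|command|c)['\"]"),
}


def scan_file(path, max_bytes=1 << 20):
    """Return the names of the signatures that match the file, sorted."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(data))


def scan_tree(root, min_hits=2):
    """Walk root and return {relative path: hits} for scripts matching at
    least min_hits distinct signatures. Requiring two keeps a CGI that merely
    calls system() with a fixed command out of the report; a script that both
    reads a 'cmd' parameter and feeds something to a shell is what we want."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if len(hits) >= min_hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


# Constructed samples. SHELL_CGI imitates the shape of a CGI command shell
# (read a "command" parameter, run it, echo the output); it is not cgitelnet.
# COUNTER_CGI is a benign script that runs one fixed command and must not be
# reported.
SHELL_CGI = b"""#!/usr/bin/perl
use CGI;
my $q = CGI->new;
my $cmd = $q->param('command');
print "Content-type: text/html\\n\\n<pre>";
print `$cmd 2>&1`;
print "</pre>";
"""
COUNTER_CGI = b"""#!/usr/bin/perl
print "Content-type: text/plain\\n\\n";
system("/usr/bin/logger visit");
print "thanks\\n";
"""


def build_sample_tree():
    """Create a throwaway account tree (hypothetical layout) and return its root."""
    root = tempfile.mkdtemp(prefix="acct_")
    cgi_bin = os.path.join(root, "public_html", "cgi-bin")
    os.makedirs(cgi_bin)
    with open(os.path.join(cgi_bin, "telnet.cgi"), "wb") as fh:
        fh.write(SHELL_CGI)
    with open(os.path.join(cgi_bin, "counter.cgi"), "wb") as fh:
        fh.write(COUNTER_CGI)
    with open(os.path.join(root, "public_html", "index.html"), "wb") as fh:
        fh.write(b"<html>hi</html>")
    return root


if __name__ == "__main__":
    account = build_sample_tree()
    for rel, hits in scan_tree(account).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against each account's home directory from cron as root (it only reads files), and tune min_hits and the signature list to your customers' real CGI; legitimate scripts that call system() with a fixed command drop out at min_hits=2.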
lol, I do have an understanding of the file system and Unix.
I have legitimate shell users on my box, so I can't go chmodding binaries.
I knew I'd get some smart-aleck reply from this. Oh well, I was just trying to point out to people with cPanel servers that this can be a problem if someone used this on a user account on their server.
But yeah, have mod_security scanning POST data, all that. I will most likely compile Apache back with suexec so I can track spam and whatnot, so I'll figure out something to block it soon. I don't have a problem with many things like this, but it's always good to be prepared.
My 2 cents: it's not the CGI shell that's dangerous. What's dangerous is the vulnerability that gets exploited that allows an unauthorized person to write to the disk in the first place. cgitelnet is one of infinite applications that could be used to aid an attacker. As such, I don't see the point of placing any more relevance on it than any other command shell. It's not that I think rules shouldn't be created for it (which would be done easily enough by viewing the code, running the code while sniffing traffic and tailing log files, etc.), but I think modsec's powerful functionality is heavily undermined by promoting the idea that the bigger the ruleset you have, the more secure you are. I know that's not what was said here word for word, but I feel that is the idea that it promotes.
When focus turns to detecting and eliminating threats first, rather than creating signature-based rulesets (which are all flawed by their very nature) that are application-specific, then I think true progress will be made towards a more secure server environment in regards to attacks over HTTP.
I totally agree that the flaw which allows an attacker to upload such a thing should be stopped first, but when you run a hosting server you can't be assured that all of your customers are running secure apps. Also, my concern is that clients don't upload and use such a tool.
An attacker uploading and using it was probably half my concern, the other half being clients. Sure, you may say, "Well, you shouldn't have such clients." True, but you can't screen everyone. I know I've had some customers before who I believe bought a small hosting plan just to try and hack the server. Not too long ago some guy bought a $3.75 plan and asked if he could just use a subdomain of one of my domains. That should have been a red flag right there, because each time someone has asked such a thing it's always been a spammer or someone like this.
But anyway, the guy gets on the server, and the first thing he does is upload different PHP shells, totally filling my audit log up. So he obviously bought it just to try and hack me.
And then you will have some customers who want to try and run processes with such tools as the CGI telnet. It's not attackers uploading it I'm worried about, rather a customer or someone with FTP access doing it. Really not that big of a worry, but I was surprised it ran with such high permissions and bypassed any SSH setting in cPanel.