The Lupper worm

The Lupper worm

Posted Nov 11, 2005 21:43 UTC (Fri) by rickmoen (subscriber, #6943)
In reply to: The Lupper worm by giraffedata
Parent article: The Lupper worm

giraffedata wrote:

It's really PHP in general, not specifically XML-RPC.

Though I'm a bit down on (a lot of) PHP code and practices, the PHP-relevant vulnerability in this particular case was one in an old, poorly coded version of an add-on messaging library (PHPXMLRPC) written in PHP, that is not included with PHP itself.

The PHP XML-RPC program is just one that opens this hole.

Yes, though the correct verb would be "was" (and it's technically a library, not a program as such).

In the article, we see one other -- Awstats, and there are many more.

I see exactly three: input validation bugs in old versions of the PHP-coded third-party PHPXMLRPC library, plus input validation bugs in old versions of two Perl CGI scripts (AWstats and WebHints). I'm not aware of any Linux or *BSD that defaults to installing any of those, old versions or not.

I predict that there will be a small run of defacements (but not host compromises) of Web servers that either run those buggy CGIs exposed to the public, or run certain grotesquely overfeatured PHP applications and never update them. My advice is, of course: Don't do that, then -- on any operating system.

Rick Moen
rick@linuxmafia.com

The Lupper worm

Posted Nov 12, 2005 0:29 UTC (Sat) by giraffedata (subscriber, #1954)

I see exactly three: input validation bugs in old versions of the PHP-coded third-party PHPXMLRPC library, plus input validation bugs in old versions of two Perl CGI scripts (AWstats and WebHints)

OK; the long list I saw was just various names for the same programs. Plus a fourth: "Includer".

The Lupper worm

Posted Nov 12, 2005 20:26 UTC (Sat) by rickmoen (subscriber, #6943)

giraffedata wrote:

OK; the long list I saw was just various names for the same programs. Plus a fourth: "Includer".

Good catch. I should have paid more attention to that list of files /tmp/lupii scans for in its scrutiny of one's Web document space, and less to the details of McAfee's analysis.

"The Includer" at http://www.smarterscripts.com/includer/ is, you'll not be surprised to hear, yet another buggy Perl CGI script ("free" but proprietary for lack of a real licence) with a really bad history of input validation bugs. Author's description: "The Includer will grab the content of any file and display it where you want with the use of a simple Javascript tag."

The Lupper worm

Posted Nov 17, 2005 8:55 UTC (Thu) by ggiunta (guest, #30983)

Sorry, but the extremely detailed analysis of the attack misses one crucial point: the php-xmlrpc vulnerability affects the PEAR xmlrpc package too (since both libs share the same ancestry), AND pear is installed by default with most recent php distributions, be they installed from source or as rpm (afaik pear uses xml-rpc to update itself, so the xmlrpc component is part of the core distribution).
In fact I am quite confident in saying that most major distros shipped updates to their PEAR packages to patch that hole. Of course those packages might have been part of some 'development' or 'extras' component, not installed when 'default' installs are chosen.

The Lupper worm

Posted Nov 17, 2005 9:38 UTC (Thu) by rickmoen (subscriber, #6943)

Data point: Your assertion lacks merit as to Debian, for starters: That implementation appears to be furnished by package phpgroupware-xmlrpc, which would NOT be "installed by default with PHP". This is judging by the text of relevant Debian Security Advisories (DSAs).

Second data point: RHEL4 appears to put that library in package php-pear, likewise not "installed by default with PHP". (Fedora and Mandriva, ditto.)

Third data point: Gentoo Linux appears to put that library in package dev-php/PEAR-XML_RPC, likewise not "installed by default with PHP".

Fourth data point: I cannot find a Slackware package of any sort that includes it. Maybe you'll have better luck - or maybe it isn't packaged.

Fifth data point: Ubuntu Linux appears to put that library in package php4-pear. Comments as before.

In short, PEAR xmlrpc (like PHPXMLRPC) appears to be a library you have to go quite a ways out of your way to install, if using common distros' package regimes -- entirely without regard to the thing's presence in the upstream PEAR collection.

Disclaimer: I'm no expert on this, in part because the very idea of implementing the xml-rpc network protocol in PHP makes me distinctly queasy. But I'd still love it if I got sent a dollar in token consulting fees every time someone sends me on a research wild-goose chase. ;-)

Rick Moen
rick@linuxmafia.com

The Lupper worm

Posted Nov 21, 2005 1:01 UTC (Mon) by ggiunta (guest, #30983)

Thanks for spending your time doing all this research and posting it here.
I hope it really is of help to "the community" (even though it is posted a bit late with regards to the actual exploit details publication date, the mere fact that the 'lupper worm', having been released so recently, is making victims is a clear indicator that there is a great need for education for linux sysadmins).
BTW: 'going out of your way' might not be such an uncommon practice, if all you want is to have up and running in a short time such unusual web apps as message boards, blogs or cms.
(please note that I'm not trying to pass the blame in any way onto the distro maintainers / kernel hackers. I was quite surprised too, when the exploit was revealed, to find out the sheer number of apps the lib had found its way into - and I am one of the maintainers...)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds