Over the past 7 days we have encountered 3216 events for ET WEB_SERVER Likely Malicious Request for /proc/self/environ. This signature covers a phase of a remote file inclusion attempt in which the attacker tries to obtain root-level access by using the last PID used by the server's creation of the /proc directories. Once the /proc/self directory has been created, the attacker could use it to execute files locally and spawn processes that download files remotely.

Let’s take a look at some examples of this in action.

1. http://testdomain.com/index.php?page=/proc/self/environ <== Error
2. http://testdomain.com/index.php?page=/proc/self/environ <== Error
3. http://testdomain.com/index.php?page=/proc/self/environ <== Error
4. http://testdomain.com/index.php?page=/proc/self/environ <== Error
5. http://testdomain.com/index.php?page=/proc/self/environ <== Error
6. http://testdomain.com/index.php?page=/proc/self/environ <== Error
7. http://testdomain.com/index.php?page=/proc/self/environ == Access

As you can see, after several attempts the attacker has found how far to traverse directories in order to reach the actual /proc/self/environ folder. Once that is known, an attacker can upload malicious code to this directory for local execution. As a workaround you can remount /proc with the nosuid flag, which prevents the setuid/setgid bits from having an effect on that file system. This workaround is the best practice because it secures the system against this particular type of vulnerability. Some distributions have already tightened these kinds of restrictions and help their users avoid these problems before they happen.
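As an added example (not part of the original post), here is a small Python triage script that applies the same check as the signature to web-server access logs: it percent-decodes each request URI, flags any that reach /proc/self/environ, records how many `../` steps each attempt used, and classifies each attempt as Error or Access from the HTTP status code, which reproduces the attempt-by-attempt view shown above. The log lines are constructed samples in Apache combined format, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Apache combined format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:55:37 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:55:38 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out source IP, request URI and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_uri(uri):
    # Decode twice so double-encoded traversal (%252E%252E) is also caught,
    # then fold backslashes and case so variants compare equal.
    return unquote(unquote(uri)).replace("\\", "/").lower()


def is_environ_request(uri):
    # Same condition the signature is looking for, applied after decoding.
    return "/proc/self/environ" in normalize_uri(uri)


def traversal_depth(uri):
    # Number of "../" steps the attacker used on this attempt.
    return normalize_uri(uri).count("../")


def analyze(log_text):
    """Return one record per /proc/self/environ request, classified as Error or Access."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_environ_request(m["uri"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "depth": traversal_depth(m["uri"]), "status": status,
                     "result": "Access" if status == 200 else "Error"})
    return hits


def sources_with_access(hits):
    # Source addresses that got a 200 back: these warrant immediate follow-up.
    return sorted({h["ip"] for h in hits if h["result"] == "Access"})


if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG):
        print(f'{h["ip"]} depth={h["depth"]} status={h["status"]} <== {h["result"]}')
```

A run over the sample input lists the three environ attempts from 203.0.113.5 with depths 3, 4 and 5, the last one marked Access; the benign request is ignored.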
