From: andrewg at felinemenace.org (andrewg@...inemenace.org)
Subject: PHP dlopen() -> Fun with apache (and other

                     _,'|             _.-''``-...___..--';)
                     /_ \'.      __..-' ,      ,--...--'''
                    <\    .`--'''       `     /'
                    `-';'               ;   ; ;
               __...--''     ___...--_..'  .;.'
           fL (,__....----'''       (,..--''  felinemenace.org

Program: PHP
Impact: Users who can supply scripts to be parsed can cause apache to execute
        arbitrary code.
Discovered: Andrew Griffiths
Writeup and exploits: Andrew Griffiths

1) Background

        PHP is a widely-used general-purpose scripting language that is
        especially suited for Web development and can be embedded into HTML.

        For more information, see http://www.php.net

2) Description

        If you can use the dlopen() function in PHP, you can do many
        interesting things to the apache (or alternate web server's) process
        memory.

        Of the two attached examples, one dumps the process memory to /tmp
        (works for both apache 1.x and apache 2.x); the other simulates a
        defacement (works for apache 1.x only: because of how return codes are
        handled, it doesn't work for apache 2.x).

3) Notes

        [andrewg@...inemenace public_html]$ stat memdump.c
        File: "memdump.c"
        Size: 1357            Blocks: 4          IO Block: 1024   Regular File
        Device: be18h/48664d    Inode: 58662939    Links: 1
        Access: (0664/-rw-rw-r--)  Uid: ( 1002/ andrewg)   Gid: ( 1002/ andrewg)
        Access: Thu May 29 01:21:09 2003
        Modify: Thu May 29 01:21:10 2003
        Change: Thu May 29 01:21:10 2003

        gcc -c -o memdump.o memdump.c
        ld -shared -o /tmp/libby.so memdump.o

        Erm, originally I sent this encrypted. I lay the blame @ mutt and not
        giving me an option of not sending it encrypted, once I accidentally
        hit y to send and not p to change the option.

4) Mitigation

        You can disable the dlopen function by listing it in the
        disable_functions directive of the php.ini configuration file, or
        alternatively, enable safe_mode in the php.ini configuration file.
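        As an added illustration (not part of the original advisory), the
        php.ini settings below show the exposed default of that era beside
        the hardened values; the exact directive names are real php.ini
        directives, while the comments describing the default are my notes.

```ini
; Exposed (PHP 4.x-era php.ini-dist): dl() is reachable from any script,
; so a user who can get a script parsed loads native code into the
; web server process with the server's privileges.
;   enable_dl = On
;   disable_functions =
;   safe_mode = Off

; Hardened: refuse dynamic loading at the engine level ...
enable_dl = Off

; ... and also disable the function itself (comma-separated list; merge
; with any functions you already list, this line replaces the directive).
disable_functions = dl

; The advisory's alternative, safe_mode, blanket-restricts the engine;
; it was removed in PHP 5.4, so it only applies to older installations.
; safe_mode = On
```

        After restarting the web server, `php -i | grep -E 'enable_dl|disable_functions'`
        (or a phpinfo() page served by that SAPI) should show the new values.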

5) Exploits

        http://felinemenace.org/exploits/fm-php-memdump.c
        http://felinemenace.org/exploits/fm-php-deface.c

        Here is a challenge/interesting idea for some people to think about.

        1) Write a shellcode (and a .so) that can "steal" an SSL private key,
        from an application that utilizes OpenSSL, like, say, stunnel or
        programs like Apache :)

        2) Could you hook the private key input function from apache, and have
        it survive across apachectl restart?
