Message-ID: <20030813083350.GE21446@felinemenace.org>
From: andrewg at felinemenace.org (andrewg@...inemenace.org)
Subject: PHP dlopen()
_,'| _.-''``-...___..--';)
/_ \'. __..-' , ,--...--'''
<\ .`--''' ` /'
`-';' ; ; ;
__...--'' ___...--_..' .;.'
fL (,__....----''' (,..--'' felinemenace.org
Program: PHP
Impact: Users who can supply scripts to be parsed can cause apache to execute
arbitrary code.
Discovered: Andrew Griffiths
Writeup and exploits: Andrew Griffiths
1) Background
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
For more information, see http://www.php.net
2) Description
If you can use the dlopen() function in PHP, you can do many
interesting things to the process memory of apache (or whichever other
web server is running PHP).
Two examples are attached: the first dumps the process memory to /tmp
(works for both apache 1.x and apache 2.x), and the second simulates a
defacement (works for apache 1.x only; due to return code handling it
doesn't work for apache 2.x).
3) Notes
[andrewg@...inemenace public_html]$ stat memdump.c
File: "memdump.c"
Size: 1357 Blocks: 4 IO Block: 1024 Regular File
Device: be18h/48664d Inode: 58662939 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1002/ andrewg) Gid: ( 1002/ andrewg) Access: Thu May 29 01:21:09 2003
Modify: Thu May 29 01:21:10 2003
Change: Thu May 29 01:21:10 2003
gcc -c -o memdump.o memdump.c
ld -shared -o /tmp/libby.so memdump.o
4) Mitigation
You can disable the dlopen function by listing it in the disable_functions
parameter in the php.ini configuration file, or alternatively, enable
safe_mode in the php.ini configuration file.
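As an added check (not part of the advisory or its exploits), the script below reports whether a PHP instance still exposes the shared-object loader to scripts. In PHP userland that loader is the dl() function; the php.ini directives it inspects (enable_dl, disable_functions, extension_dir) are real directives, and the script assumes PHP 7 or later, where safe_mode no longer exists.

```php
<?php
// Added configuration check, not part of the advisory or its exploits.
// Reports whether this PHP instance still lets a script load a shared
// object via dl(), the userland name of the loader the advisory calls
// dlopen(). Assumes PHP 7 or later (safe_mode was removed in PHP 5.4).
//
// Hardened php.ini settings this script verifies:
//   enable_dl = Off
//   disable_functions = dl
function dl_exposure_report(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $enableDl = filter_var(ini_get('enable_dl'), FILTER_VALIDATE_BOOLEAN);
    $report = [
        'sapi'                    => PHP_SAPI,
        'enable_dl'               => $enableDl,
        'dl_in_disable_functions' => in_array('dl', $disabled, true),
        // function_exists() is false once dl is listed in disable_functions
        'dl_callable'             => function_exists('dl'),
        // directory dl() resolves bare extension names against
        'extension_dir'           => (string) ini_get('extension_dir'),
    ];
    // The loader is reachable from a script only while dl() is still callable
    // and enable_dl is on. Recent PHP releases additionally restrict dl() to
    // the CLI, CGI and embed SAPIs, so run this under every SAPI you expose.
    $report['loader_reachable'] = $report['dl_callable'] && $enableDl;
    return $report;
}

foreach (dl_exposure_report() as $key => $value) {
    printf("%-24s %s\n", $key, var_export($value, true));
}
```

Because disable_functions and enable_dl can be set per SAPI (and enable_dl only in php.ini, not at runtime), run the script once through the web server and once from the CLI and compare the two reports.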
5) Exploits
http://felinemenace.org/exploits/fm-php-memdump.c
http://felinemenace.org/exploits/fm-php-deface.c
Here is a challenge/interesting idea for some people to think about.
1) Write a shellcode (and a .so) that can "steal" an SSL private key,
from an application that utilizes OpenSSL, like, say, stunnel or
programs like Apache :)
2) Could you hook the private key input function from apache, and have
it survive across apachectl restart?