Message-ID: <20030813083350.GE21446@felinemenace.org>
From: andrewg at felinemenace.org (andrewg@...inemenace.org)
Subject: PHP dlopen()

felinemenace.org

Program: PHP
Impact: Users who can supply scripts to be parsed can cause Apache to execute arbitrary code.
Discovered: Andrew Griffiths
Writeup and exploits: Andrew Griffiths

1) Background

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. For more information, see http://www.php.net

2) Description

If you can use the dlopen() function in PHP, you can do many interesting things to the Apache (or alternate web server's) process memory. The attached examples dump the process memory to /tmp (works for both Apache 1.x and Apache 2.x), and the other one simulates a defacement (works for Apache 1.x; due to return code handling, it doesn't work for Apache 2.x).

3) Notes

  [andrewg@...inemenace public_html]$ stat memdump.c
    File: "memdump.c"
    Size: 1357  Blocks: 4  IO Block: 1024  Regular File
  Device: be18h/48664d  Inode: 58662939  Links: 1
  Access: (0664/-rw-rw-r--)  Uid: ( 1002/ andrewg)  Gid: ( 1002/ andrewg)
  Access: Thu May 29 01:21:09 2003
  Modify: Thu May 29 01:21:10 2003
  Change: Thu May 29 01:21:10 2003

  gcc -c -o memdump.o memdump.c
  ld -shared -o /tmp/libby.so memdump.o

4) Mitigation

You can disable the dlopen function by listing it in the disable_functions parameter in the php.ini configuration file, or alternatively enable safe_mode in the php.ini configuration file.

5) Exploits

http://felinemenace.org/exploits/fm-php-memdump.c
http://felinemenace.org/exploits/fm-php-deface.c

Here is a challenge/interesting idea for some people to think about.
1) Write a shellcode (and a .so) that can "steal" an SSL private key from an application that utilizes OpenSSL, like, say, stunnel or programs like Apache :)

2) Could you hook the private key input function from Apache, and have it survive across apachectl restart?
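As an added example for the mitigation in section 4 (not part of the original post), a small audit script that reads a php.ini fragment and reports whether the function that loads shared objects is still reachable. It checks the two controls the post names (disable_functions and safe_mode) plus enable_dl, a php.ini directive the post does not mention; the two php.ini fragments are constructed samples.

```python
# Constructed php.ini fragments (not from the original post): the first leaves
# dl() reachable, the second applies the mitigation from section 4.
WEAK_INI = """\
; constructed sample: weak
safe_mode = Off
disable_functions =
enable_dl = On
"""

HARDENED_INI = """\
; constructed sample: hardened
safe_mode = Off
disable_functions = "dl, exec"  ; dl() is what loads the .so into the server process
enable_dl = Off
"""

TRUE_VALUES = {"1", "on", "yes", "true"}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_dl(text):
    """Return the controls that are missing for this php.ini; an empty list means all three are set."""
    s = parse_ini(text)
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    if "dl" not in disabled:
        findings.append("dl not listed in disable_functions")
    if s.get("safe_mode", "off").lower() not in TRUE_VALUES:
        findings.append("safe_mode is off")
    # enable_dl is not mentioned in the post; its historical default is On (assumption).
    if s.get("enable_dl", "on").lower() in TRUE_VALUES:
        findings.append("enable_dl is on")
    return findings


def dl_blocked(text):
    """True once at least one of the three controls prevents loading a shared object."""
    return len(audit_dl(text)) < 3
```

Any single control is enough to block the load; the audit lists every missing one so an administrator can see which of the three to set.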