SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability

To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
From: Bernhard Mueller <research@xxxxxxxxxxxxxxx>
Date: Tue, 25 Oct 2005 22:24:54 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.7 (X11/20051022)

SEC-CONSULT Security Advisory 20051025-0
======================================================================
                  title: Snoopy Remote Code Execution Vulnerability
                program: Snoopy PHP Webclient
     vulnerable version: 1.2 and earlier
               homepage: http://snoopy.sourceforge.net
                  found: 2005-10-10
                     by: D. Fabian / SEC-CONSULT / www.sec-consult.com
======================================================================

vendor description:
---------------

Snoopy is a PHP class that simulates a web browser. It automates the
task of retrieving web page content and posting forms, for example.

Snoopy is used by various RSS parser, which are in turn used in a
whole bunch of applications like weblogs, content management systems,
and many more.


vulnerabilty overview:
---------------

Whenever an SSL protected webpage is requested with one of the many
Snoopy API calls, it calls the function _httpsrequest which takes
the URL as argument. This function in turn calls the PHP-function
exec with unchecked user-input. Using a specially crafted URL, an
attacker can supply arbitrary commands that are executed on the web
server with priviledges of the web user.

While the vulnerability can not be exploited using the Snoopy class
file itself, there may exist implementations which hand unchecked
URLs from users to snoopy.


proof of concept:
---------------

Consider the following code on a webserver:
--- code ---
<?
include "Snoopy.class.php";
$snoopy = new Snoopy;

$snoopy->fetch($_GET['url']);
echo "<PRE>\n";
print $snoopy->results;
echo "</PRE>\n";
?>
--- /code ---

Requesting this code with a manipulated URL results in execution
of arbitrary code (in this case "echo 'hello' > test.txt"). Please
consider the following url one line:

http://server/fetch.php?url=https://www.%22;+echo+'hello'+%3E+
test.txt


vulnerable versions:
---------------

It seems that version 1.2 as well as some prior versions are vulnerable
to the attack described above.

recommended fix:
---------------

Update to Snoopy version 1.2.1.


vendor status:
---------------
vendor notified: 2005-10-24
vendor response: 2005-10-24
patch available: 2005-10-24


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com

Follow-Ups:
- Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
  - From: Florian Weimer

Prev by Date: [SECURITY] [DSA 871-2] New libgda2 packages fix arbitrary code execution
Next by Date: iDEFENSE Security Advisory 10.24.05: SCO Openserver authsh 'Home' Buffer Overflow Vulnerability
Previous by thread: [SECURITY] [DSA 871-2] New libgda2 packages fix arbitrary code execution
Next by thread: Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
Index(es):
- Date
- Thread