http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/

Did you enjoyed our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and highlight new ways to evade filters using some path normalization issues. Have a nice reading!

PHP filesystem attack vectors - Take Two

 Name              PHP filesystem attack vectors - Take Two

 Systems Affected  PHP and PHP+Suhosin

 Vendor            http://www.php.net/

 Advisory          http://www_ush_it/team/ush/hack-phpfs/phpfs_mad_2.txt

 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)

                   Antonio "s4tan" Parata (s4tan AT ush DOT it)

                   Francesco "ascii" Ongaro (ascii AT ush DOT it)

                   Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)

 Date              20090725

I)    Introduction

II)   PHP arbitrary Local File Inclusion testing

III)  PHP arbitrary Local File Inclusion results

IV)   PHP arbitrary File Open testing

V)    PHP arbitrary File Open results

VI)   PHP arbitrary Remote File Upload testing

VII)  PHP arbitrary Remote File Upload results

VIII) Conclusions

IX)   References

I) Introduction

This is the second part and continuation of our previous "PHP filesystem

attack vectors" [1] research.

Working with s4tan and ascii on the "SugarCRM 5.2.0e Remote Code

Execution" advisory [2] we noticed a strange behaviour on Windows OS:

trying to upload a file named "a.php." results in just "a.php".

Analyzing this we noticed that every time an application, or manually,

was trying to open or save a file with one ore more dots at the end,

Windows was not denying the operation, but it was removing the dots in a

transparent way.

Mindful readers probably have already spotted the issue.

We wanted to take our time for a deeper investigation about what

normalization issues were available and how to take advantage of them

in order to exploit arbitrary local file inclusion/handling and uploads

functionalities (not only on Windows OS but also on GNU/Linux and *BSD).

Below you can find the sources of two simple "academic" fuzzers, later

results are discussed and finally POCs and conclusions are proposed.

II) PHP arbitrary Local File Inclusion testing

This tests include(), include_once(), require(), require_once() and

similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

alfi_fuzzer.php:

<?php

error_reporting(0);

$InterestingFile = "test_alfi.php";

$fh = @fopen($InterestingFile, 'w+');

fwrite($fh, "<?php ?>");

fclose($fh);

for ($i = 1; $i < 256; $i++) {

 $chri = chr($i);

 for ($j = 0; $j < 256; $j++) {

  $chrj = chr($j);

  for ($k = 0; $k < 256; $k++) {

    $chrk = chr($k);

    if($chri.$chrj.$chrk == '://') continue;

    if ($j == 0) $FuzzyFile = $InterestingFile.$chri;

    else if ($k == 0) $FuzzyFile = $InterestingFile.$chri.$chrj;

    else $FuzzyFile = $InterestingFile.$chri.$chrj.$chrk;

    if(include($FuzzyFile)) {

        print($i." ".$j." ".$k." [".$FuzzyFile."]\n");

        fclose($fh);

    }

    if($j == 0) break;

  }

 }

}

unlink($InterestingFile);

?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Note: This code and the one that will be presented in section IV only

makes use of chars from the ASCII extended table (256 chars) to limit the

combinations because our intent was to test not only a malicious ending

char but a whole ending "extension" of 3 bytes.

A better fuzzer would include UTF-8. In the test we also do not

consider \x00, because this vector is already known [3, 4].

III) PHP arbitrary Local File Inclusion results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ php alfi_fuzzer.php

47 46 46 [test_alfi.php/.]

47 47 47 [test_alfi.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ php alfi_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ php alfi_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

C:\PHPFS_MAD2> php alfi_fuzzer.php

! Valid chars are: \x20 ( ), \x22 ("), \x2E (.), \x3C (<), \x3E (>)

! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

C:\PHPFS_MAD2> php alfi_fuzzer.php

! Valid chars are: \x20 ( ), \x22 ("), \x2E (.), \x3C (<), \x3E (>)

! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

IV) PHP arbitrary File Open testing

This tests fopen() and similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

afo_fuzzer.php:

<?php

error_reporting(0);

$MaliciousFile = "test_afo.php";

for ($i = 1; $i < 256; $i++) {

 $chri = chr($i);

 for ($j = 0; $j < 256; $j++) {

  $chrj = chr($j);

  for ($k = 0; $k < 256; $k++) {

    if ($j == 0) $FuzzyFile = $MaliciousFile.$chri;

    else if ($k == 0) $FuzzyFile = $MaliciousFile.$chri.$chrj;

    else $FuzzyFile = $MaliciousFile.$chri.$chrj.chr($k);

    $fh = @fopen($FuzzyFile, 'w+');

    if ($fh != FALSE) {

        fwrite($fh, $FuzzyFile);

        fclose($fh);

        if (file_exists($MaliciousFile)) {

            if ($j == 0) print($i." ");

            else if ($k == 0) print($i." ".$j." ");

            else $FuzzyFile = print($i." ".$j." ".$k." ");

            print("[".file_get_contents($MaliciousFile)."]\n");

            unlink($MaliciousFile);

        } else

            unlink($FuzzyFile);

    }

    if($j == 0)

        break;

  }

 }

}

?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

V) PHP arbitrary File Open Fuzzer results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ php afo_fuzzer.php

47 46 [test_afo.php/.]

47 47 46 [test_afo.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ php afo_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ php afo_fuzzer.php

47 46 [test_afo.php/.]

47 47 46 [test_afo.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

C:\PHPFS_MAD2> php afo_fuzzer.php

! Valid chars are: \x2E (.), \x2F (/), \x5C (\)

! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

C:\PHPFS_MAD2> php afo_fuzzer.php

! Valid chars are: \x2E (.), \x2F (/), \x5C (\)

! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VI) PHP arbitrary Remote File Upload testing

This tests move_uploaded_file() and similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

upload.php:

<?php

error_reporting(0);

$MaliciousFile = "evil.php";

if (isset($_GET['fuzzy'])) {

  $FuzzyDestination = $MaliciousFile.$_GET['fuzzy'];

  move_uploaded_file($_FILES['userfile']['tmp_name'], $FuzzyDestination);

  printf($FuzzyDestination);

  if (file_exists($MaliciousFile)) {

          echo "SUCCESS";

          unlink($MaliciousFile);

          exit();

  } else {

          unlink($FuzzyDestination);

  }

}

echo "FAIL";

?>

arfu_fuzzer.sh:

#!/bin/bash

touch "uploadtest.txt"

url="http://127.0.0.1/uploads/upload.php?fuzzy="

for i in {1..255}; do

 xi="%`printf %02x $i`"

 for j in {0..255}; do

  xj="%`printf %02x $j`"

  for k in {0..255}; do

   xk="%`printf %02x $k`"

   ext="$xi$xj$xk"

   [ $k -eq 0 ] && ext="$xi$xj"

   [ $k -eq 0 ] && [ $j -eq 0 ] && ext="$xi"

   response=`curl -kis -F "userfile=@uploadtest.txt;" $url$ext | grep

SUCCESS | wc -l`

   if [ "$response" == "1" ]; then

     echo "Found: $i $j $k -> ($ext)";

   fi

   [ $j -eq 0 ] && break

  done

 done

done

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VII) PHP arbitrary Remote File Upload results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 0 0 -> (/)

FOUND: 47 46 0 -> (/.)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 0 0 -> (/)

FOUND: 47 46 0 -> (/.)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 46 0 -> (/.)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

PHPFS_MAD2 $ sh test_arfu.sh

[ All the combinations of (space), ., /, \ are valid ones. ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

PHPFS_MAD2 $ sh test_arfu.sh

[ All the combinations of (space), ., /, \ are valid ones. ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VIII) Conclusions

We found that it's possible to take advantage of filename normalization

routines in order to bypass common web application security routines,

detailed below:

- On GNU/Linux both (include|require)(_once)? functions will convert

  "foo.php" followed by one or more sequences of \x2F (/) and \x2E (.)

  back to "foo.php".

  This does not work if Suhosin patch is applied.

- On GNU/Linux the fopen function will convert "foo.php" followed by one

  or more sequences of \x2F (/) and \x2E (.) back to "foo.php".

  This does not work if Suhosin patch is applied.

- On GNU/Linux move_uploaded_file function will convert "foo.php"

  followed by one or more sequences of \x2F (/) and \x2E (.) back to

  "foo.php".

  This does work anyway *also* if Suhosin patch is applied.

- On FreeBSD the fopen function will convert "foo.php" followed by one

  or more sequences of \x2F (/) and \x2E (.) back to "foo.php".

  This does work anyway *also* if Suhosin patch is applied.

  Suhosin is shipped in the the default install.

- On FreeBSD the move_uploaded_file function will convert "foo.php"

  followed by one or more sequences of \x2F (/) and \x2E (.) back to

  "foo.php".

  This does work anyway *also* if Suhosin patch is applied.

  Suhosin is shipped in the the default install.

- On Windows OS both (include|require)(_once)? functions will convert

  "foo.php" followed by one or more of the chars \x20 ( ), \x22 ("),

  \x2E (.), \x3C (<), \x3E (>) back to "foo.php".

- On Windows OS the fopen function will convert "foo.php" followed by

  one or more of the chars \x2E (.), \x2F (/), \x5C (\) back to

  "foo.php".

- On Windows OS move_uploaded_file function will convert "foo.php"

  followed by one or more of the chars \x2E (.), \x2F (/), \x5C (\)

  back to "foo.php".

  We have observed that some particular strings like "foo.php./" or

  "foo.php.\" force Windows to create a file called "foo.php.". It

  seems that Windows' functions do not contemplate the existence of

  a file with dots at the end (perhaps Windows hackers can better

  comment on this).

  All functions on that file will fail their attempt, so that it's not

  possible to easily delete or rename that file (one has to do del *

  or similiar).

IX) References

[1] http://www_ush_it/2009/02/08/php-filesystem-attack-vectors/

    http://www_ush_it/team/ush/hack-phpfs/phpfs_mad.txt

[2] http://www_ush_it/team/ush/hack-sugarcrm_520e/adv.txt

[3] http://www.securiteam.com/securitynews/5FP0C0KJPQ.html

[4] http://ha.ckers.org/blog/20060914/php-vulnerable-to-null-byte-injection/

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Credits (Out of band)

This article has been bought to you by the ush.it team. Giovanni

"evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco "ascii"

Ongaro are the ones who spent most hours on it with the precious help

of Alessandro "Jekil" Tanasi, Florin "Slippery" Iamandi and many other

friends.

Giovanni "evilaliv3" Pellerano

web site: http://www_ush_it/, http://www.evilaliv3.org/

mail: evilaliv3 AT ush DOT it

Antonio "s4tan" Parata

web site: http://www_ush_it/

mail: s4tan AT ush DOT it

Francesco "ascii" Ongaro

web site: http://www_ush_it/

mail: ascii AT ush DOT it

Alessandro "jekil" Tanasi

web site: http://www.tanasi.it/

mail: alessandro AT tanasi DOT it

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Legal Notices

Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert

electronically. It may not be edited in any way without mine express

written consent. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically,

please email me for permission.

Disclaimer: The information in the article is believed to be accurate

at the time of publishing based on currently available information. Use

of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the

author nor the publisher accepts any liability for any direct, indirect,

or consequential loss or damage arising from use of, or reliance on,

this information.

PHP filesystem attack vectors - Take Two的更多相关文章

  1. PHP filesystem attack vectors

    http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ On Apr 07, 2008 I spoke with Kuza55 and ...

  2. XML External Entity attack

    解析外部xml给本地带来的安全隐患. https://en.wikipedia.org/wiki/XML_external_entity_attack An XML External Entity ( ...

  3. (转) [it-ebooks]电子书列表

    [it-ebooks]电子书列表   [2014]: Learning Objective-C by Developing iPhone Games || Leverage Xcode and Obj ...

  4. PatentTips - Hardware virtualization such as separation kernel hypervisors

    BACKGROUND 1. Field Innovations herein pertain to computer virtualization, computer security and/or ...

  5. A Study of WebRTC Security

    转自:http://webrtc-security.github.io/ A Study of WebRTC Security Abstract Web Real-Time Communication ...

  6. Java开源框架推荐(全)

    Build Tool Tools which handle the buildcycle of an application. Apache Maven - Declarative build and ...

  7. ASP.NET 4.0 potentially dangerous Request.Form value was detected

    A few days ago, while working on an ASP.NET 4.0 Web project, I got an issue. The issue was, when use ...

  8. backtrack5渗透 笔记

    目录        1.信息收集        2.扫描工具        3.漏洞发现        4.社会工程学工具        5.运用层攻击msf        6.局域网攻击       ...

  9. Metasploit 笔记

    目录一.名词解释···································································· 3二.msf基础··············· ...

随机推荐

  1. $(function(){})与window.onload的区别

    不太一样window.onload是在页面所有的元素都加载完成后才触发$(function(){})是在页面的dom结构加载完毕后就触发 dom里的内容不一定都已经加载完成比如说一个页面有好多图片 而 ...

  2. 【转】使用jquery animate创建平滑滚动效果

    这篇文章主要介绍了使用jquery animate创建平滑滚动效果,效果可以滚动到顶部.到底部或页面中指定地方,生要的是非常平滑,很舒服,需要的朋友可以参考下 滚动到顶部: $('.scroll_to ...

  3. LoadRunner Pacing设置(转)

    转载的,备读 在 LoadRunner 的运行场景中,有一个不大起眼的设置,可能经常会被很多人忽略,它就是Pacing .具体设置方式为: Run-Time settings à General à ...

  4. UVA 12232 Exclusive-OR(并查集+思想)

    题意:给你n个数,接着三种操作: I p v :告诉你 Xp = v I p q v :告诉你 Xp ^ Xq = v Q k p1 p2 … pk:问你k个数连续异或的结果 注意前两类操作可能会出现 ...

  5. 查看mysql的安装信息

    查看mysql的安装信息: #ps -ef | grep mysql usr/bin/mysql 是指:mysql的运行路径 var/lib/mysql 是指:mysql数据库文件的存放路径 usr/ ...

  6. python图像卷积

    import cv2import numpy as np #filier 2Dsavepath = "E:\\"image = cv2.imread('E:\\me.jpg');c ...

  7. 自定义 ActionBar 标题与菜单中的文字样式

    自定义标题文字样式 标题样式是 ActionBar 样式的一部分,所以要先定义 ActionBar 的样式 <style name="AppTheme" parent=&qu ...

  8. iOS之04-方法的声明和实现

    本次重点学习和理解OC对象方法的声明和定义 代码: /* 计算器类 方法: 1> 返回 π 2> 计算某个整数的平方 3> 计算两个整数的和 */ #import <Found ...

  9. 到底AR初创公司Magic Leap是不是骗子?我看未必

    AR技术和VR技术在今年的发展可谓是日新月异,眼看年末已至,不成想却出现了大新闻.最炙手可热的神秘AR初创公司Magic Leap被硅谷付费媒体The Information(付费读者大多为硅谷资深投 ...

  10. 如何终止java线程

    http://blog.csdn.net/anhuidelinger/article/details/11746365 终止线程的三种方法 有三种方法可以使终止线程. 1.  使用退出标志,使线程正常 ...