[Full-Disclosure] PHP dlopen() -> Fun with apache (and other

andrewg_at_felinemenace.org
Date: 08/13/03

    To: full-disclosure@lists.netsys.com
    Date: Wed, 13 Aug 2003 03:39:28 -0700

                         _,'| _.-''``-...___..--';)
                         /_ \'. __..-' , ,--...--'''
                        <\ .`--''' ` /'
                        `-';' ; ; ;
                   __...--'' ___...--_..' .;.'
               fL (,__....----''' (,..--'' felinemenace.org

    Program: PHP
    Impact: Users who can supply scripts to be parsed can cause apache to execute
            arbitrary code.
    Discovered: Andrew Griffiths
    Writeup and exploits: Andrew Griffiths

    1) Background

            PHP is a widely-used general-purpose scripting language that is
            especially suited for Web development and can be embedded into HTML.

            For more information, see http://www.php.net

    2) Description

            If you can use the dlopen() function in PHP, you can do many
            interesting things to the apache (or alternate web server's) process
            memory.

            Of the two attached examples, one dumps the process memory to /tmp
            (works for both apache 1.x and apache 2.x), and the other simulates a
            defacement (works for apache 1.x; due to return code handling it
            doesn't work for apache 2.x).

    3) Notes

            [andrewg@felinemenace public_html]$ stat memdump.c
            File: "memdump.c"
            Size: 1357 Blocks: 4 IO Block: 1024 Regular File
            Device: be18h/48664d Inode: 58662939 Links: 1
            Access: (0664/-rw-rw-r--) Uid: ( 1002/ andrewg) Gid: ( 1002/ andrewg) Access: Thu May 29 01:21:09 2003
            Modify: Thu May 29 01:21:10 2003
            Change: Thu May 29 01:21:10 2003

            gcc -c -o memdump.o memdump.c
            ld -shared -o /tmp/libby.so memdump.o

            Erm, originally I sent this encrypted. I lay the blame @ mutt and not
            giving me an option of not sending it encrypted, once I accidentally
            hit y to send and not p to change the option.

    4) Mitigation

            You can disable the dlopen function by utilising the disable_functions
            parameter in the php.ini configuration file, or alternatively, enable
            safe_mode in the php.ini configuration file.
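            An added example (not part of the original advisory) that audits a
            php.ini fragment for the two mitigations above. The PHP function that
            loads a shared object into the server process is dl(), so that is the
            name disable_functions must list; both ini fragments are constructed
            samples, and the parser is a deliberately small one for php.ini-style
            "key = value" lines.

```python
"""Audit a php.ini for the two mitigations named in the advisory."""

# Constructed sample: the weak form, nothing disabled and safe_mode off.
WEAK_INI = """
[PHP]
; defaults from a stock install
disable_functions =
safe_mode = Off
"""

# Constructed sample: the hardened form, which blocks dl() (PHP's extension
# loader, the function the advisory calls dlopen()) and enables safe_mode.
HARDENED_INI = """
[PHP]
disable_functions = dl,exec,system   ; dl is the one that matters here
safe_mode = On
"""

TRUE_VALUES = {"on", "1", "true", "yes"}


def parse_php_ini(text):
    """Return {key: value} for 'key = value' lines; ';' comments and
    [section] headers are ignored, keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text):
    """Report whether dl() is disabled, whether safe_mode is on, and whether
    either mitigation from the advisory is therefore in place."""
    s = parse_php_ini(text)
    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    safe_mode = s.get("safe_mode", "off").lower() in TRUE_VALUES
    return {
        "dl_disabled": "dl" in disabled,
        "safe_mode": safe_mode,
        "mitigated": "dl" in disabled or safe_mode,
    }


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_INI))
    print("hardened:", audit(HARDENED_INI))
```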

    5) Exploits

            http://felinemenace.org/exploits/fm-php-memdump.c
            http://felinemenace.org/exploits/fm-php-deface.c

            Here is a challenge/interesting idea for some people to think about.

            1) Write a shellcode (and a .so) that can "steal" an SSL private key,
            from an application that utilizes OpenSSL, like, say, stunnel or
            programs like Apache :)

            2) Could you hook the private key input function from apache, and have
            it survive across apachectl restart?

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

