[Full-disclosure] Advisory 13/2005: Remote code execution in SysCP

From: Christopher Kunz (christopher.kunz_at_hardened-php.net)
Date: 08/08/05

    Date: Mon, 08 Aug 2005 12:35:46 +0200
    To: full-disclosure@lists.grok.org.uk
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                             Hardened PHP Project
                             www.hardened-php.net

                           -= Security Advisory =-

          Advisory: Remote code execution in SysCP
      Release Date: 2005/08/09
    Last Modified: 2005/08/08
            Author: Christopher Kunz <christopher.kunz@hardened-php.net>
       Application: SysCP 1.2.10 and prior
          Severity: Arbitrary remote code execution
              Risk: Critical
    Vendor Status: Vendor has released an updated version
        References: http://www.hardened-php.net/advisory_132005.64.html

    Overview:

        SysCP is a server management application, similar to the popular Confixx and
        CPanel products - but open source. It is deployed by several large German
        hosting and co-location companies and can be used for complete server
        administration, including web and database, FTP and mail servers, reseller
        access and more.
        With the PHP configuration flag "register_globals On" (which is still the
        case for a large installation base), a number of variables can be injected,
        leading to the execution of arbitrary remote code, which can also be
        included from a remote server. This can lead to backdooring of the server in
        question.
        SysCP needs the MySQL root password to perform some of its functionality, so
        attackers can very easily obtain this critical information from SysCP's
        configuration file.

    Details:

        During a rough scan through the SysCP source code, we found two
        possibilities to inject global variables via GET - experience shows that
        probably more occurrences exist.
        The first of these holes allows direct inclusion of remote PHP code with
        just one GET parameter. By setting the language to any value not existent
        in the SysCP installation, inclusion of a language file can be forced -
        there are no checks preventing a user-supplied path from being included.
        The second vulnerability allows passing curly brackets to SysCP's internal
        template engine, which then eval()s this expression. A string like
        {${phpinfo();}} would then be evaluated to the phpinfo() function, which
        would subsequently be executed.
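As an added example (not SysCP's code; the `*.lng.php` file naming and the `{$name}` placeholder syntax are assumptions), here is a hardened form of the two patterns the advisory describes: a language-file loader that reads its parameter explicitly and only includes files from an allowlist built from the installation, and a template renderer that resolves placeholders by lookup instead of eval().

```php
<?php
// Hardened language-file loader (added example, not SysCP code). The original
// relied on register_globals, so the query-string value reached include directly.
// Here the caller passes $_GET['language'] explicitly and the value is checked
// against the files that are actually installed, never used as a path itself.
function loadLanguageFile(string $langDir, string $requested): string
{
    // Only short lowercase identifiers such as "english" or "german" are accepted;
    // slashes, dots, colons or braces are rejected, so neither "http://..." nor
    // "../" can ever reach include.
    if (!preg_match('/^[a-z]{2,16}$/', $requested)) {
        $requested = 'english'; // safe default
    }
    // Build the allowlist from the installation (assumed *.lng.php naming).
    $available = [];
    foreach (glob(rtrim($langDir, '/') . '/*.lng.php') ?: [] as $file) {
        $available[basename($file, '.lng.php')] = $file;
    }
    if (!isset($available[$requested])) {
        if (!isset($available['english'])) {
            throw new RuntimeException('no language files installed');
        }
        $requested = 'english';
    }
    return $available[$requested]; // caller does: include $path;
}

// Template substitution without eval(): the original engine eval()ed the template,
// so a user-controlled "{${...}}" was executed as PHP. Here each {$name} placeholder
// (assumed syntax) is replaced by a lookup in $vars; anything else, including stray
// brace sequences in user data, is emitted as inert, HTML-escaped text.
function renderTemplate(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return ''; // unknown placeholder: drop it, never evaluate it
            }
            return htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed usage: a customer name shaped like the payload in the advisory is
// substituted as data, so nothing is evaluated.
echo renderTemplate('Hello {$name}', ['name' => '{${phpinfo();}}']), "\n";
```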

    Proof of Concept:

        Due to the sensitive nature of the vulnerability, the Hardened PHP Project
        is not going to release a proof of concept to the public.

    Disclosure Timeline:

        18. July 2005 - Initial vendor contact.
        23. July 2005 - PoC disclosed to vendor.
        04. August 2005 - Vendor has released updated version.
        09. August 2005 - public disclosure

    Recommendation:

        All of these vulnerabilities could have been mitigated by using our
        Hardening Patch for PHP [1], which includes protection against URL includes
        as well as eval() function protection.
        Apart from that, the vendor has released an updated version that
        addresses the issue [2].

    Plug:

        You can discuss this and other vulnerabilities in our forum at
        http://forum.hardened-php.net/ - an up-to-date list of advisories can be
        found at http://www.hardened-php.net/.

    Links:

        [1] http://www.hardened-php.net/downloads.13.html
        [2] http://www.syscp.de/forum/viewtopic.php?t=1772

    GPG-Key:

        http://www.hardened-php.net/hardened-php-signature-key.asc

        pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
        Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

    Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFC9zaIRDkUzAqGSqERArfZAKDXgmFdPQSONdLNXFNhMqApTYqUIwCgxzjb
    T/i48IH5hId5eOLuXvWaVY0=
    =KSeh
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

