[Full-disclosure] Advisory 15/2005: PHPXMLRPC Remote PHP Code Injection Vulnerability

From: Stefan Esser (sesser_at_hardened-php.net)
Date: 08/15/05

  • Next message: Mike: "[Full-disclosure] Virus Outbreak Attacking MS05-039 WIN2K"
    Date: Mon, 15 Aug 2005 14:40:10 +0200
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                            Hardened-PHP Project
                            www.hardened-php.net

                          -= Security Advisory =-

         Advisory: PHPXMLRPC Remote PHP Code Injection Vulnerability
     Release Date: 2005/08/15
    Last Modified: 2005/08/15
           Author: Stefan Esser [sesser@hardened-php.net]

      Application: PHPXMLRPC <= 1.1.1
         Severity: A malformed XMLRPC request can result in execution
                   of arbitrary injected PHP code
             Risk: Critical
    Vendor Status: Vendor has released an updated version
       References: http://www.hardened-php.net/advisory_152005.67.html

    Overview:

       PHPXMLRPC is the successor of Useful Inc's XML-RPC for PHP, which
       is a PHP implementation of the XML-RPC protocol.
       
       After Gulftech released their PHP code injection advisory at the
       end of June 2005 we scheduled the code for an audit from our side.
       Unfortunately we were able to find another vulnerability in the
       XML-RPC libraries that allows injection of arbitrary PHP code
       into eval() statements.
       
       Unlike the last vulnerability this is not caused by wrongly
       implemented escaping of the user input, but by improper handling
       of XMLRPC requests and responses that are malformed in a certain
       way.

       To get rid of this and future eval() injection vulnerabilities, the
       Hardened-PHP Project has, together with the maintainers of both
       libraries, developed a fix that completely eliminates the use of
       eval() from the library.

    Details:

       When the library parses XMLRPC requests/responses, it constructs
       a string of PHP code that is later evaluated. This means any
       failure to properly handle the construction of this string can
       result in execution of arbitrary PHP code.
       
       In late June a problem was discovered: certain XML tags were
       using single quotes around embedded user input, and single quotes
       were not escaped. This allowed a typical injection attack. While
       all these escaping problems were believed to be fixed, I was able
       to find another problem that allows injection of arbitrary code.
       
       This new injection vulnerability is caused by not properly handling
       the situation in which certain XML tags are nested in the parsed
       document that were never meant to be nested at all. This can be
       easily exploited in a way that places user input outside of the
       string delimiters within the evaluation string, which obviously
       results in arbitrary code execution.
       
       Therefore we have added an XML tag nesting verification to the
       code and additionally removed all calls to eval(). The resulting
       patch eliminates the current hole and the possibility of future
       eval() holes. Additionally this means that from the diff between
       a vulnerable and a non-vulnerable version it is not easily
       possible to find the position of the flaw.
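
       The eval()-free construction and the tag-nesting check described
       above, shown as an added example that is not part of this advisory
       or of the PHPXMLRPC patch: a small XML-RPC decoder that builds the
       PHP value tree directly with ext/xml, so element text is only ever
       data, and that rejects any tag whose parent the XML-RPC grammar
       does not permit. The class name, the parent-to-child table and the
       two sample documents are constructed for illustration and assume
       PHP 7.4 or later; the malformed sample (a <value> inside <string>)
       is a generic grammar violation, not the trigger this advisory
       withholds.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPXMLRPC's own code (assumes PHP 7.4+ with ext/xml). Element text
// is never turned into PHP source: it only ever lands in a PHP array, and a parent->child
// table rejects tags nested where the XML-RPC grammar does not allow them (fail closed).
final class SafeXmlRpcDecoder
{
    private const TEXTUAL = ['i4', 'int', 'boolean', 'double', 'string', 'dateTime.iso8601', 'base64',
                             'name', 'methodName', 'value'];        // elements allowed to carry text
    private const CHILDREN = [                                      // '' is the document root
        '' => ['methodCall', 'methodResponse'], 'methodCall' => ['methodName', 'params'],
        'methodResponse' => ['params', 'fault'], 'params' => ['param'], 'param' => ['value'], 'fault' => ['value'],
        'value' => ['i4', 'int', 'boolean', 'double', 'string', 'dateTime.iso8601', 'base64', 'array', 'struct'],
        'array' => ['data'], 'data' => ['value'], 'struct' => ['member'], 'member' => ['name', 'value'],
    ];
    private array $frames = [];      // one frame per open element: tag, text, val, set, items, name
    private ?array $result = null;
    private ?string $error = null;

    public static function decode(string $xml): array
    {
        $d = new self();
        $p = xml_parser_create('UTF-8');
        xml_parser_set_option($p, XML_OPTION_CASE_FOLDING, 0);   // keep tag names as written
        xml_set_element_handler($p, [$d, 'open'], [$d, 'close']);
        xml_set_character_data_handler($p, [$d, 'text']);
        $xmlError = xml_parse($p, $xml, true) ? null : xml_error_string(xml_get_error_code($p));
        xml_parser_free($p);
        $err = $d->error ?? $xmlError ?? ($d->result === null ? 'no XML-RPC document' : null);
        if ($err !== null) { throw new RuntimeException($err); }
        return $d->result;
    }
    public function open($parser, string $tag, array $attrs): void
    {
        if ($this->error !== null) { return; }
        $parent = $this->frames ? $this->frames[array_key_last($this->frames)]['tag'] : '';
        if (!in_array($tag, self::CHILDREN[$parent] ?? [], true)) {   // the nesting check
            $this->error = "<$tag> is not allowed inside <" . ($parent ?: 'document') . ">"; return;
        }
        $this->frames[] = ['tag' => $tag, 'text' => '', 'val' => null, 'set' => false, 'items' => [], 'name' => null];
    }
    public function text($parser, string $data): void
    {
        if ($this->error === null && $this->frames !== []) {
            $this->frames[array_key_last($this->frames)]['text'] .= $data;   // expat may deliver chunks
        }
    }
    public function close($parser, string $tag): void
    {
        if ($this->error !== null) { return; }
        $f = array_pop($this->frames); $t = $f['text'];
        if (!in_array($tag, self::TEXTUAL, true) && trim($t) !== '') { $this->error = "unexpected text in <$tag>"; return; }
        if ($this->frames === []) {                // root element closed: assemble the result
            $this->result = $tag === 'methodCall'
                ? ['methodName' => $f['name'], 'params' => $f['items']]
                : ['params' => $f['items'], 'fault' => $f['set'] ? $f['val'] : null];
            return;
        }
        $p = &$this->frames[array_key_last($this->frames)];   // the parent frame
        switch ($tag) {
            case 'i4': case 'int': case 'double': case 'boolean':
                $s = trim($t);
                $ok = $tag === 'boolean' ? in_array($s, ['0', '1'], true)
                    : ($tag === 'double' ? is_numeric($s) : preg_match('/^[+-]?\d+$/', $s) === 1);
                if (!$ok) { $this->error = "malformed <$tag>"; return; }
                $this->put($p, $tag === 'boolean' ? $s === '1' : ($tag === 'double' ? (float) $s : (int) $s)); break;
            case 'string': $this->put($p, $t); break;                 // quotes, \ and $ are just bytes
            case 'dateTime.iso8601': case 'base64': $this->put($p, trim($t)); break;   // left as text for the caller
            case 'name': case 'methodName': $p['name'] = trim($t); break;
            case 'value':                                             // untyped <value> is a string
                if ($f['set'] && trim($t) !== '') { $this->error = 'text beside a typed value'; return; }
                $v = $f['set'] ? $f['val'] : $t;
                if ($p['tag'] === 'data') { $p['items'][] = $v; } else { $this->put($p, $v); } break;
            case 'member':
                if ($f['name'] === null || !$f['set']) { $this->error = 'incomplete <member>'; return; }
                $p['items'][$f['name']] = $f['val']; break;
            case 'param': case 'fault':
                if (!$f['set']) { $this->error = "empty <$tag>"; return; }
                if ($tag === 'param') { $p['items'][] = $f['val']; } else { $this->put($p, $f['val']); } break;
            case 'struct': case 'array': $this->put($p, $f['items']); break;   // both become PHP arrays
            case 'data': case 'params': $p['items'] = $f['items']; break;
        }
    }
    private function put(array &$p, $v): void          // a container holds exactly one value
    {
        if ($p['set']) { $this->error = "more than one value inside <{$p['tag']}>"; return; }
        $p['val'] = $v; $p['set'] = true;
    }
}

// Constructed samples, not from the advisory. The second nests <value> inside <string>, a
// grammar violation the table rejects before any value is built.
$good = '<methodCall><methodName>demo.add</methodName><params><param><value><i4>40</i4></value></param>'
      . '<param><value><struct><member><name>note</name><value>it\'s "quoted"; \\ and $x</value></member></struct></value></param></params></methodCall>';
var_export(SafeXmlRpcDecoder::decode($good));
$bad = '<methodCall><methodName>m</methodName><params><param><value><string><value>x</value></string></value></param></params></methodCall>';
try { SafeXmlRpcDecoder::decode($bad); } catch (RuntimeException $e) { echo "\nrejected: ", $e->getMessage(), "\n"; }
```

       Run it with the php command-line binary. The characters that
       mattered in the June escaping bug (quotes, backslashes, dollar
       signs) are stored unchanged as string data, and a tag that appears
       where the grammar does not allow it is reported from the
       start-element handler before any value has been assembled, so the
       "input outside the string delimiters" condition has no code string
       to land in.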
       

    CVE Information:

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CAN-2005-2498 to this vulnerability.
          
          
    Proof of Concept:

       The Hardened-PHP Project is not going to release an exploit for
       this vulnerability to the public.

    Disclosure Timeline:

       22. July 2005 - Contact with both library vendors established.
                         Issue is discussed and a patch that eliminates
                         the use of eval() is developed, improved and
                         tested.
       12. August 2005 - Affected applications are contacted and asked
                         for beta test of the patches.
       14. August 2005 - Vendors release bugfixed versions, after
                         information about this vulnerability leaked
                         through one of the affected applications to
                         the public.
       15. August 2005 - Public disclosure

    Recommendation:

       We strongly recommend upgrading to the vendor-supplied new
       version, which completely eliminates all calls to eval().
          
          PHPXMLRPC 1.2
          http://prdownloads.sourceforge.net/phpxmlrpc/xmlrpc.1.2.tgz?download
          

    GPG-Key:

       http://www.hardened-php.net/hardened-php-signature-key.asc

       pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
       Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

    Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFDAJGHRDkUzAqGSqERAjWBAKCQehbqKzLA8nN6TcP52YxlQE927gCfQM/0
    vUqqDUP8behCGxMbaz4QwHQ=
    =IDCZ
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
