[UNIX] phpSysInfo Multiple Vulnerabilities (HTTP_ACCEPT_LANGUAGE, sensor_program, VERSION, charset)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/14/05

  • Next message: SecuriTeam: "[UNIX] VERITAS Storage Foundation Buffer Overflow" 
    To: list@securiteam.com
Date: 14 Nov 2005 16:29:59 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      phpSysInfo Multiple Vulnerabilities (HTTP_ACCEPT_LANGUAGE, sensor_program,
    VERSION, charset)
    ------------------------------------------------------------------------

    SUMMARY

     <http://phpsysinfo.sourceforge.net/> phpSysInfo is a PHP script that
    displays information about the host being accessed. It will displays
    things like Uptime, CPU, Memory, SCSI, IDE, PCI, Ethernet, Floppy, and
    Video Information. A number of holes - all of them attributed to a rather
    crude (and unneeded) register_globals emulation - allow for arbitrary file
    inclusion, amongst other things.

    Multiple vulnerabilities have been discovered in phpSysInfo allowing
    attackers to cause the program to reveal sensitive files and include
    arbitrary HTML and/or JavaScript.

    DETAILS

    It is important to note that due to the nature of phpSysInfo, it is
    unlikely to be run inside an open_basedir, since most of the information
    the software obtains is from the /proc or /etc directories. Furthermore,
    few administrators will restrict its access to PHP's shell functions,
    since a such restriction would render the software unusable. In fact, the
    author requires that safe_mode be set to Off and no other restrictions be
    imposed on the PHP installation.

    A hole that was reported in CVE-2003-0536 and is reported as "fixed" in
    the phpSysInfo README still persists. The reason for this problem lies in
    the incorrect handling of variables by the "globalization layer"
    implemented in phpSysInfo's index.php - quote:
               if (!empty($HTTP_GET_VARS)) while (list($name, $value) =
                each($HTTP_GET_VARS)) $$name = $value;
               if (!empty($HTTP_POST_VARS)) while (list($name, $value) =
                each($HTTP_POST_VARS)) $$name = $value;

    As the interested reader will easily see, this two-liner overwrites the
    complete scope, including the superglobal variable $_SERVER. By injecting
    a local path name into $_SERVER['HTTP_ACCEPT_LANGUAGE'], an attacker can
    now include arbitrary files. If they have a way to create content on the
    target server (such as an entry in syslog or the web server log file),
    they can use this to execute arbitrary code.

    In the Debian Sarge package, injecting only HTTP_ACCEPT_LANGUAGE is
    sufficient - the current source tree (phpsysinfo-dev from sf.net) requires
    the attacker to additionally inject the $lng parameter.

    Example:
    /index.php?_SERVER[HTTP_ACCEPT_LANGUAGE]=../../README%00
    /index.php?_SERVER[HTTP_ACCEPT_LANGUAGE]=../../README%00&
    lng=../../README%00

    The variable $sensor_program is set in config.php, but can be overwritten
    since config.php is actually included *before* reglobalization takes
    place. With this variable, arbitrary file inclusion is possible on some
    platforms, dependant on the local realpath() implementation.

    Example:
    /index.php?sensor_program=lmsensors.inc.php/../../README%00

    Additionally, $sensor_program can *still* be used to inject active
    contents into the page, known as Cross-Site Scripting. This issue was
    discussed in CVE-2005-0870 and still exists. The other XSS holes mentioned
    in that ad- visory are still valid, too. They can be abused with
    register_globals Off, this is different from the advisory by ISS. It is,
    however, not exploitable on Debian systems.

    An additional attack vector for Cross-Site Scripting attacks is the
    variable $VERSION, which is used for the version string displayed on the
    bottom of each page.

    Example:
    /index.php?VERSION=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

    A fairly unknown attack class is so-called HTTP Response Splitting, an
    attack that allows for "selective defacement" of web pages by poisoning
    forwarding or reverse proxies. An explanation of this attack class is
    beyond the scope of this advisory.

    Using HTTP Response Splitting, arbitrary strings can be injected into the
    variable $charset, which is meant to include a value such as "iso-8859-1"
    or similar, but is only set to a value inside a language include file if a
    language in fact requires a character set different from iso-8859-1. In
    all other cases, it can be set via the URL. This variable is fed to a
    header() call without any additional checks. By breaking up the argument
    with \r\n, the attacker can inject a complete second HTTP response. This
    response is the only one that will be returned by any intermediate proxy,
    showing whatever HTML the attacker injected previously.

    Example:
    /index.php?charset=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1 200
    OK%0d%0aContent-Type: text/html%0d%0aContent-Length:
    19%0d%0a%0d%0a<html>Hacked!</html>

    This example will print out a simple (and invalid) HTML page containing
    only the string "Hacked!" if the victim accesses the phpSysInfo instance
    from behind a proxy. Direct access will probably yield an empty page,
    since many browsers do not know how to handle more than one response to a
    HTTP request.

    Disclosure Timeline:
    10. November 2005 - Bug disclosed to vendor.
    10. November 2005 - Updated version 2.4 released.
    11. November 2005 - 2.4 does not seem to fix - own patch sent to vendor.
    12. November 2005 - New updated version 2.4.1 fixes the issues.
    13. November 2005 - Public disclosure.

    Recommendation:
    We have provided a bugfix to the vendor, which, in addition to their own
    fix, will be included in version 2.4.1 of phpSysInfo. We also recommend
    installing the Hardening Patch for PHP which would have mitigated the
    response splitting problem (by not allowing multiline headers) and the
    $_SERVER overwriting issues (by not allowing certain superglobals to be
    overwritten from the outside). If you want to fix the issue yourself, just
    comment out the lines mentioned in an earlier paragraph of this advisory
    and selectively infer the variables $_REQUEST['lng'] and
    $_REQUEST['template'] from the outside.

    Additionally, access to the includes/ directory should be restricted by
    appropriate means, e.g. a .htaccess file.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3347>
    CVE-2005-3347
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3348>
    CVE-2005-3348

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:christopher.kunz@hardened-php.net> Christopher Kunz.
    The original article can be found at:
    <http://www.hardened-php.net/advisory_212005.81.html>
    http://www.hardened-php.net/advisory_212005.81.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] VERITAS Storage Foundation Buffer Overflow"

    Relevant Pages