SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability

From: Bernhard Mueller (research_at_sec-consult.com)
Date: 10/25/05

  • Next message: Bernhard Mueller: "SEC-Consult SA 20051025-1 :: RSA ACE Web Agent XSS" 
    Date: Tue, 25 Oct 2005 22:24:54 +0200
To: Full Disclosure <full-disclosure@lists.grok.org.uk>, bugtraq@securityfocus.com

    SEC-CONSULT Security Advisory 20051025-0
    ======================================================================
                      title: Snoopy Remote Code Execution Vulnerability
                    program: Snoopy PHP Webclient
         vulnerable version: 1.2 and earlier
                   homepage: http://snoopy.sourceforge.net
                      found: 2005-10-10
                         by: D. Fabian / SEC-CONSULT / www.sec-consult.com
    ======================================================================

    vendor description:
    ---------------

    Snoopy is a PHP class that simulates a web browser. It automates the
    task of retrieving web page content and posting forms, for example.

    Snoopy is used by various RSS parser, which are in turn used in a
    whole bunch of applications like weblogs, content management systems,
    and many more.

    vulnerabilty overview:
    ---------------

    Whenever an SSL protected webpage is requested with one of the many
    Snoopy API calls, it calls the function _httpsrequest which takes
    the URL as argument. This function in turn calls the PHP-function
    exec with unchecked user-input. Using a specially crafted URL, an
    attacker can supply arbitrary commands that are executed on the web
    server with priviledges of the web user.

    While the vulnerability can not be exploited using the Snoopy class
    file itself, there may exist implementations which hand unchecked
    URLs from users to snoopy.

    proof of concept:
    ---------------

    Consider the following code on a webserver:
    --- code ---
    <?
    include "Snoopy.class.php";
    $snoopy = new Snoopy;

    $snoopy->fetch($_GET['url']);
    echo "<PRE>\n";
    print $snoopy->results;
    echo "</PRE>\n";
    ?>
    --- /code ---

    Requesting this code with a manipulated URL results in execution
    of arbitrary code (in this case "echo 'hello' > test.txt"). Please
    consider the following url one line:

    http://server/fetch.php?url=https://www.%22;+echo+'hello'+%3E+
    test.txt

    vulnerable versions:
    ---------------

    It seems that version 1.2 as well as some prior versions are vulnerable
    to the attack described above.

    recommended fix:
    ---------------

    Update to Snoopy version 1.2.1.

    vendor status:
    ---------------
    vendor notified: 2005-10-24
    vendor response: 2005-10-24
    patch available: 2005-10-24

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    SEC Consult Unternehmensberatung GmbH

    Office Vienna
    Blindengasse 3
    A-1080 Wien
    Austria

    Tel.: +43 / 1 / 409 0307 - 570
    Fax.: +43 / 1 / 409 0307 - 590
    Mail: office at sec-consult dot com
    www.sec-consult.com

    EOF Daniel Fabian / @2005
    d.fabian at sec-consult dot com

  • Next message: Bernhard Mueller: "SEC-Consult SA 20051025-1 :: RSA ACE Web Agent XSS"