Advisory 22/2005: Multiple vulnerabilities in phpSysInfo

From: Christopher Kunz (christopher.kunz_at_hardened-php.net)
Date: 11/13/05

  • Next message: Amin Tora: "[ADVISORY] CISCO ASA Failover DoS Vulnerability"
    Date: Sun, 13 Nov 2005 12:02:00 +0100
    To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, "phpsec@phparch.com" <phpsec@phparch.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                            Hardened PHP Project
                            www.hardened-php.net

                          -= Security Advisory =-

         Advisory: Multiple vulnerabilities in phpSysInfo
     Release Date: 2005/11/13
    Last Modified: 2005/11/12
           Author: Christopher Kunz <christopher.kunz@hardened-php.net>
      Application: phpSysInfo 2.4 and prior
         Severity: Cross-Site Scripting, HTTP Response Splitting,
                   Arbitrary local file inclusion
             Risk: Medium
    Vendor Status: Vendor has released an updated version.
       References: http://www.hardened-php.net/advisory_212005.81.html

    Overview:

       phpSysInfo is a PHP script that displays information about the host being
       accessed. It will displays things like Uptime, CPU, Memory, SCSI, IDE, PCI,
       Ethernet, Floppy, and Video Information.
       A number of holes - all of them attributed to a rather crude (and unneeded)
       register_globals emulation - allow for arbitrary file inclusion, amongst
       other things.

    Details:

       It is important to note that due to the nature of phpSysInfo, it is unlikely
       to be run inside an open_basedir, since most of the information the software
       obtains is from the /proc or /etc directories. Furthermore, few admin-
       istrators will restrict its access to PHP's shell functions, since a such
       restriction would render the software unusable. In fact, the author requires
       that safe_mode be set to Off and no other restrictions be imposed on the PHP
       installation.

       A hole that was reported in CVE-2003-0536 and is reported as "fixed" in the
       phpSysInfo README still persists. The reason for this problem lies in the
       incorrect handling of variables by the "globalization layer" implemented in
       phpSysInfo's index.php - quote:
               if (!empty($HTTP_GET_VARS)) while (list($name, $value) =
                each($HTTP_GET_VARS)) $$name = $value;
               if (!empty($HTTP_POST_VARS)) while (list($name, $value) =
                each($HTTP_POST_VARS)) $$name = $value;
       As the interested reader will easily see, this two-liner overwrites the
       complete scope, including the superglobal variable $_SERVER. By injecting
       a local path name into $_SERVER['HTTP_ACCEPT_LANGUAGE'], an attacker can now
       include arbitrary files. If they have a way to create content on the target
       server (such as an entry in syslog or the web server log file), they can use
       this to execute arbitrary code.
       In the Debian Sarge package, injecting only HTTP_ACCEPT_LANGUAGE is suffi-
       cient - the current source tree (phpsysinfo-dev from sf.net) requires the
       attacker to additionally inject the $lng parameter.
       Example: /index.php?_SERVER[HTTP_ACCEPT_LANGUAGE]=../../README%00
                /index.php?_SERVER[HTTP_ACCEPT_LANGUAGE]=../../README%00&lng=../../
                README%00

       The variable $sensor_program is set in config.php, but can be overwritten
       since config.php is actually included *before* reglobalization takes place.
       With this variable, arbitrary file inclusion is possible on some platforms,
       dependant on the local realpath() implementation.
       Example: /index.php?sensor_program=lmsensors.inc.php/../../README%00

       Additionally, $sensor_program can *still* be used to inject active contents
       into the page, known as Cross-Site Scripting. This issue was discussed in
       CVE-2005-0870 and still exists. The other XSS holes mentioned in that ad-
       visory are still valid, too. They can be abused with register_globals Off,
       this is different from the advisory by ISS. It is, however, not exploitable
       on Debian systems.
       An additional attack vector for Cross-Site Scripting attacks is the variable
       $VERSION, which is used for the version string displayed on the bottom of
       each page.
       Example: /index.php?VERSION=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

       A fairly unknown attack class is so-called HTTP Response Splitting, an at-
       tack that allows for "selective defacement" of web pages by poisoning for-
       warding or reverse proxies. An explanation of this attack class is beyond
       the scope of this advisory, a whitepaper can be obtained at [1].
       Using HTTP Response Splitting, arbitrary strings can be injected into the
       variable $charset, which is meant to include a value such as "iso-8859-1"
       or similar, but is only set to a value inside a language include file if a
       language in fact requires a character set different from iso-8859-1. In all
       other cases, it can be set via the URL. This variable is fed to a header()
       call without any additional checks. By breaking up the argument with \r\n,
       the attacker can inject a complete second HTTP response. This response is
       the only one that will be returned by any intermediate proxy, showing what-
       ever HTML the attacker injected previously.
       Example:
       /index.php?charset=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%
       0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Ha
       cked!</html>
       This example will print out a simple (and invalid) HTML page containing only
       the string "Hacked!" if the victim accesses the phpSysInfo instance from be-
       hind a proxy. Direct access will probably yield an empty page, since many
       browsers do not know how to handle more than one response to a HTTP request.

    Proof of Concept:

       The examples above should provide you with enough PoC to validate the ex-
       istance of the vulnerabilities.

    Disclosure Timeline:

       10. November 2005 - Bug disclosed to vendor.
       10. November 2005 - Updated version 2.4 released.
       11. November 2005 - 2.4 does not seem to fix - own patch sent to vendor.
       12. November 2005 - New updated version 2.4.1 fixes the issues.
       13. November 2005 - Public disclosure.

    Credits:

       All vulnerabilities were investigated by the Hardened-PHP Project. Credit to
       referred vulnerabilities goes to the original authors, as mentioned on CVE.

    Recommendation:

       We have provided a bugfix to the vendor, which, in addition to their own
       fix, will be included in version 2.4.1 of phpSysInfo.
       We also recommend installing the Hardening Patch for PHP which would have
       mitigated the response splitting problem (by not allowing multiline headers)
       and the $_SERVER overwriting issues (by not allowing certain superglobals to
       be overwritten from the outside).
       If you want to fix the issue yourself, just comment out the lines mentioned
       in an earlier paragraph of this advisory and selectively infer the variables
       $_REQUEST['lng'] and $_REQUEST['template'] from the outside.
       Additionally, access to the includes/ directory should be restricted by
       appropriate means, e.g. a .htaccess file.

    CVE Information:

       The Common Vulnerabilities and Exposures project (cve.mitre.org) has
       assigned the name CVE-2005-3347 to the file inclusion issue and the name
       name CVE-2005-3348 to the HTTP response splitting problem.

    References:

       [1] http://www.packetstormsecurity.org/papers/general/whitepaper_httprespons
           e.pdf
       [2] http://phpsysinfo.sourceforge.net/

    Plug:

       You can discuss this and other vulnerabilities in our forum at
       http://forum.hardened-php.net/ - an up-to-date list of advisories can be
       found at http://www.hardened-php.net/.

    GPG-Key:

       http://www.hardened-php.net/hardened-php-signature-key.asc

       pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
       Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

    Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFDdyOFRDkUzAqGSqERAt9KAJ4uCXhrcapN/zxWDS6n7y8ezp6xsQCgw28i
    HSdHc4zKJ8aCj5gSC8Zxlj4=
    =XRw5
    -----END PGP SIGNATURE-----


  • Next message: Amin Tora: "[ADVISORY] CISCO ASA Failover DoS Vulnerability"

    Relevant Pages