11148604 2003-12-29 15:51 +0100 /91 lines/ ppp-design <security@ppp-design.de>
Imported: 2003-12-29 22:43 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: full-disclosure@lists.netsys.com
Recipient: Bugtraq (import) <30472>
Subject: php-ping: Executing arbitrary commands
------------------------------------------------------------
From: ppp-design <security@ppp-design.de>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Message-ID: <3FF03F5C.3060306@ppp-design.de>

ppp-design found the following design error in php-ping:


Details
-------
Product: php-ping
Affected Version: (no version information included in the script)
Immune Version: latest version
OS affected: all OS with php
Vendor-URL: http://www.theworldsend.net/
Vendor-Status: informed, new version available
Security-Risk: high - very high
Remote-Exploit: Yes


Introduction
------------
php-ping is a simple php script executing the ping command.
Unfortunately a bug allows users to execute arbitrary commands.


More details
------------
The problem is based upon the fact that not all user inputs are filtered
correctly. Although $host is filtered using preg_replace, the $count
variable is passed unfiltered to the system() command.


Proof-of-concept
----------------
You can use one of the following proof of concepts:

http://www.example.com/php-ping.php?count=1+%26+ls%20-l+%26&submit=Ping%21
http://www.example.com/php-ping.php?count=1+%26+cat%20/etc/passwd+%26&submit=Ping%21


Temporary-Fix
-------------
Replace
If ($count > $max_count)
with
If ($count > $max_count && !is_numeric($count))


Fix
---
Use latest version.


Security-Risk
-------------
Because an attacker is able to execute any php command, he is able to
read all files including .htaccess or .htpasswd files or any password
protected pages. Depending on system security he might be able to run
any shell command on the server. That is why we are rating this security
issue as high - very high.


Vendor status
-------------
Unfortunately the webmaster@theworldsend.net address mentioned on the
website and in the script was bouncing. But with help of whois we were
able to find a valid email address to contact the author. One day later,
the bug was fixed without any notice.


Disclaimer
----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design cannot be held responsible for the
use or misuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.


This advisory can be found online at:
http://www.ppp-design.de/advisories_show.php?adv=php-ping__executing_arbitrary_commands.txt



-- 
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
(11148604) /ppp-design <security@ppp-design.de>/(Rewrapped)
Comment in text 11151713 by Golden_Eternity <bugtraq@bhodisoft.com>
11151713 2003-12-29 14:45 -0800 /17 lines/ Golden_Eternity <bugtraq@bhodisoft.com>
Imported: 2003-12-30 19:56 by Brevbäraren
External recipient: ppp-design <security@ppp-design.de>
External recipient: bugtraq@securityfocus.com
External recipient: full-disclosure@lists.netsys.com
Recipient: Bugtraq (import) <30482>
Comment on text 11148604 by ppp-design <security@ppp-design.de>
Subject: RE: php-ping: Executing arbitrary commands
------------------------------------------------------------
From: "Golden_Eternity" <bugtraq@bhodisoft.com>
To: "ppp-design" <security@ppp-design.de>,
 <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
Message-ID: <EOEGLIKIMNJIPFEJADFFAENACAAA.bugtraq@bhodisoft.com>

> Temporary-Fix
> -------------
> Replace
> If ($count > $max_count)
> with
> If ($count > $max_count && !is_numeric($count))

Shouldn't that be '||' instead of '&&'?

-G_E
(11151713) /Golden_Eternity <bugtraq@bhodisoft.com>/
Comment in text 11151664 by ppp-design <security@ppp-design.de>
11151664 2003-12-30 10:11 +0100 /29 lines/ ppp-design <security@ppp-design.de>
Imported: 2003-12-30 19:44 by Brevbäraren
External recipient: Golden_Eternity <bugtraq@bhodisoft.com>
External cc recipient: bugtraq@securityfocus.com
External cc recipient: full-disclosure@lists.netsys.com
Recipient: Bugtraq (import) <30481>
Comment on text 11151713 by Golden_Eternity <bugtraq@bhodisoft.com>
    Sent:     2003-12-30 19:56
Subject: Re: php-ping: Executing arbitrary commands
------------------------------------------------------------
From: ppp-design <security@ppp-design.de>
To: Golden_Eternity <bugtraq@bhodisoft.com>
Cc: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Message-ID: <3FF1415E.5080908@ppp-design.de>

Golden_Eternity wrote:

>>If ($count > $max_count && !is_numeric($count))
> 
> Shouldn't that be '||' instead of '&&'?

Yes, of course. Sorry, this typo should have been fixed before
releasing the advisory.


Thanks a lot for the hint,

Jens Liebchen
ppp-design



-- 
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
(11151664) /ppp-design <security@ppp-design.de>/(Rewrapped)
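The root cause described in the advisory (the $count parameter reaching system() unfiltered) and the corrected temporary fix from the follow-up ('||' rather than '&&') together point to one defensive pattern: validate the count as a bounded integer before any shell command is built, and quote every argument. The script below is an added example, not php-ping's own code; the function names, the host whitelist and the Linux-style `ping -c` invocation are assumptions, and the inputs at the bottom are constructed.

```php
<?php
// Added example, not php-ping's own code. Function names, the host
// whitelist and the "ping -c" form are assumptions for illustration.

// The shape the advisory describes: $host is filtered, $count is not, so a
// value such as "1 & ls -l &" becomes extra shell commands. The string is
// only returned here, never executed.
function ping_command_unsafe(string $host, string $count): string {
    $host = preg_replace('/[^A-Za-z0-9.\-]/', '', $host);
    return "ping -c $count $host";
}

// Hardened version: returns null (reject) unless both inputs are sane.
function build_ping_command(string $host, string $count, int $max_count = 10): ?string {
    // Whitelist the host: letters, digits, dots and hyphens, bounded length.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null;
    }
    // FILTER_VALIDATE_INT with a range rejects "1 & ls -l &", "", "1.5",
    // "1e3", "-1" and anything above $max_count; is_numeric() would accept
    // floats and exponent notation, so it is too loose on its own.
    $n = filter_var($count, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max_count]]);
    if ($n === false) {
        return null;
    }
    // Both values are already safe; escapeshellarg() is defence in depth
    // in case the validation above is ever relaxed.
    return 'ping -c ' . escapeshellarg((string) $n) . ' ' . escapeshellarg($host);
}

// Constructed inputs, including the injection pattern from the advisory.
foreach (['1', '1 & ls -l &', '100', 'abc', '1e3'] as $count) {
    $cmd = build_ping_command('example.com', $count);
    echo str_pad(var_export($count, true), 16), ' => ',
         ($cmd === null ? 'rejected' : $cmd), PHP_EOL;
}
```

Only the first input produces a command; every other value is rejected before anything is passed to the shell, which is the check the temporary fix was trying to express.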