[Full-Disclosure] PHP dlopen() -> Fun with apache (and other
                     _,'|             _.-''``-...___..--';)
                     /_ \'.      __..-' ,      ,--...--'''
                    <\    .`--'''       `     /'
                    `-';'               ;   ; ;
               __...--''     ___...--_..'  .;.'
           fL (,__....----'''       (,..--''  felinemenace.org

Program: PHP
Impact: Users who can supply scripts to be parsed can cause apache to execute
        arbitrary code.
Discovered: Andrew Griffiths
Writeup and exploits: Andrew Griffiths

1) Background

        PHP is a widely-used general-purpose scripting language that is
        especially suited for Web development and can be embedded into HTML.

        For more information, see http://www.php.net

2) Description

        If you can use the dlopen() function in PHP, you can do many
        interesting things to the process memory of apache (or of whatever
        alternate web server is running the script).

        Of the attached examples, one dumps the process memory to /tmp (works
        for both apache 1.x and apache 2.x), and the other simulates a
        defacement (works for apache 1.x only; due to return code handling it
        doesn't work for apache 2.x).

3) Notes

        [andrewg@felinemenace public_html]$ stat memdump.c
        File: "memdump.c"
        Size: 1357            Blocks: 4          IO Block: 1024   Regular File
        Device: be18h/48664d    Inode: 58662939    Links: 1
        Access: (0664/-rw-rw-r--)  Uid: ( 1002/ andrewg)   Gid: ( 1002/ andrewg)
        Access: Thu May 29 01:21:09 2003
        Modify: Thu May 29 01:21:10 2003
        Change: Thu May 29 01:21:10 2003

        gcc -c -o memdump.o memdump.c
        ld -shared -o /tmp/libby.so memdump.o

        Erm, originally I sent this encrypted. I lay the blame @ mutt and not
        giving me an option of not sending it encrypted, once I accidentally
        hit y to send and not p to change the option.

4) Mitigation

        You can disable the dlopen function by utilising the disable_functions
        parameter in the php.ini configuration file, or alternatively, enable
        safe_mode in the php.ini configuration file.
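        As an added example (not part of the advisory, and not PHP's own
        tooling), the following POSIX shell script audits a php.ini file for
        the mitigation just described: it reports whether the named loader
        function is listed in disable_functions or whether safe_mode is on.
        The function name is passed as an argument rather than assumed, and
        the two php.ini samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a php.ini for the mitigation
# above. Exit 0 when FUNC is in disable_functions or safe_mode is on.

# Effective value of directive KEY (lowercase) in php.ini FILE: comments and
# quotes stripped, last assignment wins, as PHP reads the file top to bottom.
php_ini_get() {
    sed -e 's/;.*$//' -e 's/"//g' "$1" |
    awk -F= -v key="$2" '
        tolower($1) ~ ("^[ \t]*" key "[ \t]*$") { v = $2 }
        END { sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v }'
}

# php_ini_blocks_function FILE FUNC -> 0 if FUNC cannot be called, 1 otherwise
php_ini_blocks_function() {
    # disable_functions is a comma-separated list; require an exact name match
    if php_ini_get "$1" disable_functions | tr ',' '\n' |
       sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -qxF -- "$2"; then
        return 0
    fi
    case $(php_ini_get "$1" safe_mode | tr 'A-Z' 'a-z') in
        on|1|true|yes) return 0 ;;
    esac
    return 1
}

# Constructed sample configs (not real deployments), written to temp files.
WEAK_INI=$(mktemp)
cat >"$WEAK_INI" <<'EOF'
; weak: loading of shared objects from scripts is left enabled
safe_mode = Off
disable_functions =
EOF
HARDENED_INI=$(mktemp)
cat >"$HARDENED_INI" <<'EOF'
; hardened: the loader is in disable_functions (quoted, spaced list)
safe_mode = Off
disable_functions = "exec, system, dlopen"
EOF

for f in "$WEAK_INI" "$HARDENED_INI"; do
    if php_ini_blocks_function "$f" dlopen; then
        echo "$f: dlopen blocked"
    else
        echo "$f: WARNING dlopen still callable"
    fi
done
```

        Run it against the php.ini the web server actually loads (the path is
        shown by phpinfo()); a per-directory override can re-enable nothing
        here, since disable_functions and safe_mode are system-level settings.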

5) Exploits

        http://felinemenace.org/exploits/fm-php-memdump.c
        http://felinemenace.org/exploits/fm-php-deface.c

        Here is a challenge/interesting idea for some people to think about.

        1) Write a shellcode (and a .so) that can "steal" an SSL private key
        from an application that utilises OpenSSL, like, say, stunnel or
        programs like Apache :)

        2) Could you hook the private key input function from apache, and have
        it survive across apachectl restart?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html