Topic: Security: PHP 5.4 Remote Exploit PoC in the wild
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Sat 19 May '12 19:19    Post subject: Security: PHP 5.4 Remote Exploit PoC in the wild

There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the ones that bind a shell to a port...

See: http://isc.sans.org/diary/PHP+5+4+Remote+Exploit+PoC+in+the+wild/13255

Exploit: hxxp://www.exploit-db.com/exploits/18861/
(change the hxxp to http to see it)
Kanashii



Joined: 17 Jul 2006
Posts: 155
Location: Porando

Posted: Sun 20 May '12 7:09    Post subject: re

I think this is local code execution!

Quote:
// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32) //

com_print_typeinfo - you can block this function via php.ini :: disable_functions = com_print_typeinfo

Block any file upload function in your PHP applications to avoid risks of exploit code execution.

* That means someone can upload a file to your server, e.g. php.bmps, and via .htaccess add the filetype .bmps to be executed by the PHP interpreter

Quote:
There appears to be a buffer overflow in com_print_typeinfo(), it
appears to only affect PHP on Windows (COM object related).

http://seclists.org/oss-sec/2012/q2/358

Question is WHO starts Apache on the "System" account?

On the System account you can e.g. add a new admin user etc. and whatever systeminfo.exe

Another thing: I looked at this code and what I see:

Quote:
function makeRequest(url, parameters)

Quote:
makeRequest("0day.php?offset="+offset);

$offset is numeric, from 1 to 300

It makes an Ajax request to 0day.php with no remote IP address, so it is local.
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Sun 20 May '12 8:06

Yes, which is why the recommendation was to disable uploads for the time being. If someone uploads it, and calls it, game over.
Kanashii



Joined: 17 Jul 2006
Posts: 155
Location: Porando

Posted: Sun 20 May '12 18:28

or add to the folder:

php_flag engine off

Another problem: when you check the file extension by preg_match you need to filter \n && \r

But the best way is to run Apache under the nobody group and add security rules that allow only software run by admin, with an exception for the Apache bin folder
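Kanashii's \n/\r remark refers to a PCRE detail: `$` also matches just before a trailing newline, so an extension check anchored with `$` accepts "shot.jpg\n". The added PHP example below (not code from this thread) shows such a check next to a stricter one that anchors with `\z`, rejects control characters, dot-files such as .htaccess and multi-extension names; the allowed-extension list is an assumption for the example.

```php
<?php
// Added example, not from the thread: upload file-name checks.

// Weak: without the D modifier, '$' in PCRE also matches before a final "\n",
// so "shot.jpg\n" passes; nothing rejects ".htaccess" or a second extension.
function extensionOkWeak(string $name): bool
{
    return preg_match('/\.(jpe?g|png|gif)$/i', $name) === 1;
}

// Stricter: \A...\z anchor at the absolute start and end, control characters
// (including \r and \n) are refused, directory parts and dot-files such as
// .htaccess are refused, and only a single extension is allowed because
// Apache's mod_mime looks at every extension of a name like shell.php.jpg.
function extensionOkStrict(string $name): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];   // assumed allow-list
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return false;                            // control chars, incl. CR/LF
    }
    if ($name !== basename($name) || $name[0] === '.') {
        return false;                            // path parts or dot-files
    }
    if (!preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)) {
        return false;                            // exactly one extension
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Constructed sample names: the two checks disagree on most of them.
$samples = ["shot.jpg", "shot.jpg\n", "shell.php", "shell.php.jpg",
            ".htaccess", "shot.php\r\n.jpg"];
foreach ($samples as $s) {
    printf("%-22s weak=%s strict=%s\n", json_encode($s),
        extensionOkWeak($s) ? 'accept' : 'reject',
        extensionOkStrict($s) ? 'accept' : 'reject');
}
```

Even with a strict name check, the uploads directory should still carry `php_flag engine off` (or an equivalent `<Directory>` rule) as Kanashii suggests, so that a name that slips through is never executed.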

