Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability

From: elliot_mb () hushmail com
Date: Mon, 03 Aug 2009 14:48:29 -0400
PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
I. BACKGROUND

PFF is a popular fuzzing suite developed by a team of highly 
skilled developers
at a classified government funded information security research 
center.
http://www.setec.org/~calcite/code/pff/ 

II. DESCRIPTION

Local exploitation of an insecure file creation method allows an 
attacker to 
execute arbritrary code with the privileges of the user running the 
affected 
application.

III. ANALYSIS

PFF uses a default location for output files before execution by 
the php intepreter.
This location can be owned by another user. An attacker can then 
use the time between 
creation of the output file and execution of the file by the php 
binary to replace
the file with a one containing the attacker's payload.

IV. DETECTION

All versions are affected.

V. WORKAROUND

Use a location not writable by another user for storage of PFF 
output files.

VI. VENDOR RESPONSE

Vendor was uninterested in fixing the issue.


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has not yet 
assigned an identifier  to this issue. 

VIII. DISCLOSURE TIMELINE

07/30/2009 10:01PM EST - Initial Contact
07/30/2009 10:05PM EST - Initial Vendor Reply
07/30/2009 10:06PM EST - Vendor expressed lack of interest in 
fixing the issue.

IX. CREDIT

This vulnerability was discovered by abad1dea,
Melissa Elliott
Email:
Elliott_mb () students lynchburg edu
melissa () netric org
Address:
408 Homestead Drive
Forest, VA 24551

Box 2073
Lynchburg Edu

Phone:
(434) 610-3058
      544-8967 

Web:
http://www.0xabad1dea.net

IRC:
irc.smashthestack.org/#social/esper
---
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

Attachment: cheddabay.c
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: