Dailydave mailing list archives

Citrix, PHP, SyScan,


From: Dave Aitel <dave () kof immunityinc com>
Date: Fri, 3 Jul 2009 07:06:06 -0400

The sign of a good hacker is often that they make it look really stinkin'
easy. Like today at SyScan 09 (Singapore) Brett Moore went from "remote
anonymous" to "domain admin" in about 5 clicks using various Citrixy things
(live demos are fun!). As he says "You can explain this stuff all day, but
when network admins actually see you do it, that's when they learn".

Likewise, Stefan Esser pointed out that he had released a bugclass in PHP
(that helps you bypass Safe Mode) back in his "month of PHP bugs". But when
he goes through the thousand circumstantial steps of how you exploit it
reliably (his exploit worked smoothly against PHP x86 and x64 in his demo)
it makes a lot more sense.

The basic theory of his work (as I understand it) is this:

The PHP engine's code does not take proper account of the idea that the types
of PHP variables can be changed during a function's execution. So for
example, you use the "explode" function but while it's exploding you change
a variable in the hashtable and (via some magic) you can then get a nice
information leak. A similar bug results in the creation of a string with a size of
2 gigs and a starting memory address of 0. This means you can do things like
my_fake_string[0x41414141]=0; to write to that address in memory. Via some
parsing (work goes here) you can turn off safe_mode, fix the removed
functions, and get out of PHP jails in all senses of the term.

The other side benefit is that when you are running PHP in a common setup,
with SSL and mod_php, you can then read the process's memory to recover the
SSL private key. This is one time when MS's use of LSASS for storing private
keys and doing all the crypto makes sense!

Anyways, more on the talks later - next up is SyScan Taiwan!

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave