Dailydave mailing list archives
Citrix, PHP, SyScan,
From: Dave Aitel <dave () kof immunityinc com>
Date: Fri, 3 Jul 2009 07:06:06 -0400
The sign of a good hacker is often that they make it look really stinkin' easy. Like today at SyScan 09 (Singapore) Brett Moore went from "remote anonymous" to "domain admin" in about 5 clicks using various Citrixy things (live demos are fun!). As he says, "You can explain this stuff all day, but when network admins actually see you do it, that's when they learn."

Likewise, Stefan Esser pointed out that he had released a bug class in PHP (that helps you bypass Safe Mode) back in his "month of PHP bugs". But when he goes through the thousand circumstantial steps of how you exploit it reliably (his exploit worked smoothly against PHP x86 and x64 in his demo), it makes a lot more sense.

The basic theory of his work (as I understand it) is this: the PHP engine's code does not take proper account of the fact that the types of PHP variables can be changed during a function's execution. So, for example, you use the "explode" function, but while it's exploding you change a variable in the hashtable and (via some magic) you can then get a nice information leak. A similar bug results in the creation of a string with a size of 2 gigs and a starting memory address of 0. This means you can do things like my_fake_string[0x41414141]=0; to write to that address in memory. Via some parsing (work goes here) you can turn off safe_mode, fix the removed functions, and get out of PHP jails in all senses of the term.

The other side benefit is that when you are running PHP in a common setup, with SSL and mod_php, you can then read the process's memory to recover the SSL private key. This is one time when MS's use of LSASS for storing private keys and doing all the crypto makes sense!

Anyways, more on the talks later - next up is SyScan Taiwan!

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave