Full Disclosure mailing list archives
PHP dlopen() -> Fun with apache (and other
From: andrewg () felinemenace org
Date: Wed, 13 Aug 2003 03:39:28 -0700
felinemenace.org

Program: PHP
Impact: Users who can supply scripts to be parsed can cause apache to execute arbitrary code.
Discovered: Andrew Griffiths
Writeup and exploits: Andrew Griffiths

1) Background

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. For more information, see http://www.php.net

2) Description

If you can use the dlopen() function in PHP, you can do many interesting things to the apache (or alternate web server's) process memory. The attached examples dump the process memory to /tmp (works for both apache 1.x and apache 2.x), and the other one simulates a defacement (works for apache 1.x; due to return code handling, it doesn't work for apache 2.x).

3) Notes

[andrewg@felinemenace public_html]$ stat memdump.c
  File: "memdump.c"
  Size: 1357         Blocks: 4          IO Block: 1024   Regular File
Device: be18h/48664d  Inode: 58662939    Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1002/ andrewg)   Gid: ( 1002/ andrewg)
Access: Thu May 29 01:21:09 2003
Modify: Thu May 29 01:21:10 2003
Change: Thu May 29 01:21:10 2003

gcc -c -o memdump.o memdump.c
ld -shared -o /tmp/libby.so memdump.o

Erm, originally I sent this encrypted. I lay the blame @ mutt and not giving me an option of not sending it encrypted, once I accidentally hit y to send and not p to change the option.

4) Mitigation

You can disable the dlopen function by utilising the disable_function parameter in the php.ini configuration file, or alternatively, enable safe_mode in the php.ini configuration file.

5) Exploits

http://felinemenace.org/exploits/fm-php-memdump.c
http://felinemenace.org/exploits/fm-php-deface.c

Here is a challenge/interesting idea for some people to think about.

1) Write a shellcode (and a .so) that can "steal" an SSL private key, from an application that utilizes OpenSSL, like, say, stunnel or programs like Apache :)
2) Could you hook the private key input function from apache, and have it survive across apachectl restart?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
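As an added defender-side example (not part of the post above or of the felinemenace exploits), the shell check below audits a php.ini for the two mitigations section 4 names: a disable_functions list covering the loader, or safe_mode switched on. Helper names such as audit_php_ini are hypothetical and the ini fragments are constructed; because PHP's runtime extension loader is actually called dl(), the check accepts either that name or dlopen as the post writes it.

```shell
#!/bin/sh
# Audit a php.ini text for the mitigations the post names: disable_functions
# covering dl/dlopen, or safe_mode = On. Helper names are hypothetical and
# the sample ini fragments below are constructed, not captured from a server.

# Print the last effective value of an ini key (comments and quotes stripped),
# or nothing if the key is never set. Usage: ini_value "$ini_text" key
ini_value() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*;.*$//' |
        grep -i "^[[:space:]]*$2[[:space:]]*=" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/"//g; s/[[:space:]]*$//'
}

# Return 0 if the comma-separated disable_functions list names dl (PHP's
# real extension loader) or dlopen (the name used in the post).
dl_disabled() {
    printf '%s\n' "$(ini_value "$1" disable_functions)" | tr ',' '\n' |
        tr -d ' \t' | tr 'A-Z' 'a-z' | grep -qxE 'dl|dlopen'
}

# Return 0 if safe_mode is switched on (PHP accepted On/1/True/Yes).
safe_mode_on() {
    case "$(ini_value "$1" safe_mode | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for an ini text, suitable for a config-audit job.
audit_php_ini() {
    if dl_disabled "$1"; then
        echo "mitigated: dl/dlopen listed in disable_functions"
    elif safe_mode_on "$1"; then
        echo "mitigated: safe_mode=On"
    else
        echo "exposed: dl/dlopen callable from scripts"
    fi
}

# Constructed sample fragments: one weak, one hardened, one relying on safe_mode.
WEAK_INI='; typical default
safe_mode = Off
disable_functions = exec, system   ; loader not listed'
HARDENED_INI='safe_mode = Off
disable_functions = "exec,system,dl,dlopen"'
SAFE_MODE_INI='safe_mode = On'

audit_php_ini "$WEAK_INI"
audit_php_ini "$HARDENED_INI"
```

safe_mode was removed in PHP 5.4, so on current installations only the disable_functions branch applies.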
Current thread:
- PHP dlopen() -> Fun with apache (and other andrewg (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other Stefan Esser (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other andrewg (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other Andreas Gietl (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other Stefan Esser (Aug 13)