Full Disclosure mailing list archives
PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
From: elliot_mb () hushmail com
Date: Mon, 03 Aug 2009 16:03:13 -0400
PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability I. BACKGROUND PFF is a popular fuzzing suite developed by a team of highly skilled developers at a classified government funded information security research center. http://www.setec.org/~calcite/code/pff/ II. DESCRIPTION Local exploitation of an insecure file creation method allows an attacker to execute arbritrary code with the privileges of the user running the affected application. III. ANALYSIS PFF uses a default location for output files before execution by the php intepreter. This location can be owned by another user. An attacker can then use the time between creation of the output file and execution of the file by the php binary to replace the file with a one containing the attacker's payload. IV. DETECTION All versions are affected. V. WORKAROUND Use a location not writable by another user for storage of PFF output files. VI. VENDOR RESPONSE Vendor was uninterested in fixing the issue. VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has not yet assigned an identifier to this issue. VIII. DISCLOSURE TIMELINE 07/30/2009 10:01PM EST - Initial Contact 07/30/2009 10:05PM EST - Initial Vendor Reply 07/30/2009 10:06PM EST - Vendor expressed lack of interest in fixing the issue. IX. CREDIT This vulnerability was discovered by abad1dea, Melissa Elliott Email: Elliott_mb () students lynchburg edu melissa () netric org Address: 408 Homestead Drive Forest, VA 24551 Box 2073 Lynchburg Edu Phone: (434) 610-3058 544-8967 Web: http://www.0xabad1dea.net IRC: irc.smashthestack.org/#social/esper --- Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/
Attachment:
cheddabay.c
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability elliot_mb (Aug 03)
- Re: PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability Valdis . Kletnieks (Aug 04)
- <Possible follow-ups>
- PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability elliot_mb (Aug 04)