Hey, folks, ignore the coincidence of the date when reading this email.

During the Scranton PHP Group's meeting last night, the topic was security - go through all of the PHP engine's source code and identify and find patches for possible security issues. In the process, we detected a huge security vulnerability that affects all versions since at least 4.1.0. PHP apparently has a built-in bytecode-parsing component in the engine itself, and while we couldn't find any documentation for it at all, we were able to exploit the vulnerability in a variety of ways. And the things we were able to do weren't pretty: escalated privileges, subsequently leading to filesystem dd, password changes, and even remote installations. Not nice stuff at all.

This works regardless of whether or not open_basedir, safe_mode, remote_url_fopen, remote_url_include, et cetera, are turned on or off. It's also not *NIX-dependent. And because of Windows' inherent security issues itself, we didn't even have to play around with the trivial privilege escalation routines; send one injected request as a GET or POST to PHP (on Apache and IIS alike, and probably other HTTP servers). Unfortunately, the web servers didn't filter the request, and PHP parses the information internally. Script sanity seems to mean nil, since we were even able to do it with a blank test.php file. It looks like anything that calls up the PHP engine will process the query string.

There is, however, an easy fix, which is a good thing for Windows users, since most probably don't know how to compile even basic code. Edit your php.ini file and add the following line:

    remote_bytecode_include = Off

And then restart Apache/IIS/etc. to have the changes take effect. The part of the engine source responsible for bytecode inclusion does recognize that flag, thank God, so even as serious as the issue is, at least there's an extremely simple fix. Once we did that and tried again, the exploits weren't at all successful. So there's some good news there.

For those interested, no, I'm not going to send exploit examples to the list. Those of you who are serious know that it would be extremely irresponsible to do so, especially considering the very open nature. So for any of you lurkers or wannabe-skript kiddies who contact me even off-list, your messages will be summarily ignored.

Those of you on shared web hosts will want to alert your hosting providers immediately as well. We've been sending emails to server admins, but as you can guess, it's impossible for us to reach all of them. So without trying to sound like a chain letter, please pass this on ASAP.

--
</Daniel P. Brown>
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php