xorl %eax, %eax

CVE-2009-4427: phpLDAPadmin Local File Inclusion


This vulnerability has been known at least since 10 December 2009, when ‘ipsecs’ posted exploit code for it. The bug affects 1.1.0.5 and probably other releases too. Here is the buggy code as seen in htdocs/cmd.php:

$www['cmd'] = get_request('cmd','REQUEST');
    ...
switch ($www['cmd']) {
	case '_debug' :
		debug_dump($_REQUEST,1);
		break;

	default :
		if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php'))
			$file = HOOKSDIR.$www['cmd'].'.php';

		elseif (defined('HTDOCDIR') && file_exists(HTDOCDIR.$www['cmd'].'.php'))
			$file = HTDOCDIR.$www['cmd'].'.php';

		elseif (file_exists('welcome.php'))
			$file = 'welcome.php';
}
    ...
if ($file)
	include $file;

The bug is quite obvious. $www['cmd'] is initialized from the user-controlled ‘cmd’ request parameter via get_request(). So, if the user supplies a ‘cmd’ value that is not NULL and is not set to “_debug”, execution falls through to the default case of the ‘switch’ statement. If the ‘HOOKSDIR’ constant is defined and a file named after the supplied value with a ‘.php’ extension appended exists, variable ‘file’ is set to that path (the ‘HTDOCDIR’ branch performs the same check for the second directory). After exiting the ‘switch’ statement, the code checks that ‘file’ is not NULL and attempts to include it.
Pretty simple local file inclusion vulnerability. This means that you can include files from the local system simply like this:

http://server/phpldapadmin/cmd.php?cmd=../../../../etc/passwd%00

The Unicode NULL character (%00) is used to NULL-terminate the string, so that you can bypass the ‘.php’ extension that is appended to the user-controlled filename.
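The following is an added example of how the cmd.php dispatcher above can be hardened; it is not phpLDAPadmin code and not part of the original post. It assumes, as the original snippet does, that HOOKSDIR and HTDOCDIR are defined with a trailing slash and that get_request() and debug_dump() exist. The fix validates the command name against a strict allowlist pattern before any filesystem call, which rejects both the ‘../’ traversal and the NULL byte in one step, and then confirms with realpath() that the resolved file still lives inside the intended directory.

```php
<?php
// Added example (not phpLDAPadmin's own code): hardened replacement for the
// cmd.php dispatch logic shown above. HOOKSDIR/HTDOCDIR/get_request()/
// debug_dump() are assumed to exist as in the original snippet.

function resolve_cmd_file($cmd)
{
    // 1. Accept only a short identifier: letters, digits and underscores.
    //    '/', '.' and "\0" are rejected here, before any filesystem access,
    //    so neither directory traversal nor '.php' truncation can occur.
    if (!is_string($cmd) || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $cmd)) {
        return null;
    }

    // 2. Look the name up only in the two directories the application intends.
    foreach (array('HOOKSDIR', 'HTDOCDIR') as $dirConst) {
        if (!defined($dirConst)) {
            continue;
        }
        $base = realpath(constant($dirConst));
        if ($base === false) {
            continue;
        }
        $candidate = realpath($base . DIRECTORY_SEPARATOR . $cmd . '.php');

        // 3. Defence in depth: the canonical path must still be under $base
        //    (guards against symlinks placed in the hooks directory).
        if ($candidate !== false
            && strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0
            && is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

$www['cmd'] = get_request('cmd', 'REQUEST');
$file = null;

switch ($www['cmd']) {
    case '_debug':
        debug_dump($_REQUEST, 1);
        break;

    default:
        $file = resolve_cmd_file($www['cmd']);
        // Unknown or malformed command: fall back to a fixed page, never to
        // anything derived from user input.
        if ($file === null && file_exists('welcome.php')) {
            $file = 'welcome.php';
        }
}

if ($file !== null) {
    include $file;
}
```

With this version the request cmd=../../../../etc/passwd%00 fails the regular expression and simply lands on welcome.php. PHP 5.3.4 and later also refuse include() paths that contain a NULL byte, but the allowlist does not rely on that: the traversal half of the payload would still work on a patched interpreter if only the NULL byte were blocked.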

Written by xorl

January 6, 2010 at 21:31

Posted in bugs

2 Responses


  1. Neat trick with the Unicode NULL, however, I can’t seem to get it to work myself:

    include(one%00.php) [function.include]: failed to open stream

    The file “one” exists. Maybe it’s plugged by PHP, haven’t googled it yet.

    Joernsn

    January 7, 2010 at 11:39

  2. Joernsn, the Unicode character is parsed by the HTTP server before being passed to PHP. The PHP code receives a common NULL byte. For more details, read this: http://www.madirish.net/?article=436

    xorl

    January 8, 2010 at 05:06
