Exploiting PHP Upload forms with CVE-2015-2348

4:06 AM

Today I would like to post about the most recent bug I have found in PHP, CVE-2015-2348. This bug is fairly critical, considering the number of developers affected.
I have to admit that checking the file extension and then declaring a file valid can still cause other security issues. However, defending against this particular vulnerability in your own code is pretty unrealistic: a file that passes the Content-Type, extension, MIME type and size checks can still trigger it, so none of those checks will save you.

The issue occurs in the very popular move_uploaded_file() PHP function, which is what handles uploaded files most of the time. This function checks that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it is moved to the filename given by destination.

Example:

move_uploaded_file ( string $filename , string $destination )

The problem is that there is a way to insert null bytes (the character \x00) into the destination name, an issue that has been fixed multiple times before (e.g. CVE-2006-7243). Using null bytes an attacker can convince an upload form that the file is perfectly valid and upload malicious files that lead to RCE.

I am going to take DVWA as an example here. DVWA's highest level is meant to be unbreakable for a number of issues, and the high-level upload box is meant to teach developers the safe way of handling an upload. Let's just exploit that. Here is the code snippet from https://github.com/RandomStorm/DVWA/blob/master/vulnerabilities/upload/source/high.php:


$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";                 // from earlier in the same high.php
$target_path = $target_path . basename($_FILES['uploaded']['name']);       // user-supplied name ends up in the destination

$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);  // everything after the last '.'
$uploaded_size = $_FILES['uploaded']['size'];

if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)) {
    if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        $html .= '<pre>';
        $html .= 'Your image was not uploaded.';
        $html .= '</pre>';
    } else {
        $html .= $target_path . ' succesfully uploaded!';
        ...

This is, yes, vulnerable to a number of exploits (XSCH, XSS and more), but not to RCE, because since PHP 5.3.1 null bytes in paths are deprecated.

The problem with DVWA is that it passes the user-provided name straight to move_uploaded_file().

Expected behaviour from PHP:

move_uploaded_file($_FILES['name']['tmp_name'], "/file.php\x00.jpg")

That call should have created the file "file.php\x00.jpg".

Reality: it creates file.php

This clearly bypasses the extension check. It has been proven many times that the GD library checks (getimagesize(), imagecreatefromjpeg(), ...) can also be defeated; read this for example.

Now, we could have added multiple checks for this, but it is unlikely anyone blacklisted the character \x00, so most upload forms running PHP before 5.4.39, 5.5.x before 5.5.23, or 5.6.x before 5.6.7 are vulnerable to this particular attack.

Conclusion:

If you are on a vulnerable server, you can try generating random file names on the server side instead of accepting the user-provided name and passing it to move_uploaded_file().
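A hardened version of the DVWA handler above, written here as an added example (it is neither DVWA's nor PHP's own code): the server rejects any name containing a NUL byte, takes the extension from a whitelist, and builds the destination from a random name it generated itself, so no user-controlled byte ever reaches move_uploaded_file(). The upload directory, the 100000-byte limit taken from DVWA, and the availability of the openssl extension on PHP 5 are assumptions.

```php
<?php
// Added example (not DVWA's or PHP's own code): a hardened upload handler.
// Assumptions: $uploadDir is a directory that does not execute scripts, and
// only JPEG images are accepted, as in DVWA's high level.

// Returns a server-chosen path for a user-supplied name, or null to reject it.
function safe_upload_destination($userName, $uploadDir)
{
    // A NUL byte is never part of a legitimate name; reject it here rather
    // than relying on move_uploaded_file() to handle it (CVE-2015-2348).
    if (strpos($userName, "\0") !== false) {
        return null;
    }
    // Whitelist the extension, compared case-insensitively on the whole name.
    $ext = strtolower(pathinfo($userName, PATHINFO_EXTENSION));
    if (!in_array($ext, array('jpg', 'jpeg'), true)) {
        return null;
    }
    // Random server-generated name; the extension comes from the whitelist.
    $rand = function_exists('random_bytes')
        ? random_bytes(16)                   // PHP 7+
        : openssl_random_pseudo_bytes(16);   // PHP 5.x (assumes ext/openssl)
    return rtrim($uploadDir, '/') . '/' . bin2hex($rand) . '.' . $ext;
}

// Same flow as DVWA's handler, with the checks above (size limit is DVWA's).
function handle_upload(array $file, $uploadDir, $maxSize = 100000)
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return 'Not an uploaded file.';
    }
    if ($file['size'] >= $maxSize) {
        return 'Your image was not uploaded.';
    }
    $dest = safe_upload_destination($file['name'], $uploadDir);
    if ($dest === null || !move_uploaded_file($file['tmp_name'], $dest)) {
        return 'Your image was not uploaded.';
    }
    return basename($dest) . ' successfully uploaded!';
}

// Constructed sample names: DVWA's substr() check sees "jpg" for the second
// one, while the hardened check rejects it because of the NUL byte.
foreach (array("photo.jpg", "shell.php\x00.jpg", "shell.php") as $name) {
    $dvwaExt = substr($name, strrpos($name, '.') + 1);
    $dest = safe_upload_destination($name, '/var/uploads');
    printf("%-20s DVWA ext: %-4s hardened: %s\n", addcslashes($name, "\0"),
        $dvwaExt, $dest === null ? 'rejected' : 'accepted');
}
```

Because the destination never contains user bytes, the same handler stays safe on the PHP versions that truncate $_FILES['uploaded']['name'] early (see the comments below) as well as on the ones that do not.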


45 comments

  1. Great finding (y)

  2. This comment has been removed by a blog administrator.

    Replies
    1. Why was my comment removed? It really doesn't work on PHP 5.5.14! Do you only want "hats off" and "nice job"? What environment did you test on?

    2. Hey, sorry.

      I didn't mean to remove your comment; sorry, I thought you were trolling. I haven't tried this null byte injection on Mac. I know for a fact this won't work on Windows because Windows can't create filenames with \ in them to begin with. Anyway, I have tested it and it looks like you were right: $_FILES['uploaded']['name'] truncates the null bytes. That isn't meant to happen. My point was about move_uploaded_file(). That is probably another bug, that $_FILES['uploaded']['name'] is also swallowing null bytes, but it could be intentional.

  3. I wonder how you can exploit it on DVWA??? (tested on PHP 5.3.3)
    On the variable $_FILES['uploaded']['name'], the null byte was truncated, so the variable $uploaded_ext will be ".php", unable to pass through the first "if" statement.

    Replies
    1. Refer to the reply before yours!
  6. Hello, I tried it on Metasploitable 2. When uploading a file named shadow.php\x00.jpg the process succeeds, but the file is saved as x00.jpg, not shadow.php.
    What should I do?

    Replies
    1. You didn't do anything wrong. We just recently figured out that some versions of PHP also truncate the file name before the if statement (check the comments). I don't know which exact versions, but apparently Metasploitable must be one of them.

  7. Nice post! It was helpful!

  8. On PHP 5.3.5 it works fine, thanks for sharing.