Exploiting PHP Upload forms with CVE-2015-2348

4:06 AM

Today I would like to post about a recent bug I found in PHP, CVE-2015-2348.
The bug is fairly severe, considering the number of developers affected.
I have to admit that checking the file extension and then declaring a file safe can still cause many
other security issues. However, checking for this exact vulnerability in your code is pretty
unrealistic: a file can pass the Content-Type, extension, MIME type and size checks, and none of
them will save you from this.

The issue occurs in the very popular move_uploaded_file() PHP function, which is what handles
uploaded files most of the time. This function checks that the file designated by
filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload
mechanism). If the file is valid, it is moved to the filename given by destination.

Example:

move_uploaded_file ( string $filename , string $destination )

The problem is that there is a way to insert null bytes, using the character \x00 (this has been
fixed multiple times before, e.g. CVE-2006-7243). Using null bytes, an attacker can convince an
upload form that a file is fairly safe and valid, get it past the extension checks, and upload
malicious files that can lead to RCE.

I am going to take DVWA as an example here. DVWA's highest level is meant to be unbroken
for a number of issues; the high-level upload box is meant to teach developers the safe way of
handling an upload. Let's just exploit that.

Here is the code snippet from https://github.com/RandomStorm/DVWA/blob/master/vulnerabilities/upload/source/high.php:

// $target_path is built from the user-supplied name (these two lines come from the
// same DVWA file, just above the part quoted in the original post)
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path = $target_path . basename($_FILES['uploaded']['name']);

$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];

// Extension allow-list plus size limit: these are the checks the null byte gets past
if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" ||
     $uploaded_ext == "JPEG") && ($uploaded_size < 100000)) {

    // The destination still contains the user-controlled (and possibly truncated) name
    if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        $html .= '<pre>';
        $html .= 'Your image was not uploaded.';
        $html .= '</pre>';
    } else {
        $html .= '<pre>';
        $html .= $target_path . ' succesfully uploaded!';
        $html .= '</pre>';
    }
    // ... (rest of the file omitted in the original post)
}

Yes, this is vulnerable to a number of exploits (like XSCH, XSS and more), but not to RCE,
because since PHP 5.3.1 null bytes are deprecated and are supposed to be rejected.

The problem with DVWA is that it passes the user-provided name to move_uploaded_file().

Expected behaviour for PHP, given the call:

move_uploaded_file($_FILES['name']['tmp_name'],"/file.php\x00.jpg")

That call should have created the file "file.php\x00.jpg".

Reality: it creates file.php

This clearly bypasses the extension check. It has been proven many times that the GD library
checks can also be defeated (getimagesize(), imagecreatefromjpeg(), ...);
read this post by @secgeek for example.

Now, even if you have done multiple checks, it is highly unlikely that you blacklisted
the character \x00, so most upload forms running PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x
before 5.6.7 are vulnerable to this particular attack.
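As an added example (this is not code from the original post, nor DVWA's own code), here is how the same upload handler can be written so that the client never controls any part of the destination path, which is the fix that makes the truncation irrelevant. The function name safe_upload_destination(), the ALLOWED_TYPES table, the size limit and the uploads directory are my assumptions; everything else is standard PHP (is_uploaded_file(), basename(), finfo, random_bytes(), move_uploaded_file()).

```php
<?php
// Added example: hardened replacement for the DVWA upload logic above.
declare(strict_types=1);

// Assumed allow-list: extension => MIME type the file bytes must actually have.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];
const MAX_UPLOAD_BYTES = 100000; // assumed limit, same value DVWA uses

/**
 * Validate one $_FILES entry and return a safe, server-generated destination
 * path, or throw with the reason. $uploadDir should be outside the web root
 * (or have script execution disabled).
 */
function safe_upload_destination(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a PHP-uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    $clientName = (string) $file['name'];
    // Reject control characters outright, NUL (\x00) included. Whether or not
    // this PHP version truncates the name at the NUL, a name containing one is
    // never legitimate, so log it: it is a useful attack indicator.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        error_log('upload rejected: control character in client-supplied filename');
        throw new RuntimeException('invalid filename');
    }

    // Extension allow-list on the real last extension, lower-cased. If PHP had
    // already truncated "file.php\x00.jpg" to "file.php", this rejects it too.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Content check from the bytes on disk, not from the client's $file['type'].
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content type does not match extension');
    }

    // Server-generated name: nothing attacker-supplied reaches the path that
    // move_uploaded_file() writes to, so a truncation bug has nothing to act on.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    return rtrim($uploadDir, '/') . '/' . $newName;
}

// Usage inside the request handler. DVWA keeps $html in the including page;
// it is declared here only so the snippet stands alone.
$html = '';
if (isset($_POST['Upload'])) {
    try {
        // Assumed uploads directory, one level above the document root.
        $dest = safe_upload_destination($_FILES['uploaded'], __DIR__ . '/../uploads');
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $dest)) {
            throw new RuntimeException('move_uploaded_file() failed');
        }
        $html .= '<pre>Upload stored as ' . htmlspecialchars(basename($dest), ENT_QUOTES) . '</pre>';
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage());
        $html .= '<pre>Your image was not uploaded.</pre>';
    }
}
```

Two design points matter more than the individual checks. First, the destination name is generated on the server, so the client filename only ever influences which allow-list entry is consulted, never the path; that is what removes this bug class regardless of PHP version. Second, the control-character rejection is logged rather than silently handled, which gives the operations side a cheap detection signal for exactly the payload discussed in this post.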

Conclusion:

If you are on a vulnerable server, update homie!


50 comments

  1. Great finding (y)

  2. This comment has been removed by a blog administrator.

    Replies
    1. Why was my comment removed? It really doesn't work on PHP 5.5.14! Do you only want "hats off" and "nice job"? What environment did you test on?

    2. Hey, sorry.

      I didn't mean to remove your comment; sorry, I thought you were trolling. I haven't tried this null byte injection on Mac. I know for a fact this won't work on Windows because Windows can't create filenames with \ in them to begin with. Anyway, I have tested it and it looks like you were right: $_FILES['uploaded']['name'] truncates the null bytes. That isn't meant to happen. My point was about move_uploaded_file(). That $_FILES['uploaded']['name'] is also swallowing null bytes is probably another bug, but it could be intentional.

  3. I wonder how you can exploit it on DVWA??? (tested on PHP 5.3.3)
    On the variable $_FILES['uploaded']['name'], the null byte was truncated, so the variable $uploaded_ext will be ".php", unable to pass through the first "if" statement.

    Replies
    1. Refer to the reply before yours!

  4. Hello, I tried it on Metasploitable 2. When uploading a file named shadow.php\x00.jpg the process succeeded, but the file was saved as x00.jpg, not shadow.php.
    What should I do?

    Replies
    1. You didn't do anything wrong. We just recently figured out that some versions of PHP also truncate the file name before the if statement (check the comments). I don't know which exact versions, but apparently Metasploitable must be one of them.

  5. Nice post! It was helpful!

  6. On PHP 5.3.5 it works fine; thanks for sharing.