I know a lot of what I do on this web site is related to RE and assembly and malware and such. It works fine. Today will be different. Today we’re going to rip apart some open source software.
The target today is Phoronix Test Suite. We’re going to find us some vulnerabilities, because I haven’t done that in a while.
Also, you need root to run this test suite, so any time I can get code to run, it's about the same as a root compromise 🙂
Since this is a large pack of code, we’re going to be grouping the code by vulnerabilities found.
There’s A LOT of XSS in this suite. Here’s just a few grabbed from the base index.php of the common directories.
Line 120 of phoronix-test-suite\pts-core\phoromatic\export-public-viewer\index.php
Line 107 of phoronix-test-suite\pts-core\web-interface\index.php
$URI is set earlier on line 39 as
Line 200 of phoronix-test-suite\pts-core\phoromatic\pages\phoromatic_welcome.php
Line 264 of /phoronix-test-suite/pts-core/phoromatic/public_html/phoromatic.php
Since we control the $REQUEST variable (the variable being a global representative of either GET or POST), as long as the file is real, we can include it. How do we exploit this? Throw some code into a request, then set the $REQUEST variable to /var/log/httpd/access.log so that it gets included along with the code we added earlier.
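For the defender's side of both findings above (the reflected $URI echoes and the request-driven include), here is an added example of a constrained page dispatcher. It is not Phoronix Test Suite code; the 'page' parameter, the PAGES table and the file names in it are assumptions made up for the illustration.

```php
<?php
// Added example, not Phoronix Test Suite code. The post describes an
// include() fed by a request variable; the fix is to never hand user
// input to include(), and to encode anything reflected back to the page.

declare(strict_types=1);

// Allowlist: the request value is only a lookup key, never a path.
// File names here are hypothetical.
const PAGES = [
    'welcome' => 'pages/phoromatic_welcome.php',
    'results' => 'pages/phoromatic_results.php',
];

function resolve_page(string $requested, string $base): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                       // unknown key: nothing to include
    }
    $root = realpath($base);
    $path = realpath($base . '/' . PAGES[$requested]);
    // Belt and braces: the resolved file must still live under $base,
    // so a log file or anything outside the web root can never qualify.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page((string) ($_REQUEST['page'] ?? 'welcome'), __DIR__);
if ($page === null) {
    http_response_code(404);
    exit('unknown page');
}
include $page;

// Reflected request data goes through htmlspecialchars, never a raw echo.
echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
```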
How does one dork the internets for this? Easy!
I skipped a ton of others to keep this short and sweet. I also mainly stuck to grep.
I hope you enjoyed my hax. Until next time.