I know a lot of what I do on this web site is related to RE and assembly and malware and such. It works fine. Today will be different. Today we’re going to rip apart some open source software.
The target today is Phoronix Test Suite. We’re going to find us some vulnerabilities, because I haven’t done that in a while.
Also, you need root to run this test suite, so any time I can get code to run, it's about the same as a root compromise 🙂
Since this is a large pack of code, we’re going to be grouping the code by vulnerabilities found.
===XSS===
There’s A LOT of XSS in this suite. Here are just a few grabbed from the base index.php of the common directories.
Line 120 of phoronix-test-suite\pts-core\phoromatic\export-public-viewer\index.php
<div id="config_option_line"> <form action="<?php $_SERVER['REQUEST_URI']; ?>" name="update_result_view" method="post"> Show Results For The Past <select name="view_results_limit" id="view_results_limit">
Line 107 of phoronix-test-suite\pts-core\web-interface\index.php
if($PAGE_REQUEST == $url || $URI == $url)
{
    $new_header .= '<a href="?' . $url . '"><span class="dark_alt">' . $page . '</span></a> ';
}
else
{
    if($custom_header && $page == 'Main')
    {
        $new_header .= '<a href="?' . $url . '"><span class="alt">' . $page . '</span></a> ';
    }
    else
    {
        $new_header .= '<a href="?' . $url . '">' . $page . '</a> ';
    }
}
$URI is set earlier on line 39 as
$URI = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], '?') + 1);
Line 200 of phoronix-test-suite\pts-core\phoromatic\pages\phoromatic_welcome.php
<div style="float: left; width: 25%;"><input type="hidden" name="seed_accountid" value="' . (isset($_GET['seed_accountid']) ? $_GET['seed_accountid'] : null) . '" /><input type="text" name="register_username" /> <sup>1</sup></div>
===Code Exec===
Line 264 of /phoronix-test-suite/pts-core/phoromatic/public_html/phoromatic.php
if(is_file('../communication-resources/' . $REQUEST . '.php'))
{
    require('../communication-resources/' . $REQUEST . '.php');
}
Since we control the $REQUEST variable (a global representing either GET or POST), as long as the file is real, we can include it. How do we exploit this? Throw some code into a request, then set the $REQUEST variable to /var/log/httpd/access.log so that the log gets included along with the code we added earlier.
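For contrast, here is what both patterns above look like once they are closed off. This is an added example, not code from Phoronix Test Suite; the handler directory constant and the names in $ALLOWED_HANDLERS are assumptions standing in for whatever the real communication-resources/ directory contains.

```php
<?php
// Added example (not PTS code): the two patterns from the post, each
// beside a hardened form.

// --- 1. require() built from a request parameter (original pattern) ---
//   require('../communication-resources/' . $REQUEST . '.php');
// Whatever the client sends is spliced straight into the path.

// Hardened form: an explicit allow-list plus a containment check.
const HANDLER_DIR = __DIR__ . '/../communication-resources'; // assumed
$ALLOWED_HANDLERS = array('start', 'upload_result');         // placeholders

function load_handler($request, array $allowed)
{
    // Strict in_array: no type juggling, and only names we listed.
    if (!in_array($request, $allowed, true)) {
        return false;
    }
    // Resolve both sides first; realpath() is false for a missing path,
    // and a false base would otherwise make the prefix test meaningless.
    $base = realpath(HANDLER_DIR);
    $real = realpath(HANDLER_DIR . '/' . $request . '.php');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    require $real;
    return true;
}

// --- 2. request-derived values concatenated into HTML (original pattern) ---
//   $new_header .= '<a href="?' . $url . '">' . $page . '</a> ';

// Hardened form: escape for the HTML context at the point of output.
function header_link($url, $page)
{
    $safe_url  = htmlspecialchars($url,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_page = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?' . $safe_url . '">' . $safe_page . '</a> ';
}

// Constructed sample input: a value carrying markup comes out inert.
$sample_uri = '"><b>x</b>';
echo header_link($sample_uri, 'Main'), "\n";
```

Both fixes are deliberately boring: a fixed allow-list for the include, and escaping at output for the reflected strings, which is the same answer for the seed_accountid case as well.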
How does one dork the internets for this? Easy!
<div id="pts_copyright">Copyright © 2008 - <?php echo date('Y'); ?> by Phoronix Media. All trademarks used are properties of their respective owners. All rights reserved. <strong> <?php echo pts_core::program_title(true); ?></strong></div>
I skipped a ton of others to keep this short and sweet. I also mainly stuck to grep.
I hope you enjoyed my hax. Until next time.