{"id":1203,"date":"2016-02-13T07:03:45","date_gmt":"2016-02-13T07:03:45","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1203"},"modified":"2016-02-13T19:48:26","modified_gmt":"2016-02-13T19:48:26","slug":"and-now-for-something-completely-different","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2016\/02\/and-now-for-something-completely-different\/","title":{"rendered":"And now for something completely different"},"content":{"rendered":"

I know a lot of what I do on this web site is related to RE and assembly and malware and such. It works fine. Today will be different. Today we’re going to rip apart some open source software.<\/p>\n

\"1443653478726\"<\/a><\/p>\n

The target today is Phoronix Test Suite<\/a>. We’re going to find us some vulnerabilities, because I haven’t done that in a while.<\/p>\n

Also you need root to run this test suite, so any time I can get code to run, its about the same as root compromise \ud83d\ude42<\/p>\n

Since this is a large pack of code, we’re going to be grouping the code by vulnerabilities found.<\/p>\n

===XSS===<\/p>\n

There’s A LOT of XSS in this suite. Here’s just a few grabbed from the base index.php of the common directories.<\/p>\n

Line 120 of phoronix-test-suite\\pts-core\\phoromatic\\export-public-viewer\\index.php<\/p>\n

<\/p>\n

\n
<div id="config_option_line"<\/span>>\r\n<form action="<?php $_SERVER['REQUEST_URI']; ?>"<\/span> name="update_result_view"<\/span> method="post"<\/span>>\r\nShow Results For The Past <select name="view_results_limit"<\/span> id="view_results_limit"<\/span>>\r\n<\/pre>\n<\/div>\n
Line 107 of phoronix-test-suite\\pts-core\\web-interface\\index.php<\/p>\n
<\/p>\n
\n
if<\/span>($PAGE_REQUEST == $url || $URI == $url)\r\n {\r\n\t$new_header .= '<a href="?'<\/span> . $url . '"><span class="dark_alt">'<\/span> . $page . '<\/span><\/a> '<\/span>;\r\n}\r\nelse<\/span>\r\n{\r\n\tif<\/span>($custom_header && $page == 'Main'<\/span>)\r\n\t{\r\n\t\t$new_header .= '<a href="?'<\/span> . $url . '"><span class="alt">'<\/span> . $page . '<\/span><\/a> '<\/span>;\r\n\t}\r\n\telse<\/span>\r\n\t{\r\n\t\t$new_header .= '<a href="?'<\/span> . $url . '">'<\/span> . $page . '<\/a> '<\/span>;\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
$URI is set earlier on line 39 as <\/p>\n
<\/p>\n
\n
$URI = substr($_SERVER['REQUEST_URI'<\/span>], strpos($_SERVER['REQUEST_URI'<\/span>], '?'<\/span>) + 1);\r\n<\/pre>\n<\/div>\n
Line 200 of phoronix-test-suite\\pts-core\\phoromatic\\pages\\phoromatic_welcome.php<\/p>\n
<\/p>\n
\n\n\n
\n
1\r\n2\r\n3<\/pre>\n<\/td>\n
\n
<div style="float: left; width: 25%;"<\/span>><input type="hidden"<\/span> name="seed_accountid"<\/span> value="' . <\/span>\r\n(isset($_GET['seed_accountid']) ? $_GET['seed_accountid'] : null) . '"<\/span> \/><input type="text" name="register_username" \/<\/span>> \r\n<sup><\/span>1<\/sup><\/div><\/span>\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n
===Code Exec===<\/p>\n
Line 264 of \/phoronix-test-suite\/pts-core\/phoromatic\/public_html\/phoromatic.php<\/p>\n
<\/p>\n
\n\n\n
\n
1\r\n2\r\n3\r\n4<\/pre>\n<\/td>\n
\n
if<\/span>(is_file('..\/communication-resources\/'<\/span> . $REQUEST . '.php'<\/span>))\r\n{\r\n\trequire('..\/communication-resources\/'<\/span> . $REQUEST . '.php'<\/span>);\r\n}\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n
Since we control the $REQUEST variable (the variable being a global representative of either GET or POST, as long as the file is real, we can include it. How do we exploit this? Throw some code into a request, then set the $request variable to \/var\/log\/httpd\/access.log that way it gets included as well as the code we added earlier. <\/p>\n
How does one dork the internets for this? Easy!<\/p>\n
<\/p>\n
\n\n\n
\n
1\r\n2\r\n3<\/pre>\n<\/td>\n
\n
<div<\/span> id=<\/span>"pts_copyright"<\/span>><\/span>Copyright &#xA9; 2008 - <?php echo date('Y'); ?><\/span> by Phoronix Media. \r\nAll trademarks used are properties of their respective owners. All rights reserved. <strong><\/span>\r\n<?php echo pts_core::program_title(true); ?><\/span><\/strong><\/div><\/span>\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n
I skipped a ton of others to keep this short and sweet. I also mainly stuck to grep.<\/p>\n
I hope you enjoyed my hax. Until next time.<\/p>\n
\n