Massaro Posted November 11, 2015

# Date: 06.11.2015
# Title: Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution
# Exploit Author: Dawid Golunski
# Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries
# Software Link: https://github.com/googleads/googleads-php-lib
# Version: <=6.2.0

=============================================
- Release date: 06.11.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution
(googleads-php-lib)

II. BACKGROUND
-------------------------
- AdWords API
https://developers.google.com/adwords/api/docs/

"The AdWords API is a collection of web services that you can use to build
applications that manage AdWords accounts and their associated campaign data.
While the AdWords API is based on SOAP 1.1, high-level client libraries are
provided to help you develop applications more quickly."

AdWords API client libraries are available for different platforms such as
PHP, .NET, Java etc. These can be found at:
https://developers.google.com/adwords/api/docs/clientlibraries

III. INTRODUCTION
-------------------------
The Google AdWords API client library for PHP contains a WSDLInterpreter
class which is described in a comment within the source code as:

" * The main class for handling WSDL interpretation.
  *
  * The WSDLInterpreter is utilized for the parsing of a WSDL document for rapid
  * and flexible use within the context of PHP 5 scripts."

The class contains a function savePHP() which converts the WSDL document
received from a remote end into a PHP file. The function is vulnerable to
Path Traversal and Code Execution vulnerabilities.

IV. DESCRIPTION
-------------------------
googleads-php-lib contains the following function which is meant to load the
WSDL document (XML data) from a remote Google AdWords server:

---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]---

  protected function loadWsdl($wsdlUri, $proxy = null) {
    // Set proxy.
    if ($proxy) {
      $opts = array(
          'http' => array(
              'proxy' => $proxy,
              'request_fulluri' => true
          )
      );
      $context = stream_context_get_default($opts);
      libxml_set_streams_context($context);
    }

    $this->dom = new DOMDocument();
    $this->dom->load($wsdlUri,
        LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE);

-------------------------------------------------------

For security reasons the Google AdWords API should only be accessed via HTTPS.
However, the above code does not set appropriate SSL settings on the https://
stream context. It fails to assign a Certificate Authority (CA) bundle, turn
the verify_peer option ON, specify allowed ciphers etc.

It uses the stream_context_get_default() function to get the default context,
which on all PHP versions below PHP 5.6.x (see references) does not validate
the server certificate against a CA by default. Because of this, the
application may retrieve data from untrusted sources pretending to be
adwords.google.com.

Further on, the WSDLInterpreter class contains the following savePHP function:

---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]---

  /**
   * Saves the PHP source code that has been loaded to a target directory.
   *
   * Services will be saved by their validated name, and classes will be
   * included with each service file so that they can be utilized independently.

   *
   * @param array $options Options for the SoapClient
   */
  public function __construct($wsdl, $options, $user) {
    $options["classmap"] = self::$classmap;
    parent::__construct($wsdl, $options, $user, self::SERVICE_NAME,
        self::WSDL_NAMESPACE);
  }
}
}
----------------------------------------

If such a class gets included it will execute the malicious code due to the
injected __destruct() method, which creates the /tmp/adwrods_api_hacked file.

At this point the attacker can control the name of the class (through the
service name), the path to the resulting PHP file, and is also able to inject
arbitrary PHP code.

Going further, he could also close the class definition statement and write
arbitrary PHP code in the main file. This would allow the attacker to create a
stand-alone script which he could request remotely via the web server if he
managed to save it within the webroot. In this way the attacker could create a
stand-alone PHP command shell and get access to the system.

VI. BUSINESS IMPACT
-------------------------
The severity of this issue is lowered to medium/high as, despite the
possibility to execute arbitrary code, the attacker must impersonate the
adwords.google.com server to be able to inject malicious XML.
If there is a possibility for such an attack, the severity of the issue
can grow to high/critical.

VII. SYSTEMS AFFECTED
-------------------------
Google AdWords API PHP client library in versions up to 6.2.0 contains the
vulnerable WSDLInterpreter code.

VIII. SOLUTION
-------------------------
Upgrade the Google AdWords API PHP client library to the latest version.

IX. REFERENCES
-------------------------
This advisory:
http://legalhackers.com/advisories/Google-AdWords-PHP-Client-library-PHP-Code-Execution.txt

Related, Google AdWords API client libraries - XML eXternal Entity Injection (XXE) vuln:
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt

https://github.com/googleads/googleads-php-lib
https://github.com/googleads/googleads-php-lib/blob/master/ChangeLog.md
https://developers.google.com/adwords/api/docs/
https://developers.google.com/adwords/api/docs/clientlibraries

PHP 5.6.x openssl certificates in PHP streams:
http://php.net/manual/en/migration56.openssl.php

X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com

XI. REVISION HISTORY
-------------------------
May 18th, 2015: Advisory created and sent to Google Security Team
Nov 5th, 2015: Google, after half a year, confirm the vulnerability has been patched
Nov 6th, 2015: Advisory released publicly

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
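The following is an added example illustrating the two defects described in sections IV and V above; it is not code from the advisory or from googleads-php-lib. It pairs a loadWsdl() replacement that pins certificate and hostname verification on a dedicated https:// stream context with a savePHP() replacement that only writes the generated file under a whitelisted service name inside the intended target directory. The class name HardenedWsdlInterpreter, the $caFile argument, the identifier rule for service names and the constructed sample names at the bottom are all assumptions made for this example.

```php
<?php
// Added example (not googleads-php-lib code): hardened counterparts of the
// loadWsdl()/savePHP() steps the advisory describes. All names are assumptions.

class HardenedWsdlInterpreter
{
    /** @var DOMDocument */
    public $dom;

    /**
     * Fetches the WSDL over a TLS context that verifies the peer, instead of
     * PHP's default stream context (which verifies nothing on PHP < 5.6).
     *
     * @param string      $wsdlUri  must be an https:// URL
     * @param string      $caFile   PEM CA bundle to validate the server chain
     * @param string|null $proxy    optional proxy, e.g. "tcp://proxy:8080"
     */
    public function loadWsdl($wsdlUri, $caFile, $proxy = null)
    {
        // A plaintext fetch cannot be protected by any TLS option: refuse it.
        if (strtolower((string) parse_url($wsdlUri, PHP_URL_SCHEME)) !== 'https') {
            throw new InvalidArgumentException("WSDL must be fetched over https://: $wsdlUri");
        }
        if (!is_readable($caFile)) {
            throw new RuntimeException("CA bundle not readable: $caFile");
        }
        $opts = array(
            'ssl' => array(
                'verify_peer'         => true,   // chain must validate against $caFile
                'verify_peer_name'    => true,   // PHP >= 5.6: CN/SAN must match the host
                'peer_name'           => parse_url($wsdlUri, PHP_URL_HOST),
                'allow_self_signed'   => false,
                'cafile'              => $caFile,
                'ciphers'             => 'HIGH:!aNULL:!MD5:!RC4',
                'disable_compression' => true,
            ),
        );
        if ($proxy) {
            $opts['http'] = array('proxy' => $proxy, 'request_fulluri' => true);
        }
        // Dedicated context for this fetch; the process-wide default stays untouched.
        libxml_set_streams_context(stream_context_create($opts));

        $this->dom = new DOMDocument();
        // LIBXML_NONET only: no LIBXML_NOENT/LIBXML_DTDLOAD, which the related
        // XXE advisory in the references covers.
        if (!$this->dom->load($wsdlUri, LIBXML_NONET)) {
            throw new RuntimeException("Failed to load or verify WSDL from $wsdlUri");
        }
        return $this->dom;
    }

    /**
     * Returns the only path the generated file for $serviceName may be written
     * to, or throws. The service name becomes the class name, so it must be a
     * plain PHP identifier, and the result must stay inside $targetDir.
     */
    public static function safeOutputPath($targetDir, $serviceName)
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $serviceName)) {
            throw new InvalidArgumentException('Rejected service name: ' . var_export($serviceName, true));
        }
        $base = realpath($targetDir);
        if ($base === false || !is_dir($base)) {
            throw new RuntimeException("Target directory does not exist: $targetDir");
        }
        $path = $base . DIRECTORY_SEPARATOR . $serviceName . '.php';
        // Re-resolve and compare so "..", symlinks or absolute components
        // cannot move the file outside $base even if the regex is ever relaxed.
        if (realpath(dirname($path)) !== $base) {
            throw new RuntimeException("Path escapes target directory: $path");
        }
        return $path;
    }

    /** Writes $phpSource for $serviceName under $targetDir and nowhere else. */
    public static function savePHP($targetDir, $serviceName, $phpSource)
    {
        $path = self::safeOutputPath($targetDir, $serviceName);
        if (file_put_contents($path, $phpSource, LOCK_EX) === false) {
            throw new RuntimeException("Could not write $path");
        }
        return $path;
    }
}

// Constructed sample names: the traversal-style one is rejected, the plain one
// resolves to a file directly inside the target directory.
foreach (array('../../var/www/html/shell', 'CampaignService') as $name) {
    try {
        echo HardenedWsdlInterpreter::safeOutputPath(sys_get_temp_dir(), $name), "\n";
    } catch (Exception $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

On PHP older than 5.6 the verify_peer_name and peer_name options are ignored, so the hostname check must be added there with the older CN_match context option; verify_peer and cafile work on both. The output-path check deliberately validates the name before touching the filesystem, so a WSDL-supplied service name never reaches dirname() or file_put_contents() unvalidated.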