[Full-Disclosure] iDEFENSE Security Advisory 06.07.04: PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability

PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation
Vulnerability

iDEFENSE Security Advisory 06.07.04:
www.idefense.com/application/poi/display?id=108&type=vulnerabilities
June 7, 2004

I. BACKGROUND

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
More information is available at http://www.php.net.

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in The PHP
Group's HTML-embedded scripting language PHP allows attackers to bypass
security protections.

The problem specifically exists within the shell command escape routines
escapeshellcmd() and escapeshellarg(). These routines are intended for
escaping shell metacharacters that may be present in user-supplied data
prior to passing them to command execution routines such as system(),
passthru(), popen(), exec() or the backtick operator. While both filter
routines are functional on the Unix platform, they fail to filter all
characters on the Windows platform. The escapeshellcmd() routine fails
to filter the characters '%|>', allowing attackers to access environment
variables, redirect output and execute arbitrary commands. The
escapeshellarg() routine fails to filter the character '%', allowing an
attacker to access environment variables.

III. ANALYSIS

Exploitation allows attackers to compromise an affected system under the
web server's privileges. Systems are not vulnerable by default, as a
publicly accessible script must be present that utilizes one of the
affected routines with user-supplied data.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in PHP
version 4.3.6 running on Microsoft Windows platforms. It is suspected
that previous versions are also vulnerable.

V. WORKAROUND

Pass user-supplied data through custom character filters implemented
with str_replace() or preg_replace(). Example:

$user_supplied = preg_replace("/[>|%]/", "", $user_supplied);

VI. VENDOR RESPONSE

The input validation vulnerability inside escapeshellcmd() and
escapeshellarg() on Win32 platform has been resolved. A new PHP version
(4.3.7) immune to this vulnerability is due to be released on June 3rd,
2004.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

04/05/03 Vulnerability acquired by iDEFENSE
05/07/04 iDEFENSE clients notified
05/07/04 Initial vendor notification
05/17/04 Initial vendor response
06/07/04 Public disclosure

IX. CREDIT

3APA3A is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [email protected] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

---

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html