PHP for Windows all version shell filtering bug

2004-06-08T00:00:00
ID SECURITYVULNS:DOC:6305
Type securityvulns
Reporter Securityvulns
Modified 2004-06-08T00:00:00

Description

Subject: PHP for Windows all version shell filtering bug Product: PHP for Windows all versions (4.3.1, 4.2.3, 3.0.17 tested with Windows 2000 SP3 all fixes + IIS) Vendor: php.net Risk: High (for affected systems) Remote: Yes Author: 3APA3A <3APA3A@security.nnov.ru>

Intro:

PHP is scripting language used by majority of web sites and available for almost any platform.

PHP provides few functions for escapiing shell characters from supplied argument to use in conjunction with system(), popen(), exec(), etc - escapeshellcmd() and escapeshellarg().

Problem:

escapeshellcmd() and escapeshellarg() fail to escape metacharacters for Windows.

Details:

escapeshellarg() quotes argument supplied with single quote (''), both functions prefixes all known shell characters with '\' character.

This approach doesn't work for Windows, because of at least 2 problems:

  1. \ only comments out shell character in double quote ("").

  2. Windows has different set of shell characters. For example, '%' character is not filtered by escape functions but may be used to call environment variable and to insert user supplied input, for example via %QUERY_STRING%.

Impact:

it's possible to use special shell characters, <>%|&. It will allow to read/write file (<>), execute arbitrary programs (|&).

Simple test.php:

<?php

$host1 = "localhost&dir"; $host2 = "localhost&dir . "

$arg = escapeshellcmd("ping $host1"); system($arg); $arg = escapeshellarg($host2); exec("ping $arg"); ?>

Exploitation:

PHP is not exploitable by itself. To exploit vulnerability any PHP script with escapeshellcmd()/escapeshellarg() is required on Windows platform. Examples of vulnerable PHP scripts are ones from PHP escapeshellcmd()/escapeshellarg() manual.