PHPDev5 System-Call Local Denial-of-Service Explained

What this paper is
This paper describes a Proof-of-Concept (PoC) exploit for PHPDev 5, a development environment that bundles Apache, PHP, and MySQL. The exploit targets a vulnerability that allows an attacker to cause a local Denial-of-Service (DoS) by triggering a system call.
Simple technical breakdown
The core of the vulnerability lies in how PHPDev 5 handles user-supplied input when executing system commands. The PoC code uses the system() function in PHP, which is designed to execute external commands. If an attacker can control the argument passed to system(), they can potentially execute arbitrary commands or, in this case, cause a DoS by providing a command that consumes excessive resources or crashes the server process.
The exploit leverages a variable named $Ali7 which is not properly sanitized or validated before being passed to the system() function. By setting this variable to a value that causes a problematic system call, the attacker can disrupt the service.
Complete code and payload walkthrough
The provided code is extremely concise:

<?
system($Ali7);
?>

Let's break this down:
- <? and ?>: These are standard PHP opening and closing tags (the short form of <?php), indicating that the enclosed code is to be interpreted as PHP.
- system($Ali7);: This is the critical line.
- system(): This is a built-in PHP function that executes an external program and displays the output. It takes a string argument representing the command to be executed.
- $Ali7: This is a PHP variable. In this PoC, its value is not defined within the script itself. This implies that the exploit relies on the variable being set externally, most likely through HTTP request parameters (GET or POST data, which PHP's register_globals setting copies straight into variables of the same name) or potentially through environment variables if the PHP configuration allows.
Mapping:
- <? ... ?>: PHP script block.
- system($Ali7);: Executes a system command whose name is stored in the $Ali7 variable.
Payload Explanation:
The "payload" in this context isn't a traditional shellcode. Instead, it's the value that the attacker would provide for the $Ali7 variable. The paper doesn't explicitly state what value for $Ali7 causes the DoS. However, a common technique for DoS via system() is to provide a command that:
- Runs indefinitely: Like ping -t localhost (on Windows, -t makes ping continuous).
- Consumes excessive resources: Such as a loop that creates many processes or fills up disk space.
- Triggers a known bug: A specific command that is known to crash the underlying operating system or the Apache process.
Without further information from the original paper or a more detailed PoC, the exact command that causes the DoS via $Ali7 remains unknown. The exploit's effectiveness depends entirely on what command the attacker can inject into $Ali7.
Practical details for offensive operations teams
- Required Access Level: Local access to the server's file system is required to upload the .php or .php3 file. Network access to the web server is required to trigger the exploit.
- Lab Preconditions:
  - A vulnerable PHPDev 5 installation (likely an older version from around 2005).
  - Apache web server running with PHP enabled.
  - The attacker needs to be able to upload a file to a directory that is served by Apache and can be executed by PHP.
- Tooling Assumptions:
  - A web browser or a tool like curl to send HTTP requests.
  - A way to upload the .php file (e.g., FTP, SCP, or a web-based upload form if available).
- Execution Pitfalls:
  - Variable Injection: The primary challenge is reliably injecting a malicious command into the $Ali7 variable. This would depend on how PHPDev 5 (or the specific Apache/PHP configuration) processes incoming requests and populates PHP variables. If $Ali7 is not exposed via GET/POST parameters or other predictable means, the exploit may fail.
  - PHP Configuration: The system() function might be disabled in php.ini for security reasons, especially in older configurations.
  - Input Sanitization: Modern PHP versions and frameworks have much more robust input sanitization, making this type of direct system() call vulnerability rare.
  - Target Version: This exploit is highly specific to PHPDev 5 and likely older versions of PHP/Apache. Newer versions would have patched this or similar vulnerabilities.
  - DoS vs. RCE: While this paper focuses on DoS, the underlying vulnerability (untrusted input to system()) could potentially lead to Remote Code Execution (RCE) if a more sophisticated payload were crafted and the environment allowed it.
- Tradecraft Considerations:
  - Stealth: Uploading a .php file to a web server can be detected by file integrity monitoring or web server logs. The HTTP requests to trigger the exploit would also be logged.
  - Persistence: This is a transient DoS; it doesn't provide persistence. Once the server is restarted or the process is killed and restarted, the service might recover.
  - Lateral Movement: This exploit is local to the machine running PHPDev 5. It does not inherently provide a path for lateral movement unless the compromised machine is a critical pivot point.
Where this was used and when
- Context: This exploit targets the PHPDev 5 development environment. It was likely used by individuals or groups testing the security of this specific software package.
- When: The paper was published on March 17, 2005. Therefore, the vulnerability and its exploitation would have occurred around this time. This exploit is specific to a particular software version from that era.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user input. All data coming from external sources (web requests, files, network sockets) must be rigorously validated and sanitized before being used in sensitive operations, especially system calls.
- Avoid Direct System Calls with Untrusted Input: Functions like system(), exec(), shell_exec(), passthru(), and popen() should be used with extreme caution. If they must be used, ensure the input is strictly controlled and whitelisted.
- Principle of Least Privilege: Run web servers and applications with the minimum necessary privileges. This limits the impact of a successful exploit.
- Keep Software Updated: PHPDev 5 is an old, likely unsupported, software package. Running outdated software is a significant security risk. Regularly update all components of your web stack (OS, web server, PHP, database, applications).
- Web Application Firewalls (WAFs): WAFs can help detect and block malicious requests that attempt to exploit vulnerabilities like this, by identifying suspicious patterns in input.
- Monitoring and Logging: Implement robust logging for web server access and PHP execution. Monitor these logs for unusual activity, such as unexpected file uploads or requests that might indicate an exploit attempt.
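The PoC's pattern beside a hardened handler, as an added example that is not the paper's code: it keeps the PoC's parameter name Ali7, introduces the assumed parameters action and host, and assumes a POSIX host with GNU coreutils timeout on the PATH.

```php
<?php
// Added example, not from the original paper: the PoC's pattern next to a
// hardened handler. "Ali7" is the PoC's parameter name; "action" and "host"
// are assumed names for the hardened version.

// Vulnerable: the whole command line is attacker-controlled. With
// register_globals on (still common in 2005), PHP set $Ali7 from ?Ali7=... itself.
function vulnerable_handler(array $request): void
{
    $Ali7 = $request['Ali7'] ?? '';
    system($Ali7);   // any string, including one that never returns
}

// Hardened: input only selects from a fixed map and never becomes the
// command itself; every argument is validated, then escaped.
const ALLOWED_ACTIONS = [
    'ping'   => ['ping', '-c', '1'],   // fixed program and flags
    'uptime' => ['uptime'],
];

// Returns the command line or null if rejected; side-effect free, so testable.
function build_command(array $request): ?string
{
    $action = $request['action'] ?? '';
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;
    }
    $argv = ALLOWED_ACTIONS[$action];
    if ($action === 'ping') {
        $host = $request['host'] ?? '';
        // Allowlist the shape of a hostname: no spaces, quotes, ; | & or newlines.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $host)) {
            return null;
        }
        $argv[] = $host;
    }
    // escapeshellarg every token, then cap wall-clock time (GNU coreutils
    // timeout, assumed present) so a stuck child cannot pin the worker.
    return 'timeout 5 ' . implode(' ', array_map('escapeshellarg', $argv));
}

function hardened_handler(array $request): array
{
    $cmd = build_command($request);
    if ($cmd === null) {
        return ['ok' => false, 'error' => 'request rejected'];
    }
    exec($cmd . ' 2>&1', $output, $status);
    return ['ok' => $status === 0, 'output' => $output];
}
```

build_command() is where the policy lives: a host such as localhost;x is rejected before anything is spawned, and a request for an action outside the map never reaches the shell at all.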
ASCII visual (if applicable)
This exploit is a simple script execution, so a complex architecture diagram isn't strictly necessary. However, we can visualize the flow of data:
+-----------------+       +-----------------+       +-----------------+
|   Attacker's    | ----> |   Web Server    | ----> | PHP Interpreter |
|    Machine      |       | (Apache + PHP)  |       |   (PHPDev 5)    |
+-----------------+       +-------+---------+       +--------+--------+
                                  |                          |
                                  | (HTTP Request)           | (system($Ali7))
                                  |                          |
                                  v                          v
                          +-----------------+       +-----------------+
                          |   Malicious     | ----> |   OS / Kernel   |
                          | Command String  |       |  (System Call)  |
                          |   (in $Ali7)    |       +-----------------+
                          +-----------------+

Explanation:
- The attacker sends an HTTP request to the web server.
- This request contains data that, when processed by PHP, sets the $Ali7 variable.
- The PHP interpreter executes system($Ali7), passing the attacker-controlled string as a command.
- The operating system kernel attempts to execute this command, potentially leading to a DoS.
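A defender's view of the request flow above, as an added example that is not from the paper: it scans Apache combined-format access-log lines (constructed and embedded below) for requests that could populate a variable consumed by system(), flagging the PoC's parameter name, shell metacharacters, and command words in query values.

```php
<?php
// Added example, not from the original paper: scan Apache combined-format
// access-log lines for requests that could feed a system() call. The log
// lines below are constructed for this example.

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [17/Mar/2005:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.9 - - [17/Mar/2005:10:01:07 +0000] "GET /poc.php?Ali7=ping+-t+localhost HTTP/1.1" 200 0 "-" "curl"
10.0.0.9 - - [17/Mar/2005:10:01:09 +0000] "GET /poc.php3?Ali7=dir%20%7C%20find HTTP/1.1" 200 0 "-" "curl"
10.0.0.7 - - [17/Mar/2005:10:02:00 +0000] "GET /search.php?q=hello+world HTTP/1.1" 200 900 "-" "Mozilla"
LOG;

// Characters that end one command or chain another in a shell.
const SHELL_META = '/[;&|`$<>\\\\]|[\r\n]/';
// Program names a web parameter has no business carrying (tune per site).
const COMMAND_WORDS = '/\b(ping|cmd|sh|bash|nc|del|format)\b/i';

function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Fields: client IP, timestamp, method, request target.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;   // not a combined-format line; skip
        }
        [, $ip, $ts, $method, $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;   // no query string, nothing to inspect
        }
        parse_str($query, $params);   // decodes %XX and + exactly as PHP would
        foreach ($params as $name => $value) {
            $value = is_array($value) ? implode(' ', $value) : (string) $value;
            $reasons = [];
            if (strcasecmp((string) $name, 'Ali7') === 0) $reasons[] = 'PoC parameter name';
            if (preg_match(SHELL_META, $value))           $reasons[] = 'shell metacharacter';
            if (preg_match(COMMAND_WORDS, $value))        $reasons[] = 'command word';
            if ($reasons) {
                $hits[] = ['ip' => $ip, 'ts' => $ts, 'method' => $method,
                           'target' => $target, 'param' => $name, 'reasons' => $reasons];
            }
        }
    }
    return $hits;
}

foreach (scan_access_log(SAMPLE_LOG) as $h) {
    printf("%s %s %s param=%s reasons=%s\n",
           $h['ts'], $h['ip'], $h['target'], $h['param'], implode(',', $h['reasons']));
}
```

On the constructed lines, the two /poc.php requests are flagged (parameter name plus a command word and a shell metacharacter respectively) while the ordinary /index.php and /search.php requests are not; the same pass can be pointed at a real access log, with COMMAND_WORDS narrowed to what the site never expects in a parameter.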
Source references
- Paper ID: 888
- Paper Title: phpDEV5 - System-Call Local Denial-of-Service
- Author: Ali7
- Published: 2005-03-17
- Keywords: Windows,dos
- Paper URL: https://www.exploit-db.com/papers/888
- Raw URL: https://www.exploit-db.com/raw/888
Original Exploit-DB Content (Verbatim)
------------------------------------------------------------------------
# PHPDev5 <== Apache Server Local Denial-of-Service PoC
# By : Ali7
# e-mail : ali7@hotmail.co.uk
# date : 16-03-2k5
# greetz : our group :P
>Target : PHPDev 5
>URL : www.firepages.com.au - http://sourceforge.net/projects/phpdev5/
>Type : PHP/Apache/MySQL Server..
..
>>PoC Sample :
Save this code as .php or .php3 file..
//start
<?
system($Ali7);
?>
//end
# milw0rm.com [2005-03-17]