[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: phpmyadmin / CVE-2016-5739.patch

Hi Brian

I do not think the plain output or XSS is the biggest problem. A bigger problem is remote execution of arbitrary php code.

I think there are few ways to make this a big problem.
Make the transformation point to ../../../somepath/somefile
 and then let that file actually contain <?php somenastycode();
Then you have remote execution on the host that have this phpmyadmin installed.

The only problem is that the attacker need to have access to the host to place a file somewhere. So this essentially just give an attacker permission of the webserver instead of the user. It can be seen as some kind of escalation though.
But maybe this is possible with some upload services that place things on /tmp for some time.

Another way is to make somepath/somefile point to something already installed on the system. This depends havily on what is already installed on the system.

Maybe it is possible to trigger some futher problem if somepath/somefile point to a binary that contain too much data. No clue is that can be an issue.

I find it a little tricky to exploit this but I see some possibilities.

My conclusion however is about the same as you. I do not think many are using the transformations so I think we can safely remove that.
Another option is to make a check for .. in the filename, because I think we can safely assume an attacher do not have write permission in the plugins directory, or can that be a problem too?

Best regards

// Ola

On Tue, 18 Dec 2018 at 07:41, Brian May <brian@linuxpenguins.xyz> wrote:
Ok, so as far as I can tell, looking at the version in wheezy, the
problem is that we load source files like so (there are two occurances
in the code that I can see, both very similar):

include_once $include_file;

Where include_file comes from:

$file = $mime_map[$meta->name]['transformation'];
$include_file = 'libraries/plugins/transformations/' . $file;

The problem being $mime_map is loaded from the database, and considered
untrusted, I think this is the source here:

PMA_getMIME($this->__get('db'), $this->__get('table'))

I don't fully understand this function yet, but I think it is safe to
say it generates filenames based on untrusted data from the database.

I am not sure what an attacker can do with include_once, but my guess is
that if you try to load a file that doesn't have a "<?php" marker, it
will add the entire contents to the HTML being output to HTTP -
e.g. send it to the attacker.

However an attacker would need to be able to login and have write access
to a database first before carrying out an attack.

The upstream solution seems to be to completely remove the
"include_once" statement and rely on the "autoloader" to load things. As
far as I can tell, this creates a "autoload.php" file at install time
which automatically lists all dependancies to be loaded without relying
on untrusted inputs.

Unfortunately, I don't think the wheezy version of phpmyadmin has this
autoloader support... So if we blindly manually applied the same patch,
I suspect we would end up disabling support transformations.

There is a reference to autoload.php in CVE-2016-2039.patch, but that is
documentation only.

Here is the upstream documentation on transformations:

I am wondering how important it is that we continue to support
transformations? I suspect not many users of phpmyadmin 4.2.12 would
actually use or want them... If so the easiest fix may be to remove
these lines.
Brian May <brian@linuxpenguins.xyz>

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: