New Advisory: 0wning with Gimp

It’s advisory time again:

This one’s nice because you can do your exploit development in Gimp. The idea is to plant your exploit code (in this case, PHP code) in a file with a valid GIF header and the file extension .php. Papoo CMS only sees the valid GIF header and lets the user upload the file, as it is deemed harmless. The web server, on the other hand, will parse the file as PHP code because of the file extension, which gives instant remote code execution. The PoC in the advisory only creates a file with a minimal GIF header, but if you need a valid GIF, just add the PHP code to the GIF comment section. You’ll be limited to 240 characters though.

Adding PHP code to a GIF comment in Gimp

The idea of embedding code in GIFs is not new but still works surprisingly well. So remember: always make sure that you look at both the header and the file extension when dealing with untrusted files (at least if your web server decides by file extension how to parse files).

BTW, another neat exploit along the lines of the above is the GIFAR attack which was presented at last year’s BlackHat.

[Update]
HD Moore adds in reply to windexh8er’s tweet the fun fact that Apache treats files like file.php.gif as PHP code and not as a GIF. Very true.
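A defender-side check for the two points above (inspect the magic bytes and every extension segment of the name, and look inside GIF comment blocks for PHP open tags), written here as an added Python example that is not part of the advisory or of Papoo; the sample GIF is constructed for the example and the list of PHP-handled extensions is an assumption about the server's handler configuration:

```python
import re
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}  # assumed handler config
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

SAMPLE_GIF = (  # constructed 1x1 GIF89a with a PHP open tag in its comment block
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"        # header, 1x1 screen, GCT flag set
    b"\x00\x00\x00\xff\xff\xff"                  # 2-entry global colour table
    b"\x21\xfe\x0d<?php eval();\x00"             # comment extension, 13-byte sub-block
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, 1x1, no local table
    b"\x02\x02\x44\x01\x00\x3b"                  # LZW min code size, data, trailer
)

def _subblocks(data, pos):  # concatenate sub-blocks at pos -> (payload, pos after 0)
    out = b""
    while data[pos] != 0:                        # IndexError on a truncated file
        out += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return out, pos + 1

def gif_comments(data):  # walk the block structure, return comment-extension payloads
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    pos, comments = 13, []
    if data[10] & 0x80:                          # global colour table present
        pos += 3 * 2 ** ((data[10] & 7) + 1)
    while data[pos] != 0x3B:                     # until the trailer byte
        block, pos = data[pos], pos + 1
        if block == 0x21:                        # extension: label + sub-blocks
            label, pos = data[pos], pos + 1
            payload, pos = _subblocks(data, pos)
            if label == 0xFE:
                comments.append(payload)
        elif block == 0x2C:                      # image descriptor (9 bytes)
            packed = data[pos + 8]; pos += 9
            if packed & 0x80:                    # local colour table
                pos += 3 * 2 ** ((packed & 7) + 1)
            _, pos = _subblocks(data, pos + 1)   # skip LZW min code size, then data
        else:
            raise ValueError("unknown block 0x%02x" % block)
    return comments

def is_suspicious_upload(filename, data):
    # Reject on a PHP-handled extension segment (x.php.gif or x.gif.php), a PHP tag in a comment, or an unparseable GIF.
    if any(seg in PHP_EXTS for seg in filename.lower().split(".")[1:]):
        return True
    try:
        return any(PHP_TAG.search(c) is not None for c in gif_comments(data))
    except (ValueError, IndexError):
        return True
```

Checking every dot-separated segment rather than only the last one sidesteps the question of which extension Apache acts on; a name with a PHP extension anywhere is rejected.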

[2nd Update]
As you can see, HD also added his remark to this blog’s comments, which unfortunately got caught in the spam filter so I didn’t see it when posting the first update. I guess I’ll have to whitelist you HD ;).

{ 2 } Comments

  1. HD | 2009-Aug-10 at 16:29

    Keep in mind Apache will process the first extension in the file, not the last, so just checking for ending “.gif” doesn’t work if the file is called “exploit.php.gif” — the PHP extension is detected and the file is processed as PHP instead of GIF.

  2. bob | 2009-Aug-14 at 17:19

    HD, you have it backwards.
    a.php.gif will not process as php.
    a.gif.php will.

{ 1 } Trackback

  1. [...] I happened to post this one earlier in the day and it got quite a bit more attention than I had expected. The RedTeam blog has some Gimp pwnage fun that shows you how to embed some sneaky PHP in a GIF. That and @hdmoore pointed out to me some extra fun to go along with the ’sploit. Double whammy! [0wning with Gimp] [...]