Document Title: =============== Ferrari - PHP CGI Argument Injection (RCE) Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1562 Video: http://www.vulnerability-lab.com/get_content.php?id=1561 Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/08/07/ferraricom-simulationcenter-remote-code-execution-php-cgi-argument-injection Release Date: ============= 2015-08-07 Vulnerability Laboratory ID (VL-ID): ==================================== 1562 Common Vulnerability Scoring System: ==================================== 9.2 Product & Service Introduction: =============================== Users can choose from one in five different circuits (Monza, Imola, Mugello, Silverstone and Nürburgring), while HD screens literally wrap 180 degrees around them, delivering ultra-realistic graphics to boot. The experience perfectly illustrates the concept of the new Ferrari Store, which was opened just two months ago and was conceived not merely as a shopping destination but also as an entertainment venue. With four F1 simulators, interactive video walls and numerous multisensory positions, the new 750 square meter space treats visitors to a completely immersive experience of the Ferrari legend. (Copy of the Vendor Homepage http://auto.ferrari.com/en_EN/news-events/ ) Abstract Advisory Information: ============================== An indepndent vulnerability laboratory researcher discovered a remote code execution vulnerability in the official ferrari online service web-application. Vulnerability Disclosure Timeline: ================================== 2015-08-07: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ferrari Product: Simulator - Online Service (Web-Application) 2015 Q3 Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: ``if there is NO unescaped `=` in the query string, the string is split on `+` (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the ``encoded in a system-defined manner`` from the RFC) and then passes them to the CGI binary.`` This module can also be used to exploit the plesk 0day disclosed by kingcope and exploited in the wild on June 2013. (Source: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection) Proof of Concept (PoC): ======================= The remote code execution vulnerability can be exploited by remote attackers without privilege application user account or user interaction. For security demonstration or to reproduce follow the provided information and steps below to continue. How I found the vulnerability: As part of any penetration test, fingerprinting is one of the first steps. After sending a request to their servers, I noticed they used PHP/5.3.12 which is known to be vulnerable to a Command execution vulnerability. The Response: HTTP/1.1 302 Found Date: Wed, 16 Jun 2015 09:16:13 GMT Server: Apache Location: /book/ X-Powered-By: PHP/5.3.12 Vary: Accept-Encoding Content-Length: 0 Connection: close Content-Type: text/html I started testing for this vulnerability manually and noticed code execution could be performed. When makeing a POST request to: http://simulationcenter.ferrari.com/cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+ open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n I noticed an error. http://i.imgur.com/lFPgpyn.png When sending some PHP script along with the POST request I noticed the script was executed. I sent this script: and the right hash was returned. I then did some automated testing with a metasploit script and this also gave positive results. The exploit script can be found here: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection The POC with both manual and automated exploitation can be found here: hhttps://www.youtube.com/watch?v=vv7SMWC08eI Solution - Fix & Patch: ======================= 2015-08-05 (fixed by ferrari) Security Risk: ============== The security risk of code execution web vulnerability in the ferrari simulator online service is estimated as critical. (CVSS 9.2) Credits & Authors: ================== Kieran Claessens (www.kieranclaessens.be) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ # Iranian Exploit DataBase = http://IeDb.Ir [2015-08-09]