PHPMemcachedAdmin Remote Code Execution - CVE-2014-8731 PoC
In 2014, a remote code execution vulnerability (CVE-2014-8731) was discovered in PHPMemcachedAdmin, a popular PHP web front end for memcached.
I stumbled upon this vulnerability and wrote an exploit for it. Read this for a deep dive.
Remote Code Execution (RCE)
Remote code execution (RCE) is a type of attack that allows attackers to execute arbitrary code on a target system. This can be achieved by exploiting a vulnerability in a web application or other software running on the system. RCE attacks can have serious consequences, such as allowing the attacker to gain unauthorized access to sensitive information, modify or delete data, or even take control of the entire system.
One common method of achieving RCE is through the use of PHP code injection. PHP is a widely used server-side scripting language that is often used in web development. By injecting PHP code into a web application, an attacker can execute arbitrary code on the target system. This is typically done by submitting malicious input to the web application, which is then executed by the PHP interpreter on the server.
Bug
The vulnerability exists due to the way the application handles user input, specifically the cluster parameter passed in a GET request and the live_stats_id cookie. By carefully setting these values, an attacker can create a file in the web directory of the server and use this file to execute arbitrary code on the server.
An extract of the vulnerable code (the full file is linked under References):
# Hashing cluster
$hash = md5($_REQUEST['cluster']);
# Cookie
if (! isset($_COOKIE['live_stats_id' . $hash])) {
// ...
} else {
# Backup from a previous request
$live_stats_id = $_COOKIE['live_stats_id' . $hash];
}
# Live stats dump file
$file_path = rtrim($_ini->get('file_path'), '/') . DIRECTORY_SEPARATOR . 'live_stats.' . $live_stats_id;
In this code, the $hash variable is set to the MD5 hash of the cluster parameter passed in the GET request. The cookie name is then built by appending this $hash value to live_stats_id, and the value of that cookie is read into the $live_stats_id variable. This allows an attacker to control the cookie value: the cluster parameter in the GET request selects which cookie is read, and the cookie itself is supplied by the client.
Next, the $file_path variable is set to the configured file_path directory followed by the string "live_stats." and the $live_stats_id value, which is used without any validation. This allows an attacker to control the file path that is created on the server. By setting the $live_stats_id and cluster values in a carefully crafted manner, an attacker can create a file in the web directory of the server.
This vulnerability can be a serious security issue for servers that are running the vulnerable application. Administrators of affected servers should take steps to protect their systems from this vulnerability.
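One way to harden this code path is to stop trusting the cookie value before it reaches a file name. The following is an added example written for this page, not phpMemcachedAdmin's own code or its upstream fix; the function names, the allow-list based on the 13-character hex format that uniqid() returns, and the temp-directory self-check are assumptions.

```php
<?php
// Added example (not phpMemcachedAdmin's own code): a hardened replacement for the
// file-path construction shown above. Assumptions: the stats directory is fixed by the
// administrator, and a valid live stats id is the output of uniqid(), i.e. 13 lowercase
// hex characters.

declare(strict_types=1);

/**
 * Validate a client-supplied live stats id.
 * uniqid() without extra entropy returns exactly 13 hex characters, so anything
 * else (a path separator, "..", PHP tags, an empty string) is rejected outright.
 */
function is_valid_live_stats_id(string $id): bool
{
    return preg_match('/^[0-9a-f]{13}$/', $id) === 1;
}

/**
 * Build the dump file path the same way the original does, but only from a
 * validated id, and confirm the result stays inside the configured directory.
 * Returns null when the input is rejected so the caller can fall back to a fresh id.
 */
function live_stats_path(string $base_dir, string $id): ?string
{
    if (!is_valid_live_stats_id($id)) {
        return null;
    }
    $dir = realpath($base_dir);
    if ($dir === false) {
        return null; // configured directory does not exist
    }
    $path = $dir . DIRECTORY_SEPARATOR . 'live_stats.' . $id;
    // Defence in depth: even with the allow-list above, assert the final path has
    // the expected directory as its parent.
    if (dirname($path) !== $dir) {
        return null;
    }
    return $path;
}

/**
 * Hardened equivalent of the vulnerable block: the cluster name only selects which
 * cookie to read; the cookie value is validated before it ever becomes part of a file name.
 */
function resolve_live_stats_file(string $base_dir, string $cluster, array $cookies): ?string
{
    $hash   = md5($cluster);
    $cookie = 'live_stats_id' . $hash;

    $id   = isset($cookies[$cookie]) && is_string($cookies[$cookie]) ? $cookies[$cookie] : '';
    $path = live_stats_path($base_dir, $id);

    if ($path === null) {
        // Missing or tampered cookie: issue a fresh id instead of trusting the client.
        $id = uniqid();
        setcookie($cookie, $id, time() + 3600, '', '', true, true); // Secure, HttpOnly
        $path = live_stats_path($base_dir, $id);
    }
    return $path;
}

// Constructed CLI self-check (hypothetical inputs, not part of the original page).
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir();
    var_dump(is_valid_live_stats_id('5f3a1b2c4d5e6'));
    var_dump(is_valid_live_stats_id('../../htdocs/x.php'));
    var_dump(live_stats_path($tmp, '../../htdocs/x.php'));
    var_dump(live_stats_path($tmp, '5f3a1b2c4d5e6') !== null);
}
```

The allow-list is the real control: a file name built only from 13 hex characters cannot traverse out of the directory or carry a .php extension, so the dropped file can no longer be reached as a script. The dirname() comparison is a second check that costs nothing and catches mistakes in how $base_dir is configured. Independently of the code change, keeping the configured file_path outside the web server's document root means that even a successfully written dump file is never served or executed.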
Exploit
The proof of concept (PoC) script works in three steps. First, it configures a fake cluster with a cluster name that holds malicious PHP code.
In the second step, the script uses the exact same cluster name to request statistics from the web application. This causes the server to drop a file containing the malicious PHP code.
In the last step, the script calls the dropped PHP shell using the given command as a parameter. The script then displays the response, which is the output of the PHP code executed on the server, wrapped in some PHP serialize() text. This allows the attacker to gain access to the target system and execute arbitrary code.
References
- Proof of concept (PoC) script on GitHub
- Vulnerable code on GitHub
- CVE-2014-8731 on nvd.nist.gov
- A comment in a hacker forum that explains the bug