A few days ago there was a post by 3APA3A about an exploit in phpBB using poison null byte injection. For those of you who weren’t actively hacking in the 1990’s, Rain Forest Puppy came up with this technique in an article explaining common CGI exploitation techniques. RFP’s technique involved injecting a null byte at the end of a string that was used for a comparison. The comparison fails (“root” == “root\0” is false), so an operation is performed based on the input; and since the null byte is ignored in other, non-comparison operations (it simply terminates the string when opening files, for instance), the operation runs as if the null byte weren’t there, with higher privileges.
What 3APA3A disclosed on behalf of ShAnKaR is that PHP is also vulnerable to these same exploits. For some reason this strikes me as odd. One of the major lessons learned during the late 90’s Perl CGI script heyday was that null byte injection must be detected and prevented by stripping erroneous null bytes out of user input. It would have seemed safer to embed this sort of check in more functions without requiring users to know anything about this form of exploitation.
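To make the mismatch above concrete, here is an added example (not code from the original post, from phpBB, or from PHP). It models the security check running on binary-safe, length-aware strings, the way PHP and Perl compare them, while the operation that follows goes through a C-string API that stops at the first NUL byte. The second function shows the fix the post refers to: reject input carrying an embedded null byte before it reaches any C-string function. All names, paths and inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Names, paths and inputs are
 * hypothetical. A shared output buffer keeps the functions easy to call. */
static char path_buf[128];

/* Length-aware equality, like PHP's == on strings or Perl's eq:
 * "root" (4 bytes) and "root\0" (5 bytes) are NOT equal here. */
static int bytes_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Vulnerable version: refuses the name "root", then builds a filesystem
 * path with %s, which copies only up to the first NUL. "root\0" passes the
 * check but collapses to "root" in the path. Returns NULL when denied,
 * otherwise the path the application would go on to open. */
const char *resolve_vulnerable(const char *name, size_t len)
{
    if (bytes_equal(name, len, "root", 4))
        return NULL;                                   /* denied */
    snprintf(path_buf, sizeof path_buf, "/home/%s/profile", name);
    return path_buf;
}

/* Hardened version: reject any input that contains a NUL byte before it is
 * handed to a C-string API, then apply the same comparison. %.*s also
 * bounds the copy by the declared length instead of trusting a terminator. */
const char *resolve_hardened(const char *name, size_t len)
{
    if (memchr(name, '\0', len) != NULL)
        return NULL;                                   /* embedded NUL: reject */
    if (bytes_equal(name, len, "root", 4))
        return NULL;                                   /* denied */
    snprintf(path_buf, sizeof path_buf, "/home/%.*s/profile", (int)len, name);
    return path_buf;
}

int main(void)
{
    /* Constructed input; sizeof - 1 keeps the embedded NUL inside the length. */
    const char injected[] = "root\0";
    const char *p;

    p = resolve_vulnerable(injected, sizeof injected - 1);
    printf("vulnerable: %s\n", p ? p : "denied");     /* /home/root/profile */
    p = resolve_hardened(injected, sizeof injected - 1);
    printf("hardened:   %s\n", p ? p : "denied");     /* denied */
    return 0;
}
```

The point to take away is that the check and the operation disagree about where the string ends; either make both length-aware or, as the 90’s lesson says, drop or reject the null byte at the input boundary so no later function can disagree.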
If you didn’t do much security auditing or penetration testing in the 90’s this might seem fairly obscure, but I’ve found the problem in dozens of applications. I think PHP’s major benefit is that it made database integration much easier than Perl did (which required the correct DBI libraries), which makes null byte injection somewhat less useful, but it’s certainly not gone, as this advisory explains. I guess the major issue with black box penetration testing is that it is fairly difficult to find what you are attempting to exploit in the first place without significant recon, and even then you may not find what you are looking for. In the case of PHP most applications are open source these days, so it is fairly trivial to find exploitable code just by downloading the most current revision.
I’ll be curious to see whether this starts a rash of new forms of PHP exploitation. If I had more time for auditing, I’m sure I could find a few places that used this type of string comparison to perform security operations. Good stuff coming from Russia!