Snoopy Remote Code Execution Vulnerability

SEC-CONSULT Security Advisory 20051025-0

======================================================================

title: Snoopy Remote Code Execution Vulnerability

program: Snoopy PHP Webclient

vulnerable version: 1.2 and earlier

homepage: snoopy.sourceforge.net

found: 2005-10-10

by: D. Fabian / SEC-CONSULT / www.sec-consult.com

======================================================================

 

vendor description:

---------------

 

Snoopy is a PHP class that simulates a web browser. It automates the

task of retrieving web page content and posting forms, for example.

 

Snoopy is used by various RSS parser, which are in turn used in a

whole bunch of applications like weblogs, content management systems,

and many more.

 

 

vulnerabilty overview:

---------------

 

Whenever an SSL protected webpage is requested with one of the many

Snoopy API calls, it calls the function _httpsrequest which takes

the URL as argument. This function in turn calls the PHP-function

exec with unchecked user-input. Using a specially crafted URL, an

attacker can supply arbitrary commands that are executed on the web

server with priviledges of the web user.

 

While the vulnerability can not be exploited using the Snoopy class

file itself, there may exist implementations which hand unchecked

URLs from users to snoopy.

 

 

proof of concept:

---------------

 

Consider the following code on a webserver:

--- code ---
<?
include "Snoopy.class.php";
$snoopy = new Snoopy;

$snoopy->fetch($_GET['url']);
echo "<PRE>\n";
print $snoopy->results;
echo "</PRE>\n";
?>
--- /code ---

 

Requesting this code with a manipulated URL results in execution

of arbitrary code (in this case "echo 'hello' > test.txt"). Please

consider the following url one line:

http:// server/fetch.php?url=https://www.%22;+echo+'hello'+%3E+test.txt

 

 

vulnerable versions:

---------------

 

It seems that version 1.2 as well as some prior versions are vulnerable

to the attack described above.

 

recommended fix:

---------------

 

Update to Snoopy version 1.2.1.

 

 

vendor status:

---------------

vendor notified: 2005-10-24

vendor response: 2005-10-24

patch available: 2005-10-24

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Blindengasse 3

A-1080 Wien

Austria

 

Tel.: +43 / 1 / 409 0307 - 570

Fax.: +43 / 1 / 409 0307 - 590

Mail: office at sec-consult dot com

www.sec-consult.com

 

EOF Daniel Fabian / @2005

d.fabian at sec-consult dot com