Mailing List Archive



Re: [tlug] Clamav reports a virus: Exploit.Gif.PHPembedded



2008/6/5 Hung Nguyen Vu <vuhung16plus+shape@example.com>:
> If "he" wants to execute "php freebsd.jpg" he needs a shell first.
> In the first place, "he" has nothing more than uploading files (jpeg files)
> to my web server. So I assume that he didn't harm my server.

Correct. Putting it in the jpeg gets the hostile code onto your
server, but the attacker still has to do something so that the PHP
program executes it.

> This is freebsd.jpg when loaded with a browser ( Apache 2.0.x, PHP 5.2 ):
> http://aoclife.ddo.jp/tmp/freebsd.jpg
> The FreeBSD daemon is there, and I don't see any binary junk.
>
> Can you give me a POC?

Change the name of your jpeg file from freebsd.jpg to freebsd.php, then go to:
http://aoclife.ddo.jp/tmp/freebsd.php.

Of course, if the web application used to upload the jpeg is checking
for what it should be (a .php extension) an attacker wouldn't usually
be able to upload the file with the extension .php in the first place.
As previously, they'd need to find another vulnerability somewhere to
persuade the PHP program on the server to run the file.

Edmund
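A defender-side counterpart to Edmund's point, as an added example (not code from the thread or from any project discussed in it): a PHP upload check that enforces an image extension allow-list, rejects double extensions, verifies the bytes really are the claimed image type, and refuses files carrying PHP open tags, which is what the ClamAV signature flagged. The `ALLOWED_EXT` table, the function names and the upload directory are assumptions; it also assumes the upload directory is configured so Apache never hands its files to the PHP engine.

```php
<?php
// Added example: keep an image-embedded PHP payload from ever being executed.
// Assumption: $uploadDir is served with PHP disabled (e.g. "php_flag engine off").
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif'];

/** Returns null when the upload is acceptable, otherwise the rejection reason. */
function validate_image_upload(string $tmpPath, string $clientName): ?string
{
    // 1. Extension: allow-list only, and exactly one dot, so "x.php.jpg"
    //    cannot be matched as PHP by Apache's multi-extension handling.
    $base = basename($clientName);
    if (substr_count($base, '.') !== 1) {
        return 'filename must have exactly one extension';
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return "extension .$ext is not allowed";
    }
    // 2. Content: the bytes must decode as an image of the claimed type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== ALLOWED_EXT[$ext]) {
        return 'content is not a ' . ALLOWED_EXT[$ext] . ' image';
    }
    // 3. Payload: refuse any PHP open tag hidden in comment segments or
    //    trailing data, the same thing the ClamAV signature looks for.
    $data = file_get_contents($tmpPath);
    if ($data === false || preg_match('/<\?(php\b|=)/i', $data)) {
        return 'embedded PHP open tag found in image data';
    }
    return null;
}

/** Stores one entry of $_FILES and returns the final path; throws on rejection. */
function store_upload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $reason = validate_image_upload($file['tmp_name'], $file['name']);
    if ($reason !== null) {
        throw new RuntimeException("rejected: $reason");
    }
    // 4. Never reuse the client's name: random name, vetted extension only.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
```

Step 3 trades a small false-positive risk for certainty; if that is unacceptable, re-encode the image server side instead, which drops comment segments and trailing data entirely.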

