During a recent intrusion test, we discovered that NeDi was used in our target infrastructure. Since this application’s source code is freely available on the developer’s website (www.nedi.ch) I thought I’d have a look and see whether it would be possible to take control of a server through it.
It didn’t take too long to discover a call to PHP’s eval function in file inc/graph.php:
[code language=”php”]
function drawFunction($function, $dx = 0.1) {
$xold = $x = $this->x0;
eval(“$yold=”.$function.”;”);
for ($x += $dx; $x <= $this->x1; $x += $dx) {
eval(“$y = “.$function.”;”);
imageLine($this->img, $this->posX0+$xold*$this->scale,
$this->posY0-$yold*$this->scale,
$this->posX0+$x*$this->scale,
$this->posY0-$y*$this->scale, $this->grn);
$xold = $x;
$yold = $y;
}
}
[/code]
We see that parameter $function is used directly in the eval(). Where does this particular parameter come from? Well drawFunction is called from page OtherPlot.php:
[code language=”php”]
$cmd = isset($_GET[‘cmd’]) ? $_GET[‘cmd’] : ”;
$res = isset($_GET[‘res’]) ? $_GET[‘res’] : ‘vga’;
$xf = isset($_GET[‘xf’]) ? $_GET[‘xf’] : 4;
$yf = isset($_GET[‘yf’]) ? $_GET[‘yf’] : 4;
$xt = isset($_GET[‘xt’]) ? $_GET[‘xt’] : 4;
$yt = isset($_GET[‘yt’]) ? $_GET[‘yt’] : 4;
$f = isset($_GET[‘function’]) ? $_GET[‘function’] : ‘sin(30 * $x) * 1 / cos($x) / $x’;
# $f=’tan($x – $x * cos(pi() * $x))’;
if ($cmd==”img”){
include_once (“inc/graph.php”);
$graph = new FunctionGraph($xf,$yf);
$graph->drawAxes();
$graph->drawFunction($f, 0.01);
$graph->writePNG();
$graph->destroy();
die;
}
[/code]
As you can see, the parameter which is sent to the vulnerable function is taken directly from the function GET parameter.
Moreover, this particular piece of code can be called by an unauthenticated user, meaning that it is possible to execute arbitrary code (unless there is some sort of PHP hardening going on) on the web server without needing any credentials.
After discussing the issue with Remo Rickli, who wrote the application, it turns out this is a piece of legacy code which is not used any more and will be removed in future versions. For the time being, the recommendation is to remove the Other-Plot.php and inc/graph.php files from your servers (http://www.nedi.ch/nedi-news/).