Misguided Response on XML-RPC Worm

A recent worm, Lupper, is traversing the Internet and exploiting computers that run the XML-RPC package for PHP. The official XML-RPC for PHP homepage states that the package’s abuse of the PHP eval function created a security hole that allowed remote execution of arbitrary code. This means that any systems that run PHP and a faulty XML-RPC for PHP installation can potentially be affected.

Unfortunately, articles such as XML-RPC Threatens Linux, Unix Systems suggest that the worm attacks “web applications that run on Linux and Unix systems.” The example article does not mention that worms, which exploit the XML-RPC for PHP fault, can potentially affect other operating systems as well. System administrators who are responsible for such systems should not overlook this security hole because of its incorrect association with another operating system.

A simplified abuse of the eval function is presented below:

$arbitraryConsoleCommand='dir'; // or format c:
$functionCallString="system($arbitraryConsoleCommand);";
eval( $functionCallString );

A stable version of XML-RPC for PHP that is apparently immune to this exploit has been available since September 2005. The security hole was discovered in August, and worms that exploit this hole surfaced recently as did its publicity. The security hole was likely discovered through third-party code inspection, and an update to this piece of software was quickly made available.

Leave a Reply