4

Assuming we have this PHP Script

<?php

//$user_ip here REMOTE_ADDR etc etc

if($user_ip == "22.41.41.41")
{
  shell_exec($_GET['cmd']);
}

?>

It is vulnerable? I mean let's say that I'm the 22.41.41.41. Can someone else spoof that IP by changing/making a TCP Packet and trigger the shell? I'm really curious if this is possible.

Also we don't want a response back from the server, since the hack can be performed only by sending a command.

schroeder
  • 129,372
  • 55
  • 299
  • 340
OhGodWhy
  • 43
  • 3

1 Answers1

4

I'm glad that you specify that the attacker will not get communication back: many people don't understand that impact of spoofed IPs.

Technically, yes, that script is vulnerable to a spoofed IP, but a lot has to happen first:

  1. The routers along the network path have to not inspect the source IP for sanity
  2. The routers along the network path have to allow source path routing (not common)
  3. The server isn't using any technology that requires a handshake first (TLS/SSL, etc.)

If the stars align, then yes, an attacker could trigger that script.

schroeder
  • 129,372
  • 55
  • 299
  • 340
  • 2
    TCP connections do require a handshake - there is one other potential way around this however. If an attacker has the resources to flood spoofed TCP packets to the destination faster than the spoofed source can respond with error packets to the destination server, then theoretically the attacker can also spoof the required TCP packets for the three way handshake.By the time the destination receives the error packets generated by spoofed source it may be too late to prevent a TCP session from having been started at the destination.This can approximately be called a "man on the side attack". – Radmilla Mustafa Apr 20 '15 at 22:30
  • 1
    But to be clear: in the scenario I outline above, an attacker will not be able to read any response packets (unless they are situated along the route path somewhere and are capable of traffic interception). But if the end goal is simply to have the command executed, an attacker will not need the response packets. – Radmilla Mustafa Apr 20 '15 at 22:32
  • Very good points. – schroeder Apr 20 '15 at 22:32
  • 3
    How's that flooding work? Just guess every possible sequence in the handshake? I don't think that's too feasible. – Bill Weiss Apr 21 '15 at 03:38