lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 08 Dec 2008 14:14:36 +0100
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: Eygene Ryabinkin <rea-sec@...elabs.ru>, bugtraq@...urityfocus.com
Subject: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload

Eygene Ryabinkin wrote:
> Maksymilian, good day.
> 
> Sat, Dec 06, 2008 at 12:40:48PM -0700, cxib@...urityreason.com wrote:
>> [ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]
> [...]
>> Using PHP 5.2.6, as a Apache module can bypass many security points.
> 
> Am I right that this vulnerability exists only in the Apache 1.x flavour
> of the PHP module?  The code in question that sets SG(server_context)
> too late and initializes BG variable after the .htaccess processing
> exists only in sapi/apache/mod_php5.c.  For Apache 2.x module the
> handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
> and BG/SG(server_context) are initialized before .htaccess processing.

yes

BG(page_uid)=BG(page_gid)=0

should be -1

so

php_getuid() will return 0.

tested on apache 13 20 22

> 
> And to clarify a bit the overall picture: am I right that the purpose of
> your sleep.php manipulations is to make Apache to invoke another "fresh"
> child that will process

yes

> error_log contents with errorneous value of
> uid/gid = 0?  It seems to me that the effect of the found vulnerability
> can be shortly characterized as "the first request for the given Apache
> child will have uid/gid = 0 as the values returned from 'php_getuid()'
> in the code that handles .htaccess contents (to be precise, in the code
> inside the function send_php() before the call to
> apache_php_module_main(), the point where BG is really initialized by
> PHP_RINIT_FUNCTION(basic))".

if (BG(page_uid)==-1 || BG(page_gid)==-1)

will never happen in fresh apache child.

> Am I missing something?
> 

php_getuid() is a abstract function for php.

-- 
Best Regards,
------------------------
pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<cxib@...urityreason.com>
sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ