Bug: PHP 5.2.5 cURL safe_mode bypass ( Ascii Version )

Search:
WLB2

PHP 5.2.5 cURL safe_mode bypass

Published
Credit
Risk
2008.01.22
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
CWE-264
CVE-2007-4850
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

[PHP 5.2.5 cURL safe_mode bypass ]

Author: Maksymilian Arciemowicz
Date:
- - Written: 21.08.2007
- - Public: 22.01.2008

CVE: CVE-2007-4850
Risk: Medium

Affected Software: PHP 5.2.4 and 5.2.5
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated
pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different
types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher,
telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading
(this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password
authentication.

These functions have been added in PHP 4.0.2.

- --- 1. cURL ---
This is very similar to CVE-2006-2563.

http://cxsecurity.com/issue/WLB-2006050153


The first issue [SAFE_MODE bypass]

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));

is caused by error in curl/interface.c

- ---
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret) \
if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) &&
\
strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
{ \
php_url *tmp_url; \
\
if (!(tmp_url = php_url_parse_ex(str, len))) { \
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str); \
php_curl_ret(__ret); \
} \
\
if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \
php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters", str); \
php_url_free(tmp_url); \
php_curl_ret(__ret); \
} \
\
if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
) { \
php_url_free(tmp_url); \
php_curl_ret(__ret); \
} \
php_url_free(tmp_url); \
}
- ---

if you have tmp_url = php_url_parse_ex(str, len)
where:

str = "file://safe_mode_bypass\x00".__FILE__

and this function will return:

tmp_url->path = __FILE__

curl_init() functions checks safemode and openbasedir for tmp_url->path. Not for real path.

- ---
if (argc > 0) {
char *urlcopy;

urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
zend_llist_add_element(&ch->to_free.str, &urlcopy);
}
- ---

the last step in curl_init() function will only copy file://safe_mode_bypass to urlcopy.

The main problem exists in php_url_parse_ex() function. If you put in curl_init()
"file://host/somewhere/path.php", php_url_parse_ex() will select /somewhere/path.php to path varible. Looks
good but it cannot be used, when you will check real path. Using file:///etc/passwd is correct but between file:// and
/etc/passwd, php_url_parse_ex() will select host and return path to /passwd.

Tested in PHP 5.2.4 and PHP 5.2.5 (FreeBSD 6.2R)

cxib# php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Dec 10 2007 19:54:41) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

- --- 2. Exploit ---
N/A

- --- 3. How to fix ---
CVS

http://cvs.php.net/viewcvs.cgi/php-src/NEWS?revision=1.2027.2.547.2.1047&view=markup

- ---
Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
- ---

- --- 4. Contact ---

Author: Maksymilian Arciemowicz

References:

http://www.ubuntu.com/usn/usn-628-1
http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
http://support.apple.com/kb/HT3216

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version