PHP 5.2.6 posix_access() (posix ext) safe_mode bypass (CXSecurity Research WLB2)

English Version
WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
Search
General
CVE
CWE
Tools
CWE Dictionary
Google Hacking
RSS
Full List
Bugs
Exploits
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: PHP 5.2.6 posix_access() (posix ext) safe_mode bypass
 Author: Maksymilian Arciemowicz
 Date: 2008.06.17
 Risk: Low
 Local: Yes
 Remote: No

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
CXSecurity.com
Date:
- - Written: 10.05.2008
- - Public: 17.06.2008

CXSecurity Research
SecurityAlert Id: 54

CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low

Affected Software: PHP 5.2.6
Advisory URL: http://cxsecurity.com/research/54
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated
pages quickly.

posix_access ? Determine accessibility of a file

SYNOPSIS:

bool posix_access ( string $file [, int $mode ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 1. PHP 5.2.6 posix_access() safe_mode bypass ---
Let's see to posix_access() function

- ---
PHP_FUNCTION(posix_access)
{
long mode = 0;
int filename_len, ret;
char *filename, *path;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &mode) ==
FAILURE) {
RETURN_FALSE;
}

path = expand_filepath(filename, NULL TSRMLS_CC);

if (!path) {
POSIX_G(last_error) = EIO;
RETURN_FALSE;
}

if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
efree(path);
POSIX_G(last_error) = EPERM;
RETURN_FALSE;
}

ret = access(path, mode);
efree(path);

if (ret) {
POSIX_G(last_error) = errno;
RETURN_FALSE;
}

RETURN_TRUE;
}
- ---

var_dump(posix_access("http://../../../etc/passwd"))==True
var_dump(posix_access("/etc/passwd"))==False

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); will change "http://../../../etc/passwd" to
path=/etc/passwd

(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will
check realy path "http://../../../etc/passwd". http:// is using in php_checkuid_ex(), so safe_mode is
bypassed.

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 2. How to Fix ---
Do not use safe_mode as a main safety

- --- 3. Greets ---
Infospec schain p_e_a Chujwamwdupe

- --- 4. Contact ---
Author: CXSecurity [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] cxsecurity [dot] com
GPG: http://cxsecurity.pl/key/Arciemowicz.Maksymilian.gpg
http://cxsecurity.com
http://cxsecurity.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCC+W1OhNJH6DMURAsq4AJ0eC1qKOZVOJJB3XDRIhpufNe1qUwCfTWv0
n4Sg31DePRpr4h3PLouKFoA=
=6qwD
-----END PGP SIGNATURE-----
Copyright 2012, cxsecurity.com