exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

php525-curlbypass.txt

php525-curlbypass.txt
Posted Jan 24, 2008
Authored by Maksymilian Arciemowicz | Site securityreason.com

PHP versions 5.2.5 and 5.2.4 suffer from a cURL related safe_mode bypass vulnerability.

tags | advisory, php, bypass
advisories | CVE-2007-4850
SHA-256 | b7cc5ffd01f2b7dfd6146eb89b796d340c095a734fb88911e8dfd9cd3e66e284

php525-curlbypass.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.5 cURL safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- - Written: 21.08.2007
- - Public: 22.01.2008

SecurityReason Research
SecurityAlert Id: 51

CVE: CVE-2007-4850
SecurityRisk: Medium

Affected Software: PHP 5.2.4 and 5.2.5
Advisory URL:
http://securityreason.com/achievement_securityalert/51
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication.

These functions have been added in PHP 4.0.2.

- --- 1. cURL ---
This is very similar to CVE-2006-2563.

http://securityreason.com/achievement_securityalert/39


The first issue [SAFE_MODE bypass]

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));

is caused by error in curl/interface.c

- ---
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret) \
if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
{ \
php_url *tmp_url; \
\
if (!(tmp_url = php_url_parse_ex(str, len))) { \
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str); \
php_curl_ret(__ret); \
} \
\
if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \
php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters", str); \
php_url_free(tmp_url); \
php_curl_ret(__ret); \
} \
\
if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
) { \
php_url_free(tmp_url); \
php_curl_ret(__ret); \
} \
php_url_free(tmp_url); \
}
- ---

if you have tmp_url = php_url_parse_ex(str, len)
where:

str = "file://safe_mode_bypass\x00".__FILE__

and this function will return:

tmp_url->path = __FILE__

curl_init() functions checks safemode and openbasedir for tmp_url->path. Not for real path.

- ---
if (argc > 0) {
char *urlcopy;

urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
zend_llist_add_element(&ch->to_free.str, &urlcopy);
}
- ---

the last step in curl_init() function will only copy file://safe_mode_bypass to urlcopy.

The main problem exists in php_url_parse_ex() function. If you put in curl_init() "file://host/somewhere/path.php", php_url_parse_ex() will select /somewhere/path.php to path varible. Looks good but it cannot be used, when you will check real path. Using file:///etc/passwd is correct but between file:// and /etc/passwd, php_url_parse_ex() will select host and return path to /passwd.

Tested in PHP 5.2.4 and PHP 5.2.5 (FreeBSD 6.2R)

cxib# php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Dec 10 2007 19:54:41) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

- --- 2. Exploit ---
SecurityReason will not public official exploit for this issue. But it is possible to read file from another directories like /etc/passwd.

- --- 3. How to fix ---
CVS

http://cvs.php.net/viewcvs.cgi/php-src/NEWS?revision=1.2027.2.547.2.1047&view=markup

- ---
Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
- ---

- --- 4. Greets ---
sp3x, Infospec, p_e_a, schain, l5x and iliaa

- --- 5. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg [NEW KEY]
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg.old [OLD KEY]
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFHlnuFW1OhNJH6DMURAl3gAJ9qkpoJ1D0IPxP7khHgcUKyRaZtZACfS6Av
GNPBDDnU6J2LQEaUb7gT/18=
=WWl5
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close