Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research
WLB

WLB Database

Send to WLB

About WLB
RSS

News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP
Corporate

Contact

About us
Services

SecurePHP
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : SecurityReason Advisory

  Topic : copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2
  SecurityAlert : 37
  CVE : CVE-2006-1608
  SecurityRisk : High  alert  (About)
  Remote Exploit : No
  Local Exploit : Yes
  Exploit Given : Yes
  Credit : Maksymilian Arciemowicz
  Date : 08.04.2006

  Affected Software : PHP 4.4.2 and prior
PHP 5.1.2 and prior

The most reliable and remarkable web site hosting service provider is known as ipowerweb due to the numerous features of the hosting plans.
The most reasonable packages of hosting are offered by ix web hosting to facilitate the customers with the quality of services in the affordable price.
The best image hosting service providers offers the trustworthy hosting services with the suitable exposure of the images on the website.
The best web hosting service providers never use the low quality shared servers but they always provide the dedicated full-time services, connected with the dedicated servers.
The cheap web hosting is feasible in the view of the price matters but you have to encounter various technical problems due to the low quality of the services.

  Advisory Text :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 2.4.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of
the PHP Conference Material is freely available.

The PHP safe mode is an attempt to solve the shared-server security
problem. It is architecturally incorrect to try to solve this problem at
the PHP level, but since the alternatives at the web server and OS levels
aren't very realistic, many people, especially ISP's, use safe mode for
now.

- --- 1. Safe Mode Bypass ---
General problem exists in safe mode function, because safe mode accept path
like "compress.zlib://".

PHP442 File "main/safe_mode.c"
- -78-80---
wrapper = php_stream_locate_url_wrapper(filename, NULL,
STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
if (wrapper != NULL)
return 1;
- -78-80---

if php_stream_locate_url_wrapper() return something.. safe mode is going to
stop.
Let`s see the function php_stream_locate_url_wrapper().

PHP442 File "main/streams.c"

- -2522-2588---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path,
char **path_for_open, int options TSRMLS_DC)
{
HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) :
&url_stream_wrappers_hash);
php_stream_wrapper *wrapper = NULL;
const char *p, *protocol = NULL;
int n = 0;

if (path_for_open)
*path_for_open = (char*)path;

if (options & IGNORE_URL)
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL :
&php_plain_files_wrapper;

for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.';
p++) {
n++;
}

if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
protocol = path;
} else if (strncasecmp(path, "zlib:", 5) == 0) {
/* BC with older php scripts and zlib wrapper */
protocol = "compress.zlib";
n = 13;
if (options & REPORT_ERRORS) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is
deprecated; please use \"compress.zlib://\" instead.");
}
}

if (protocol) {
if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n,
(void**)&wrapper)) {
char wrapper_name[32];

if (options & REPORT_ERRORS) {
if (n >= sizeof(wrapper_name))
n = sizeof(wrapper_name) - 1;
PHP_STRLCPY(wrapper_name, protocol, sizeof(wrapper_name), n);

php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper
\"%s\" - did you forget to enable it when you configured PHP?",
wrapper_name);
}

wrapper = NULL;
protocol = NULL;
}
}
/* TODO: curl based streams probably support file:// properly */
if (!protocol || !strncasecmp(protocol, "file", n)) {
if (protocol && path[n+1] == '/' && path[n+2] == '/') {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access
not supported, %s", path);
return NULL;
}
if (protocol && path_for_open)
*path_for_open = (char*)path + n + 1;

/* fall back on regular file access */
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL :
&php_plain_files_wrapper;
}

if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled
in the server configuration");
return NULL;
}

return wrapper;
}
- -2522-2588---

So if you use in your path (for example "compress.zlib://"), function
php_stream_locate_url_wrapper() return something variable and safe mode
return 1.

Let's see now the source of function copy().

PHP442: ext/standard/file.c

- -2114-2138---
PHP_FUNCTION(copy)
{
zval **source, **target;

if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &source, &target) ==
FAILURE) {
WRONG_PARAM_COUNT;
}

convert_to_string_ex(source);
convert_to_string_ex(target);

if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL,
CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}

if (php_check_open_basedir(Z_STRVAL_PP(source) TSRMLS_CC)) {
RETURN_FALSE;
}

if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target)
TSRMLS_CC)==SUCCESS) {
RETURN_TRUE;
} else {
RETURN_FALSE;
}
}
- -2114-2138---

http://pl2.php.net/manual/en/function.copy.php

Description
bool copy ( string source, string dest )

example:
copy("compress.zlib:///etc/passwd", "/home/cxib/to/bandyta/passwd.txt");

safe mode return 1 and skip security.

if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL,
CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}

return true.

Rest functions have checking safe_mode without path and safe mode works. I
don't have tested all functions in php ;].

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Exploit ---
http://securityreason.com/achievement_exploitalert/8

- --- 4. Greets ---

For: sp3x
and
p_e_a, eax, Infospec

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAu93Ke13X/fTO4RApXzAKC4OuM/3vn8kyw+EP2R8YVYyH9gkgCcDCMj
2dB55e2x6sPGBJW+w9Kw/OY=
=Lfuk
-----END PGP SIGNATURE-----
Alert

Microsoft VISTA TCP/IP stack buffer overflow

high- 2008-11-27

Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.
Apache rss

» Apache Tomcat information
   disclosure

» Apache Tomcat <=
   6.0.18 UTF8 Directory
   Traversal Vulnerability

» Apache Tomcat information
   disclosure vulnerability

» Apache Tomcat XSS
   vulnerability
PHP rss

» PHP 5.2.6 dba_replace()
   destroying file

» PHP 5.2.6 (error_log)
   safe_mode bypass

» PHP 5.2.6 chdir(),ftok()
   (standard ext) safe_mode
   bypass

» PHP 5.2.6 posix_access()
   (posix ext) safe_mode
   bypass
Copyright © SecurityReason. All Rights Reserved.