PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

Advisory Content :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com
Date:
- - Written: 10.05.2008
- - Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 54

CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

posix_access ? Determine accessibility of a file

SYNOPSIS:

bool posix_access ( string $file [, int $mode ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON
WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 1. PHP 5.2.6 posix_access() safe_mode bypass ---
Let's see to posix_access() function

- ---
PHP_FUNCTION(posix_access)
{
long mode = 0;
int filename_len, ret;
char *filename, *path;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename,
&filename_len, &mode) == FAILURE) {
RETURN_FALSE;
}

path = expand_filepath(filename, NULL TSRMLS_CC);

if (!path) {
POSIX_G(last_error) = EIO;
RETURN_FALSE;
}

if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
(PG(safe_mode) && (!php_checkuid_ex(filename, NULL,
CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
efree(path);
POSIX_G(last_error) = EPERM;
RETURN_FALSE;
}

ret = access(path, mode);
efree(path);

if (ret) {
POSIX_G(last_error) = errno;
RETURN_FALSE;
}

RETURN_TRUE;
}
- ---

var_dump(posix_access("http://../../../etc/passwd"))==True
var_dump(posix_access("/etc/passwd"))==False

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); will change
"http://../../../etc/passwd" to path=/etc/passwd

(PG(safe_mode) && (!php_checkuid_ex(filename, NULL,
CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will check realy path
"http://../../../etc/passwd". http:// is using in php_checkuid_ex(), so
safe_mode is bypassed.

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON
WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 2. How to Fix ---
Do not use safe_mode as a main safety

- --- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCC+W1OhNJH6DMURAsq4AJ0eC1qKOZVOJJB3XDRIhpufNe1qUwCfTWv0
n4Sg31DePRpr4h3PLouKFoA=
=6qwD
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

PHP 5.2.6 posix_access() (posix ext) safe_mode bypass