Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: bx1584.htm

PHP 5.2.5 cURL safe_mode bypass



PHP 5.2.5 cURL safe_mode bypass
PHP 5.2.5 cURL safe_mode bypass



-----BEGIN PGP SIGNED MESSAGE-----=0D
Hash: SHA1=0D
=0D
[PHP 5.2.5 cURL safe_mode bypass ]=0D
=0D
Author: Maksymilian Arciemowicz (cXIb8O3)=0D
SecurityReason=0D
Date:=0D
- - Written: 21.08.2007=0D
- - Public: 22.01.2008=0D
=0D
SecurityReason Research=0D
SecurityAlert Id: 51=0D
=0D
CVE: CVE-2007-4850=0D
SecurityRisk: Medium=0D
=0D
Affected Software: PHP 5.2.4 and 5.2.5=0D
Advisory URL:=0D
http://securityreason.com/achievement_securityalert/51=0D 
Vendor: http://www.php.net=0D 
=0D
- --- 0.Description ---=0D
=0D
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.=0D
=0D
PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication.=0D
=0D
These functions have been added in PHP 4.0.2. =0D
=0D
- --- 1. cURL ---=0D
This is very similar to CVE-2006-2563. =0D
=0D
http://securityreason.com/achievement_securityalert/39=0D 
=0D
=0D
The first issue [SAFE_MODE bypass]=0D
=0D
var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));=0D
=0D
is caused by error in curl/interface.c=0D
=0D
- ---=0D
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret)													\=0D
	if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) &&                                                \=0D
	    strncasecmp(str, "file:", sizeof("file:") - 1) == 0)								\=0D
	{ 																							\=0D
		php_url *tmp_url; 																		\=0D
															\=0D
		if (!(tmp_url = php_url_parse_ex(str, len))) {											\=0D
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str);				\=0D
			php_curl_ret(__ret);											\=0D
		} 													\=0D
															\=0D
		if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) {				\=0D
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters", str);	\=0D
			php_url_free(tmp_url); 																\=0D
			php_curl_ret(__ret);											\=0D
		}													\=0D
																								\=0D
		if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || 									\=0D
			(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))	\=0D
		) { 																					\=0D
			php_url_free(tmp_url); 																\=0D
			php_curl_ret(__ret);											\=0D
		} 																						\=0D
		php_url_free(tmp_url); 																	\=0D
	}=0D
- ---=0D
=0D
if you have tmp_url = php_url_parse_ex(str, len)=0D
where:=0D
=0D
str = "file://safe_mode_bypass\x00".__FILE__=0D
=0D
and this function will return:=0D
=0D
tmp_url->path = __FILE__=0D
=0D
curl_init() functions checks safemode and openbasedir for tmp_url->path. Not for real path.=0D
=0D
- ---=0D
	if (argc > 0) {=0D
		char *urlcopy;=0D
=0D
		urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));=0D
		curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);=0D
		zend_llist_add_element(&ch->to_free.str, &urlcopy);=0D
	}=0D
- ---=0D
=0D
the last step in curl_init() function will only copy file://safe_mode_bypass to urlcopy.=0D
=0D
The main problem exists in php_url_parse_ex() function. If you put in curl_init() "file://host/somewhere/path.php", php_url_parse_ex() will select /somewhere/path.php to path varible. Looks good but it cannot be used, when you will check real path. Using file:///etc/passwd is correct but between file:// and /etc/passwd, php_url_parse_ex() will select host and return path to /passwd.=0D
=0D
Tested in PHP 5.2.4 and PHP 5.2.5 (FreeBSD 6.2R)=0D
=0D
cxib# php -v=0D
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Dec 10 2007 19:54:41) (DEBUG)=0D
Copyright (c) 1997-2007 The PHP Group=0D
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies=0D
=0D
- --- 2. Exploit ---=0D
SecurityReason will not public official exploit for this issue. But it is possible to read file from another directories like /etc/passwd.=0D
=0D
- --- 3. How to fix ---=0D
CVS=0D
=0D
http://cvs.php.net/viewcvs.cgi/php-src/NEWS?revision=1.2027.2.547.2.1047&view=markup=0D 
=0D
- ---=0D
Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.=0D
- ---=0D
=0D
- --- 4. Greets ---=0D
sp3x, Infospec, p_e_a, schain, l5x and iliaa=0D
=0D
- --- 5. Contact ---=0D
=0D
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]=0D
Email: cxib [at] securityreason [dot] com=0D
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg [NEW KEY]=0D 
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg.old [OLD KEY]=0D 
http://securityreason.com=0D 
http://securityreason.pl=0D 
=0D
-----BEGIN PGP SIGNATURE-----=0D
Version: GnuPG v1.4.5 (FreeBSD)=0D
=0D
iD8DBQFHlnuFW1OhNJH6DMURAl3gAJ9qkpoJ1D0IPxP7khHgcUKyRaZtZACfS6Av=0D
GNPBDDnU6J2LQEaUb7gT/18==0D
=WWl5=0D
-----END PGP SIGNATURE-----=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH