Advisory SE-2008-03: PHP Multibyte Shell Command Escaping Bypass Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: PHP Multibyte Shell Command Escaping Bypass Vulnerability
Release Date: 2008/05/06
Last Modified: 2008/05/06
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 <= 5.2.5
PHP 4 <= 4.4.8
Severity: Several shell locales with support for east asian
variable width encodings allow bypassing PHP's
shell command escaping functions, safe_mode and
disable_functions
Risk: Medium/High
Vendor Status: Vendor has released PHP 5.2.6 which uses locale
aware shell command/argument escaping
Reference: http://www.sektioneins.de/advisories/SE-2008-03.txt
Overview:
Quote from http://www.php.net
"PHP is a widely-used general-purpose scripting language that
is especially suited for Web development and can be embedded
into HTML."
In PHP there exist two functions to escape shell commands or
arguments to shell commands that are used in PHP applications
to protect against shell command injection vulnerabilities.
- escapeshellcmd()
- escapeshellarg()
Unfortunately it was discovered that both functions fail to
protect against shell command injection when the shell uses
a locale with a variable width character set like GBK,
EUC-KR, SJIS, ..
This can lead to arbitrary shell command injection vulnerabilities
in PHP applications believed to be safe. In addition to that
exploiting this problem in PHP functions that use this shell
escaping internally allows safe_mode and disable_functions
bypass.
Details:
[1] escapeshellcmd()
escapeshellcmd() will put a single backslash character in front
of every shell meta character like ; $ < > ... to escape it.
This function is normally used to ensure that only a single shell
command is executed and that it is not possible to append further
shell commands.
The problem is that the backslash character is a legal second
byte of several variable width encodings. Because of this a shell
that is for example configured to use a locale with the GBK
character set will consider the introduced backslash as part of
a multibyte character instead of an escaping of following meta
character.
Example:
escapeshellcmd("echo ".chr(0xc0).";id");
Executing the result of this will therefore result in echo and
id being executed.
[2] escapeshellarg()
escapeshellarg() does not use the backslash character to escape
shell meta characters. Instead it places the argument in single
quotes and only escapes single quotes in the qrgument with the
string '\'' . Because of this it is not possible to use the same
trick. However in case there are multiple inputs it is possible
to "eat" the terminating single quote which results in a shell
command injection through the second argument.
Example:
$arg1 = chr(0xc0);
$arg2 = "; id ; #";
$cmd = "echo ".escapeshellarg($arg1)." ".escapeshellarg($arg2);
In this example the 0xC0 character forms a multibyte character
with the terminating single quote. Therefore the starting single
quote of $arg2 will be used as terminating single quote and the
content of $arg2 can be used to inject everything.
NOTE: This attack works because even invalid second byte characters
are accepted on several platforms as valid.
[3] safe_mode_exec_dir bypass
Because of the vulnerability described in [1] it is possible to
bypass the safe_mode_exec_dir directive of PHP. This directive
is supposed to ensure that only shell commands within the allowed
directory can be executed.
This attack is however only feasible when the shell uses one of
the vulnerable locales, because during safe_mode it is not possible
to set the LANG environment variable that would influence the shell.
[4] mail() fifth parameter - disable_functions bypass
Because of the vulnerability described in [1] it is possible to
execute arbitrary shell commands on a system even when all shell
execution functions like shell_exec(), system(), ... are disabled
by the disable_functions directive, but mail() is still allowed.
This attack relies on the fact that the fifth mail() parameter is
used as argument to the sendmail binary and escaped with
escapeshellcmd() internally to ensure that no further shell commands
are appended.
Because PHP scripts can influence the locale of the shell (unless
running in safe_mode) this attack allows bypassing the setting of
disable_functions when a vulnerable locale is installed on the
system. In case the system's shell does not support one of the
vulnerable character sets the attack is not feasible.
Proof of Concept:
SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.
Disclosure Timeline:
07. March 2008 - Notified security@xxxxxxx
01. May 2008 - PHP developers released PHP 5.2.6
06. May 2008 - Public Disclosure
Recommendation:
It is recommended to upgrade to the latest version of PHP
which also fixes additional vulnerabilities reported by
third parties.
Grab your copy at:
http://www.php.net/downloads.php
CVE Information:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability yet.
GPG-Key:
pub 1024D/15ABDA78 2004-10-17 Stefan Esser <stefan.esser@xxxxxxxxxxxxxx>
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
Copyright 2008 SektionEins GmbH. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8
iEYEARECAAYFAkggLkEACgkQSuF5XhWr2ni3jwCeKVl6Vm/dJ78TbJxc8Pnkztbm
Pe8An2Zok9MCrK7SCHnFDLnPPb0rbu0A
=WPG6
-----END PGP SIGNATURE-----