Bug#361856: [php-maint] Bug#361856: copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2

Tue Apr 11 07:59:07 UTC 2006

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 2.4.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and
Perl with a couple of unique PHP-specific features thrown in. The goal
of the language is to
allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig S&#230;ther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much
of the PHP Conference
Material is freely available. 

The PHP safe mode is an attempt to solve the shared-server security
problem. It is
architecturally incorrect to try to solve this problem at the PHP level,
but since the
alternatives at the web server and OS levels aren't very realistic, many
people, especially
ISP's, use safe mode for now.

- --- 1. Safe Mode Bypass ---
General problem exists in safe mode function, because safe mode accept
path like
"compress.zlib://". 

PHP442 File "main/safe_mode.c"
- -78-80---
wrapper = php_stream_locate_url_wrapper(filename, NULL,
STREAM_LOCATE_WRAPPERS_ONLY
TSRMLS_CC);
if (wrapper != NULL)
return 1;
- -78-80---

if php_stream_locate_url_wrapper() return something.. safe mode is going
to stop.
Let`s see the function php_stream_locate_url_wrapper().

PHP442 File "main/streams.c"

- -2522-2588---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char
*path, char
**path_for_open, int options TSRMLS_DC)
{
HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) :
&url_stream_wrappers_hash);
php_stream_wrapper *wrapper = NULL;
const char *p, *protocol = NULL;
int n = 0;

if (path_for_open)
*path_for_open = (char*)path;

if (options & IGNORE_URL)
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL :
&php_plain_files_wrapper;

for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.';
p++) {
n++;
}

if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
protocol = path;
} else if (strncasecmp(path, "zlib:", 5) == 0) {
/* BC with older php scripts and zlib wrapper */
protocol = "compress.zlib";
n = 13;
if (options & REPORT_ERRORS) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is
deprecated; please use \"compress.zlib://\" instead.");
}
}

if (protocol) {
if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n,
(void**)&wrapper)) {
char wrapper_name[32];

if (options & REPORT_ERRORS) {
if (n >= sizeof(wrapper_name))
n = sizeof(wrapper_name) - 1;
PHP_STRLCPY(wrapper_name, protocol, sizeof(wrapper_name), n);

php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper
\"%s\" - did you forget to enable it when you configured PHP?",
wrapper_name);
}

wrapper = NULL;
protocol = NULL;
}
}
/* TODO: curl based streams probably support file:// properly */
if (!protocol || !strncasecmp(protocol, "file", n)) {
if (protocol && path[n+1] == '/' && path[n+2] == '/') {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access not
supported,
%s", path);
return NULL;
}
if (protocol && path_for_open)
*path_for_open = (char*)path + n + 1;

/* fall back on regular file access */
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL :
&php_plain_files_wrapper;
}

if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled
in the
server configuration");
return NULL;
}

return wrapper;
}
- -2522-2588---

So if you use in your path (for example "compress.zlib://"), function
php_stream_locate_url_wrapper() return something variable and safe mode
return 1.

Let's see now the source of function copy().

PHP442: ext/standard/file.c

- -2114-2138---
PHP_FUNCTION(copy)
{
zval **source, **target;

if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &source, &target)
== FAILURE)
{
WRONG_PARAM_COUNT;
}

convert_to_string_ex(source);
convert_to_string_ex(target);

if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL,
CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}

if (php_check_open_basedir(Z_STRVAL_PP(source) TSRMLS_CC)) {
RETURN_FALSE;
}

if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target)
TSRMLS_CC)==SUCCESS) {
RETURN_TRUE;
} else {
RETURN_FALSE;
}
}
- -2114-2138---

http://pl2.php.net/manual/en/function.copy.php

Description
bool copy ( string source, string dest )

example:
copy("compress.zlib:///etc/passwd", "/home/cxib/to/bandyta/passwd.txt");

safe mode return 1 and skip security.

if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(source), NULL,
CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}

return true.

Rest functions have checking safe_mode without path and safe mode works.
I don't have tested
all functions in php ;].

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Exploit ---
http://securityreason.com/achievement_exploitalert/8

- --- 4. Greets ---

For: sp3x
and
p_e_a, eax, Infospec

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAu93Ke13X/fTO4RApXzAKC4OuM/3vn8kyw+EP2R8YVYyH9gkgCcDCMj
2dB55e2x6sPGBJW+w9Kw/OY=
=Lfuk
-----END PGP SIGNATURE-----
-- 
Ondrej Sury <ondrej at sury.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20060411/9ab48235/attachment.pgp