PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

PHP 5.2.6 posix_access() (posix ext) safe_mode bypassSecurityAlert : 3941CVE : CVE-2008-2665CWE : CWE-264SecurityRisk : Low alert (About)Remote Exploit : NoLocal Exploit : YesVictim interaction required : NoExploit Given : NoCredit : Maksymilian ArciemowiczPublished : 17.06.2008Affected Software : PHP 5.2.6 and prior-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass ]Author: Maksymilian Arciemowicz (cXIb8O3)SecurityReason.comDate:- - Written: 10.05.2008- - Public: 17.06.2008SecurityReason ResearchSecurityAlert Id: 54CVE: CVE-2008-2665CWE: CWE-264SecurityRisk: LowAffected Software: PHP 5.2.6Advisory URL: http://securityreason.com/achievement_securityalert/54Vendor: http://www.php.net- --- 0.Description ---PHP is an HTML-embedded scripting language. Much of its syntax is borrowedfrom C, Java and Perl with a couple of unique PHP-specific features thrownin. The goal of the language is to allow web developers to writedynamically generated pages quickly.posix_access ? Determine accessibility of a fileSYNOPSIS:bool posix_access ( string $file [, int $mode ] )http://pl2.php.net/manual/pl/function.posix-access.php!!! WARNING !!!IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASONWILL NOT LIST ALL VULNERABLE FUNCTIONS- --- 1. PHP 5.2.6 posix_access() safe_mode bypass ---Let's see to posix_access() function- ---PHP_FUNCTION(posix_access){long mode = 0;int filename_len, ret;char *filename, *path;if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename,&filename_len, &mode) == FAILURE) {RETURN_FALSE;}path = expand_filepath(filename, NULL TSRMLS_CC);if (!path) {POSIX_G(last_error) = EIO;RETURN_FALSE;}if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||(PG(safe_mode) && (!php_checkuid_ex(filename, NULL,CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {efree(path);POSIX_G(last_error) = EPERM;RETURN_FALSE;}ret = access(path, mode);efree(path);if (ret) {POSIX_G(last_error) = errno;RETURN_FALSE;}RETURN_TRUE;}- ---var_dump(posix_access("http://../../../etc/passwd"))==Truevar_dump(posix_access("/etc/passwd"))==FalseWhy?Because path = expand_filepath(filename, NULL TSRMLS_CC); will change"http://../../../etc/passwd" to path=/etc/passwd(PG(safe_mode) && (!php_checkuid_ex(filename, NULL,CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will check realy path"http://../../../etc/passwd". http:// is using in php_checkuid_ex(), sosafe_mode is bypassed.!!! WARNING !!!IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASONWILL NOT LIST ALL VULNERABLE FUNCTIONS- --- 2. How to Fix ---Do not use safe_mode as a main safety- --- 3. Greets ---sp3x Infospec schain p_e_a Chujwamwdupe- --- 4. Contact ---Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]Email: cxib [at] securityreason [dot] comGPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpghttp://securityreason.comhttp://securityreason.pl-----BEGIN PGP SIGNATURE-----Version: GnuPG v2.0.4 (FreeBSD)iD8DBQFIWCC+W1OhNJH6DMURAsq4AJ0eC1qKOZVOJJB3XDRIhpufNe1qUwCfTWv0n4Sg31DePRpr4h3PLouKFoA==6qwD-----END PGP SIGNATURE-----