PHP 5.2.5 cURL safe_mode bypass

PHP 5.2.5 cURL safe_mode bypass SecurityAlert : 3562 CVE : CVE-2007-4850 SecurityRisk : Medium alert (About) Remote Exploit : No Local Exploit : Yes Exploit Given : No Credit : Maksymilian Arciemowicz Published : 22.01.2008 Affected Software :PHP 5.2.5 and 5.2.4-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1[PHP 5.2.5 cURL safe_mode bypass ]Author: Maksymilian Arciemowicz (cXIb8O3)SecurityReasonDate:- - Written: 21.08.2007- - Public: 22.01.2008SecurityReason ResearchSecurityAlert Id: 51CVE: CVE-2007-4850SecurityRisk: MediumAffected Software: PHP 5.2.4 and 5.2.5Advisory URL:http://securityreason.com/achievement_securityalert/51Vendor: http://www.php.net- --- 0.Description ---PHP is an HTML-embedded scripting language. Much of its syntax is borrowedfrom C, Java and Perl with a couple of unique PHP-specific features thrownin. The goal of the language is to allow web developers to writedynamically generated pages quickly.PHP supports libcurl, a library created by Daniel Stenberg, that allows youto connect and communicate to many different types of servers with manydifferent types of protocols. libcurl currently supports the http, https,ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supportsHTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also bedone with PHP's ftp extension), HTTP form based upload, proxies, cookies,and user+password authentication.These functions have been added in PHP 4.0.2.- --- 1. cURL ---This is very similar to CVE-2006-2563.http://securityreason.com/achievement_securityalert/39The first issue [SAFE_MODE bypass]var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));is caused by error in curl/interface.c- ---#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret) if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) &&strncasecmp(str, "file:", sizeof("file:") - 1) == 0) { php_url *tmp_url; if (!(tmp_url = php_url_parse_ex(str, len))) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'",str); php_curl_ret(__ret); } if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)){ php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencodedcontrol characters", str); php_url_free(tmp_url); php_curl_ret(__ret); } if (tmp_url->query || tmp_url->fragment ||php_check_open_basedir(tmp_url->path TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+",CHECKUID_CHECK_MODE_PARAM)) ) { php_url_free(tmp_url); php_curl_ret(__ret); } php_url_free(tmp_url); }- ---if you have tmp_url = php_url_parse_ex(str, len)where:str = "file://safe_mode_bypass\x00".__FILE__and this function will return:tmp_url->path = __FILE__curl_init() functions checks safemode and openbasedir for tmp_url->path.Not for real path.- ---if (argc > 0) {char *urlcopy;urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);zend_llist_add_element(&ch->to_free.str, &urlcopy);}- ---the last step in curl_init() function will only copyfile://safe_mode_bypass to urlcopy.The main problem exists in php_url_parse_ex() function. If you put incurl_init() "file://host/somewhere/path.php", php_url_parse_ex() willselect /somewhere/path.php to path varible. Looks good but it cannot beused, when you will check real path. Using file:///etc/passwd is correctbut between file:// and /etc/passwd, php_url_parse_ex() will select hostand return path to /passwd.Tested in PHP 5.2.4 and PHP 5.2.5 (FreeBSD 6.2R)cxib# php -vPHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Dec 10 2007 19:54:41)(DEBUG)Copyright (c) 1997-2007 The PHP GroupZend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies- --- 2. Exploit ---SecurityReason will not public official exploit for this issue. But it ispossible to read file from another directories like /etc/passwd.- --- 3. How to fix ---CVShttp://cvs.php.net/viewcvs.cgi/php-src/NEWS?revision=1.2027.2.547.2.1047&view=markup- ---Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.- ---- --- 4. Greets ---sp3x, Infospec, p_e_a, schain, l5x and iliaa- --- 5. Contact ---Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]Email: cxib [at] securityreason [dot] comGPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg [NEW KEY]GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg.old [OLDKEY]http://securityreason.comhttp://securityreason.pl-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.5 (FreeBSD)iD8DBQFHlnuFW1OhNJH6DMURAl3gAJ9qkpoJ1D0IPxP7khHgcUKyRaZtZACfS6AvGNPBDDnU6J2LQEaUb7gT/18==WWl5-----END PGP SIGNATURE-----