[CVE-2006-1608] copy() Safe Mode Bypass

Related Vulnerabilities: CVE-2006-1608  

Debian Bug report logs - #361856

Package: php4; Maintainer for php4 is (unknown);

Reported by: Oliver Paulus <oliver@code-project.org>

Date: Mon, 10 Apr 2006 19:33:14 UTC

Severity: important

Tags: patch, security

Found in versions php4/4:4.3.10-16, 4:4.4.2-1.1

Done: sean finney <seanius@seanius.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361856; Package php4.


Acknowledgement sent to Oliver Paulus <oliver@code-project.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Oliver Paulus <oliver@code-project.org>
To: submit@bugs.debian.org
Subject: copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2
Date: Mon, 10 Apr 2006 23:17:52 +0200
Package: php4
Version: 4:4.3.10-16
Severity: grave

for more information see:
http://securityreason.com/achievement_securityalert/37

-- 
Oliver Paulus

OpenPGP
Key id: 28D9C44F
Fingerprint: EADA 62FC 07DC 3361 A3D6  4174 2DE3 C027 28D9 C44F
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x28D9C44F




Tags added: security. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361856; Package php4.


Acknowledgement sent to Ondrej Sury <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #12 received at 361856@bugs.debian.org:

From: Ondrej Sury <ondrej@sury.org>
To: 361856@bugs.debian.org
Subject: Re: [php-maint] Bug#361856: copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2
Date: Tue, 11 Apr 2006 09:59:07 +0200

[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 2.4.2006
- Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISPs, use safe mode for now.

--- 1. Safe Mode Bypass ---
A general problem exists in the safe mode function, because safe mode accepts paths like "compress.zlib://".

PHP442 File "main/safe_mode.c"
--- lines 78-80 ---
    /* a filename that resolves to any registered URL wrapper passes the uid check outright */
    wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
    if (wrapper != NULL)
        return 1;
--- lines 78-80 ---

If php_stream_locate_url_wrapper() returns something, safe mode is going to stop. Let's see the function php_stream_locate_url_wrapper().

PHP442 File "main/streams.c"

--- lines 2522-2588 ---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char **path_for_open, int options TSRMLS_DC)
{
    HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) : &url_stream_wrappers_hash);
    php_stream_wrapper *wrapper = NULL;
    const char *p, *protocol = NULL;
    int n = 0;

    if (path_for_open)
        *path_for_open = (char*)path;

    if (options & IGNORE_URL)
        return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;

    /* scan the scheme part: letters, digits, '+', '-' and '.' */
    for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
        n++;
    }

    /* "scheme://" with at least two characters before the colon names a wrapper */
    if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
        protocol = path;
    } else if (strncasecmp(path, "zlib:", 5) == 0) {
        /* BC with older php scripts and zlib wrapper */
        protocol = "compress.zlib";
        n = 13;
        if (options & REPORT_ERRORS) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is deprecated; please use \"compress.zlib://\" instead.");
        }
    }

    if (protocol) {
        if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n, (void**)&wrapper)) {
            char wrapper_name[32];

            if (options & REPORT_ERRORS) {
                if (n >= sizeof(wrapper_name))
                    n = sizeof(wrapper_name) - 1;
                PHP_STRLCPY(wrapper_name, protocol, sizeof(wrapper_name), n);

                php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper \"%s\" - did you forget to enable it when you configured PHP?", wrapper_name);
            }

            wrapper = NULL;
            protocol = NULL;
        }
    }
    /* TODO: curl based streams probably support file:// properly */
    if (!protocol || !strncasecmp(protocol, "file", n)) {
        if (protocol && path[n+1] == '/' && path[n+2] == '/') {
            if (options & REPORT_ERRORS)
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access not supported, %s", path);
            return NULL;
        }
        if (protocol && path_for_open)
            *path_for_open = (char*)path + n + 1;

        /* fall back on regular file access */
        return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;
    }

    /* a registered wrapper is returned here, e.g. for "compress.zlib://" */
    if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
        if (options & REPORT_ERRORS)
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
        return NULL;
    }

    return wrapper;
}
--- lines 2522-2588 ---

So if you use a wrapper in your path (for example "compress.zlib://"), the function php_stream_locate_url_wrapper() returns something and safe mode returns 1.

Let's see now the source of the function copy().

PHP442: ext/standard/file.c

--- lines 2114-2138 ---
PHP_FUNCTION(copy)
{
    zval **source, **target;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &source, &target) == FAILURE) {
        WRONG_PARAM_COUNT;
    }

    convert_to_string_ex(source);
    convert_to_string_ex(target);

    /* the only safe-mode gate: php_checkuid() on the raw source string */
    if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(source), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
        RETURN_FALSE;
    }

    if (php_check_open_basedir(Z_STRVAL_PP(source) TSRMLS_CC)) {
        RETURN_FALSE;
    }

    if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target) TSRMLS_CC) == SUCCESS) {
        RETURN_TRUE;
    } else {
        RETURN_FALSE;
    }
}
--- lines 2114-2138 ---

http://pl2.php.net/manual/en/function.copy.php

Description
bool copy ( string source, string dest )

example:
copy("compress.zlib:///etc/passwd", "/home/cxib/to/bandyta/passwd.txt");

Safe mode returns 1 and skips the security check:

    if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(source), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
        RETURN_FALSE;
    }

returns true.

The rest of the functions check safe_mode without the path and safe mode works. I have not tested all functions in php ;].

--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Exploit ---
http://securityreason.com/achievement_exploitalert/8

--- 4. Greets ---

For: sp3x
and
p_e_a, eax, Infospec

--- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-- 
Ondrej Sury <ondrej@sury.org>
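The short circuit the forwarded advisory walks through (php_checkuid() returning 1 as soon as a URL wrapper matches the filename), modeled as an added example that is not PHP's own code: a scheme scanner mirroring the loop in php_stream_locate_url_wrapper(), the vulnerable check shape beside a hardened shape that unwraps local-file wrappers such as compress.zlib:// and checks the path behind them. The ownership table, the wrapper list and the uids are constructed assumptions standing in for stat() and the real wrapper registry.

```c
/* Added example, not PHP source: the safe-mode short circuit from the
 * advisory beside a hardened variant; ownership comes from a table, not stat(). */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Constructed ownership table: path -> owner uid (hypothetical values). */
struct owned { const char *path; int uid; };
static const struct owned files[] = {
    { "/etc/passwd", 0 }, { "/home/alice/notes.txt", 1000 }, { NULL, 0 }
};
/* Wrappers that only read a local file (hypothetical subset). */
static const char *local_wrappers[] = { "file", "compress.zlib", NULL };

/* Length of a "scheme://" prefix, mirroring the scan loop in
 * php_stream_locate_url_wrapper(); 0 when there is no scheme (a lone
 * drive letter such as "c:/" does not count, just as in the original). */
size_t scheme_len(const char *path) {
    const char *p = path;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    size_t n = (size_t)(p - path);
    return (*p == ':' && n > 1 && strncmp(p, "://", 3) == 0) ? n : 0;
}
/* 1 when script_uid owns the file, 0 otherwise (unknown file: deny). */
static int owner_matches(const char *path, int script_uid) {
    for (const struct owned *f = files; f->path; f++)
        if (strcmp(f->path, path) == 0)
            return f->uid == script_uid;
    return 0;
}

/* Vulnerable shape: any recognised scheme skips the ownership check,
 * so "compress.zlib:///etc/passwd" passes for every uid. */
int checkuid_vulnerable(const char *path, int script_uid) {
    if (scheme_len(path) > 0)
        return 1;
    return owner_matches(path, script_uid);
}

/* Hardened shape: local-file wrappers are stripped and the path behind
 * them is checked; other schemes are left to the URL wrapper policy. */
int checkuid_hardened(const char *path, int script_uid) {
    size_t n = scheme_len(path);
    if (n == 0)
        return owner_matches(path, script_uid);
    for (const char **w = local_wrappers; *w; w++)
        if (strlen(*w) == n && strncmp(path, *w, n) == 0)
            return owner_matches(path + n + 3, script_uid);
    return 1;
}
```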

Bug 361856 cloned as bug 361915. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.


Tags added: security. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.


Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.


Notification sent to Oliver Paulus <oliver@code-project.org>:
Bug acknowledged by developer.


Message #23 received at 361856-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Oliver Paulus <oliver@code-project.org>, 361854-done@bugs.debian.org, 361855-done@bugs.debian.org, 361856-done@bugs.debian.org, 361853-done@bugs.debian.org
Subject: Re: Bug#361854: function *() php/apache Crash PHP 4.4.2 and 5.1.2
Date: Mon, 10 Apr 2006 22:01:02 -0700
Version: 4:4.4.2-1
severity 361854 important
severity 361855 important
severity 361856 important
thanks

On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/34

On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/35

On Mon, Apr 10, 2006 at 11:16:11PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/36

On Mon, Apr 10, 2006 at 11:17:52PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/37

It is my understanding that all of these bugs are fixed in the etch version
of php4; I'm accordingly marking them as closed.

In addition, except for the cross-site scripting bug, none of these appear
to warrant severity: grave.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361856; Package php4.


Acknowledgement sent to Allard Hoeve <allard@byte.nl>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #28 received at 361856@bugs.debian.org:

From: Allard Hoeve <allard@byte.nl>
To: Debian Bug Tracking System <361856@bugs.debian.org>
Cc: Steve Langasek <vorlon@debian.org>
Subject: Re: Bug#361856: marked as done (copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2)
Date: Tue, 11 Apr 2006 15:19:09 +0200 (CEST)
Hello Steve,

> #361853
> #361854
> #361855
> #361856
>
> It is my understanding that all of these bugs are fixed in the etch 
> version of php4; I'm accordingly marking them as closed.

But these issues are not yet fixed in the sarge version. Shouldn't they be 
fixed there?

Regards,

Allard Hoeve



Bug marked as found in version 4:4.4.2-1. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Bug marked as not found in version 4:4.4.2-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug marked as fixed in version 4:4.4.2-1, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361856; Package php4.


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #39 received at 361856@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Allard Hoeve <allard@byte.nl>, 361856@bugs.debian.org
Subject: Re: Bug#361856: marked as done (copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2)
Date: Tue, 11 Apr 2006 16:46:14 -0700
On Tue, Apr 11, 2006 at 03:19:09PM +0200, Allard Hoeve wrote:

> >#361853
> >#361854
> >#361855
> >#361856

> >It is my understanding that all of these bugs are fixed in the etch 
> >version of php4; I'm accordingly marking them as closed.

> But these issues are not yet fixed in the sarge version. Shouldn't they be 
> fixed there?

Grave-severity security bugs will normally be fixed in stable, yes.
Severity: important security bugs may be fixed at the discretion of the
security team.

Neither factor is a reason not to mark the bugs as fixed in etch if this is
the case.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Changed Bug title. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361856; Package php4.


Acknowledgement sent to Allard Hoeve <allard@byte.nl>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #48 received at 361856@bugs.debian.org:

From: Allard Hoeve <allard@byte.nl>
To: 361856@bugs.debian.org
Cc: control@bugs.debian.org
Subject: patch
Date: Wed, 12 Apr 2006 11:01:08 +0200 (CEST)
tags patch
thanks

Dear Maintainers,

This is the patch from CVS (5.1.x) backported to 4.3.10-16.

Please review.

http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/file.c?r1=1.409.2.5&r2=1.409.2.6&pathrev=PHP_5_1

Regards,

Allard
[copy.diff (text/plain, attachment)]

Tags added: patch. Request was from Allard Hoeve <allard@byte.nl> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361856; Package php4.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #55 received at 361856@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 361856@bugs.debian.org, control@bugs.debian.org, 361854@bugs.debian.org
Subject: also not fixed in 4.4.2 but in 4.4.3
Date: Mon, 14 Aug 2006 22:47:04 +0200
found 361856 4:4.4.2-1.1
found 361854 4:4.4.2-1.1
thanks

see
http://secunia.com/advisories/19599/
for #361856

http://www.frsirt.com/english/advisories/2006/1290
for #361854



Bug marked as found in version 4:4.4.2-1.1. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Bug closed, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from sean finney <seanius@seanius.net> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 09:51:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:57:30 2019; Machine Name: beach
