-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: PHP open_basedir Race Condition Vulnerability
Release Date: 2006/10/04 Last Modified: 2006/10/04 Author: Stefan Esser [email@example.com]
Application: PHP 4/5 Not affected: PHP with Suhosin Extension 0.9.6 Severity: A design flaw of open_basedir allows bypassing it with the symlink() function Risk: Critical References: http://www.hardened-php.net/advisory_082006.132.html
Quote from http://www.php.net "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML."
The design of the open_basedir feature of PHP that is meant to disallow access to files outside a set of configured directories is vulnerable to race conditions.
It was discovered that this design flaw can be exploited with the usage of PHP's symlink() function in a very easy way. We believe that the only solution to this problem is disabling the function symlink() while open_basedir is used (this feature was therefore added to our Suhosin PHP Security Extension).
Fixing the flaw in the open_basedir design seems infeasible because there is no way to fix the potential race condition when accessing the file is done within an external library.
The successful exploitation of this vulnerability allows access to files normally not accessible due to the open_basedir restriction.
PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed.
Obviously there is a little span of time between the check and the actual open call. During this time span the checked path could have been altered and point to a file that is forbidden to be accessed due to open_basedir restrictions.
Because the open_basedir restrictions often not call PHP functions but 3rd party library functions to actually open the file it is impossible to close this time span in a general way. It would only be possible to close it when PHP handles the actual opening on it's own.
While it seems hard to change the path during this little time span it is very simple with the use of the symlink() function combined with a little trick. PHP's symlink() function ensures that source and target of the symlink operation are allowed by open_basedir restrictions (and safe_mode). However it is possible to point a symlink to any file by the use of mkdir(), unlink() and at least two symlinks.
Example (pseudo PHP code):
mkdir("a/a/a/a/a/a"); symlink("a/a/a/a/a/a", "dummy"); symlink("dummy/../../../../../../", "xxx"); unlink("dummy"); symlink(".", "dummy");
After this code sequence "xxx" points to 6 directories up. Having achieved this it is possible for an attacker to exploit the race condition by creating 2 PHP scripts.
The first script alternates a symbolic link between a file that is allowed and the one that is forbidden by open_basedir and the second script simply puts loops around operations trying to operate on the symbolic link.
The result is that sometimes in the loop the race is lost and the operation is performed on the allowed file, sometimes it just produces errors, because the symlink was deleted and sometimes it triggers the open_basedir error-message. However sooner or later the race will be won and the operation is performed on the file that is actually forbidden due to open_basedir restrictions.
Proof of Concept:
The Hardened-PHP Project is not going to release exploits for this vulnerability to the public.
Because the design flaw cannot be solved it is strongly recommended to disable the symlink() function if you are using the open_basedir feature. You can achieve that by adding symlink to the list of disabled functions within your php.ini
Additionally you should start thinking about not relying on PHP's open_basedir and safe_mode restrictions but on actual operating system features like chroots and jails, because open_basedir and safe_mode are simply insecure by design.
As usual we also strongly recommend to install the latest version of our Suhosin Extension. The current version 0.9.6 disallows symlink() while open_basedir is used by default. Additionally it comes with configurable function black- and white-lists that can work (unlike disable_functions) on a per virtual host basis.
Grab your copy and more information at:
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2006 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFIo/JRDkUzAqGSqERAn+rAJ93dWhQbji9U+eDE5dMg1zW4oW1TgCgpeBK vozA1xGe6310M1CFM9OIJSw= =I0fJ -----END PGP SIGNATURE-----