PHP cURL 'safe mode'安全绕过漏洞

BUGTRAQ ID: 27413
CVE ID:CVE-2007-4850
CNCVE ID:CNCVE-20074850

PHP是一款流行的网络编程语言。
PHP cURL存在’safe mode’安全绕过问题，远程攻击者可以利用漏洞访问受限制文件，获得敏感信息。
var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00&qu
ot;.FILE)));
is caused by error in curl/interface.c

---

#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len,
__ret) if (((PG(open_basedir) && *PG(open_basedir)) ||
PG(safe_mode)) &&
strncasecmp(str, "file:",
sizeof("file:") - 1) == 0) { php_url *tmp_url; if (!(tmp_url = php_url_parse_ex(str, len))) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL
‘%s’", str); php_curl_ret(__ret); } if (!php_memnstr(str, tmp_url->path,
strlen(tmp_url->path), str + len)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL ‘%s’
contains unencoded control characters", str); php_url_free(tmp_url); php_curl_ret(__ret); } if (tmp_url->query || tmp_url->fragment ||
php_check_open_basedir(tmp_url->path TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(tmp_url->path,
"rb+", CHECKUID_CHECK_MODE_PARAM)) ) { php_url_free(tmp_url); php_curl_ret(__ret); } php_url_free(tmp_url); }

---

如果tmp_url = php_url_parse_ex(str, len)：
str = "file://safe_mode_bypass\x00".FILE

并且此函数返回：
tmp_url->path = FILE
curl_init()函数检查tmp_url->path的safemode和openbasedir。不是实际路径：

Details : SecurityReason Advisory

Topic : PHP 5.2.5 cURL safe_mode bypass
SecurityAlert : 51
CVE : CVE-2007-4850
SecurityRisk : Medium alert
Remote Exploit : No
Local Exploit : Yes
Exploit Given : No
Credit : Maksymilian Arciemowicz
Date : 22.01.2008

Affected Software : PHP 5.2.5 and 5.2.4

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.5 cURL safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:

• • Written: 21.08.2007
• • Public: 22.01.2008

SecurityReason Research
SecurityAlert Id: 51

CVE: CVE-2007-4850
SecurityRisk: Medium

Affected Software: PHP 5.2.4 and 5.2.5
Advisory URL:
http://securityreason.com/achievement_securityalert/51
Vendor: http://www.php.net

• — 0.Description —

PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to
allow web developers to write dynamically generated pages
quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that
allows you to connect and communicate to many different types of
servers with many different types of protocols. libcurl currently
supports the http, https, ftp, gopher, telnet, dict, file, and
ldap protocols. libcurl also supports HTTPS certificates, HTTP
POST, HTTP PUT, FTP uploading (this can also be done with PHP’s
ftp extension), HTTP form based upload, proxies, cookies, and
user+password authentication.

These functions have been added in PHP 4.0.2.

• — 1. cURL —
  This is very similar to CVE-2006-2563.

http://securityreason.com/achievement_securityalert/39

The first issue [SAFE_MODE bypass]

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00&qu
ot;.FILE)));

is caused by error in curl/interface.c

---

#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len,
__ret) if (((PG(open_basedir) && *PG(open_basedir)) ||
PG(safe_mode)) &&
strncasecmp(str, "file:",
sizeof("file:") - 1) == 0) { php_url *tmp_url; if (!(tmp_url = php_url_parse_ex(str, len))) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL
‘%s’", str); php_curl_ret(__ret); } if (!php_memnstr(str, tmp_url->path,
strlen(tmp_url->path), str + len)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL ‘%s’
contains unencoded control characters", str); php_url_free(tmp_url); php_curl_ret(__ret); } if (tmp_url->query || tmp_url->fragment ||
php_check_open_basedir(tmp_url->path TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(tmp_url->path,
"rb+", CHECKUID_CHECK_MODE_PARAM)) ) { php_url_free(tmp_url); php_curl_ret(__ret); } php_url_free(tmp_url); }

---

if you have tmp_url = php_url_parse_ex(str, len)
where:

str = "file://safe_mode_bypass\x00".FILE

and this function will return:

tmp_url->path = FILE

curl_init() functions checks safemode and openbasedir for
tmp_url->path. Not for real path.

---

if (argc > 0) {
char *urlcopy;
urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
zend_llist_add_element(&ch->to_free.str, &urlcopy);
}

---

最后一步curl_init()函数只拷贝file://safe_mode_bypass到urlcopy。
主要问题存在于php_url_parse_ex()函数中，如果curl_init() "file://host/somewhere/path.php"，php_url_parse_ex()就会选择/somewhere/path.php到路径变量，看起来不错，但不能使用，当你检查实际路径时，使用file:///etc/passwd是正确的，但是会在file://和/etc/passwd之间，php_url_parse_ex()会选择主机和返回路径给/passwd。

PHP PHP 5.2.5
PHP PHP 5.2.4
可参考如下补丁程序：
<a href=“http://cvs.php.net/viewcvs.cgi/php-src/NEWS?revision=1.2027.2.547” target=“_blank”>http://cvs.php.net/viewcvs.cgi/php-src/NEWS?revision=1.2027.2.547</a>
.2.1047&view=markup