6765427 2001-07-18 02:53 +0200 /28 lines/ Laurent Sintes <sintes@nfrance.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-18 18:28 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18068>
Extra copy: PHP (-) erfarenhetsutbyte <231>
Sent: 2001-07-18 19:25
Sent by Mathias Hansson (banana seats for grease monkeys)
Subject: php mail function bypass safe_mode restriction
------------------------------------------------------------
From: Laurent Sintes <sintes@nfrance.com>
To: bugtraq@securityfocus.com
Message-ID: <20010718025357.A19592@albertine.nfrance.com>

php mail() function does not check for escape shell commands, even if
php is running in safe_mode.

So it may be possible to bypass the safe_mode restriction and gain
shell access.

Affected:
php4.0.6
php4.0.5

Significant lines of ext/standard/mail.c:

>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("toto@toto.com",
     "test",
     "test",
     "test",
     "; shell_cmd");
(6765427) /Laurent Sintes <sintes@nfrance.com>/-----
Comment in text 6765813 by Salim Gasmi <salim@sdv.fr>

6765813 2001-07-18 19:07 +0200 /51 lines/ Salim Gasmi <salim@sdv.fr>
Sent by: joel@lysator.liu.se
Imported: 2001-07-18 20:22 by Brevbäraren
External recipient: Laurent Sintes <sintes@nfrance.com>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18082>
Comment to text 6765427 by Laurent Sintes <sintes@nfrance.com>
Subject: Re: php mail function bypass safe_mode restriction
------------------------------------------------------------
From: Salim Gasmi <salim@sdv.fr>
To: Laurent Sintes <sintes@nfrance.com>, bugtraq@securityfocus.com
Message-ID: <5.1.0.14.0.20010718190033.033ce8c0@panoramix.sdv.fr>

At 18/07/2001 02:53, Laurent Sintes wrote:
>php mail() function does not check for escape shell commands,
>even if php is running in safe_mode.
>
>So it may be possible to bypass the safe_mode restriction and gain
>shell access.
>
>Affected:
>php4.0.6
>php4.0.5
>
>Significant lines of ext/standard/mail.c:
>
> >extra_cmd = (*argv[4])->value.str.val;
> >strcat (sendmail_cmd, extra_cmd);
> >sendmail = popen(sendmail_cmd, "w");
>
>Exploit:
>mail("toto@toto.com",
>     "test",
>     "test",
>     "test",
>     "; shell_cmd");

I confirm, this works ...

A very trivial patch if like me you cannot disable the mail() function
is to:

Add this line: extra_cmd=NULL;
in file ext/standard/mail.c, (line #152, just before if (extra_cmd != NULL) { ) :
and recompile php.

This will force the parameter extra_cmd to NULL and thus disable the bug.

This is a fast and trivial patch, the right way is to unescape all
characters in extra_cmd.

Salim
***************************************************
Gasmi Salim - SdV Plurimedia <http://www.sdv.fr>
Directeur technique / C.T.O
PGP Key available at: http://www.gasmi.net/pgp.txt
***************************************************
(6765813) /Salim Gasmi <salim@sdv.fr>/----(re-wrapped)
Comment in text 6770271 by Laurent Sintes <sintes@nfrance.com>

6770271 2001-07-18 20:03 +0200 /21 lines/ Laurent Sintes <sintes@nfrance.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-19 18:32 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18111>
Comment to text 6765813 by Salim Gasmi <salim@sdv.fr>
Subject: Re: php mail function bypass safe_mode restriction
------------------------------------------------------------
From: Laurent Sintes <sintes@nfrance.com>
To: bugtraq@securityfocus.com
Message-ID: <20010718200339.A19480@albertine.nfrance.com>

> Add this line: extra_cmd=NULL;
> in file ext/standard/mail.c, (line #152, just before if (extra_cmd !=
> NULL) { ) :
> and recompile php.

You can also use extra_cmd = php_escape_shell_cmd(extra_cmd); to
unescape all characters.
In latest CVS you can see
extra_cmd = php_escape_shell_arg(Z_STRVAL_PP(argv[4]));
But it is not a sufficient check because php_escape_shell_arg does not
escape all characters.

See ext/standard/exec.c for php_escape_shell_* code.
(6770271) /Laurent Sintes <sintes@nfrance.com>/-----

6770331 2001-07-18 18:03 +0000 /26 lines/ Laurent Sintes <sintes@nfrance.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-19 18:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18114>
Subject: Re: php mail function bypass safe_mode restriction
------------------------------------------------------------
From: Laurent Sintes <sintes@nfrance.com>
To: bugtraq@securityfocus.com
Message-ID: <05256A8E.005DD0B2.00@mail.awiweb.com>

> Add this line: extra_cmd=NULL;
> in file ext/standard/mail.c, (line #152, just before if (extra_cmd !=
> NULL) { ) :
> and recompile php.

You can also use extra_cmd = php_escape_shell_cmd(extra_cmd); to
unescape all characters.

In latest CVS you can see
extra_cmd = php_escape_shell_arg(Z_STRVAL_PP(argv[4]));
But it is not a sufficient check because php_escape_shell_arg does not
escape all characters.

See ext/standard/exec.c for php_escape_shell_* code.
(6770331) /Laurent Sintes <sintes@nfrance.com>/-----
Comment in text 6770833 by Jon Ribbens <jon+bugtraq@unequivocal.co.uk>

6770833 2001-07-19 20:05 +0100 /14 lines/ Jon Ribbens <jon+bugtraq@unequivocal.co.uk>
Sent by: joel@lysator.liu.se
Imported: 2001-07-19 21:32 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18136>
Comment to text 6770331 by Laurent Sintes <sintes@nfrance.com>
Subject: Re: php mail function bypass safe_mode restriction
------------------------------------------------------------
From: Jon Ribbens <jon+bugtraq@unequivocal.co.uk>
To: bugtraq@securityfocus.com
Message-ID: <20010719200545.D6312@snowy.squish.net>

Laurent Sintes <sintes@nfrance.com> wrote:
> extra_cmd = php_escape_shell_arg(Z_STRVAL_PP(argv[4]));
>
> But it is not a sufficient check because php_escape_shell_arg
> does not escape all characters.

False. escape_shell_arg will successfully escape all characters from
shells.
(6770833) /Jon Ribbens <jon+bugtraq@unequivocal.co.uk>/

6770564 2001-07-19 01:43 -0400 /60 lines/ Stuart Moore <info@securitytracker.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-19 19:59 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: sintes@nfrance.com
Recipient: Bugtraq (import) <18131>
Subject: Re: php mail function bypass safe_mode restriction
------------------------------------------------------------
From: Stuart Moore <info@securitytracker.com>
To: bugtraq@securityfocus.com, sintes@nfrance.com
Message-ID: <3B567368.233FE64@securitytracker.com>

Hi.

I might be having a case of deja vu, because this problem sounds
familiar.

Is this problem different from the one posted by Joost Pol
<joost@contempt.nl> on Sat Jun 30 2001 12:40:06 ("php breaks safe
mode")? In that one, a problem with an extra 5th parameter that was
added to the mail() command and broke safemode was described, affecting
4.0.5.
See: http://www.securityfocus.com/bid/2954

Also, from January 2000 there was a report of a problem in PHP 3 where
the popen() command, used by mail(), fails to be applied to the
EscapeShellCmd() command.

See: http://www.securityfocus.com/bid/911

So, is the problem with popen() or with mail()?

Stuart

----------------------------
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore @ securityglobal.net
----------------------------

-----------------------------------------------------------------
php mail() function does not check for escape shell commands, even if
php is running in safe_mode.

So it may be possible to bypass the safe_mode restriction and gain
shell access.

Affected:
php4.0.6
php4.0.5

Significant lines of ext/standard/mail.c:

>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("toto@toto.com",
     "test",
     "test",
     "test",
     "; shell_cmd");
-----------------------------------------------------------------
(6770564) /Stuart Moore <info@securitytracker.com>/(re-wrapped)
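The escaping the thread argues about, as an added example that is not PHP's code and was not posted by anyone in the thread: a single-quote escaper written in the style of php_escape_shell_arg, the verbatim concatenation from the quoted mail.c lines beside a form that quotes the fifth mail() parameter before appending it, and an allow-list check that application code can apply to that parameter before it ever reaches the shell. The function names, the sendmail command string, the separating space in the concatenation and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Single-quote escaping in the style of php_escape_shell_arg (an
 * illustrative reimplementation, not PHP's code): wrap the string in
 * '...' and rewrite each embedded ' as '\''.  Inside single quotes the
 * shell treats ; | & $ ` and newlines literally, so the result is
 * always exactly one argv word.  Returns a malloc'd string; caller frees. */
char *shell_quote_arg(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 4 + 3);   /* worst case: every byte is ' */
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = *s;
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Mirrors the strcat() in the quoted mail.c lines: the fifth mail()
 * parameter is appended to the sendmail command line as-is (the single
 * separating space is an assumption of this example). */
char *build_sendmail_cmd_unsafe(const char *sendmail_cmd, const char *extra_cmd)
{
    size_t n = strlen(sendmail_cmd) + 1 + strlen(extra_cmd) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, "%s %s", sendmail_cmd, extra_cmd);
    return cmd;
}

/* Hardened form: quote extra_cmd before concatenating, so the string
 * handed to popen() carries it as a single argument to sendmail. */
char *build_sendmail_cmd_safe(const char *sendmail_cmd, const char *extra_cmd)
{
    char *quoted = shell_quote_arg(extra_cmd);
    if (quoted == NULL)
        return NULL;
    char *cmd = build_sendmail_cmd_unsafe(sendmail_cmd, quoted);
    free(quoted);
    return cmd;
}

/* Defence in depth for callers: accept only one legitimate use of the
 * fifth parameter, an envelope sender of the form -f<address> (with or
 * without a space), made of address characters only.  Anything else,
 * including "; shell_cmd", is rejected before the shell is involved. */
int extra_cmd_is_allowed(const char *extra_cmd)
{
    static const char addr_chars[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789.@_+-";
    if (strncmp(extra_cmd, "-f", 2) != 0)
        return 0;
    const char *addr = extra_cmd + 2;
    if (*addr == ' ')
        addr++;
    if (*addr == '\0' || strspn(addr, addr_chars) != strlen(addr))
        return 0;
    return strchr(addr, '@') != NULL;
}

int main(void)
{
    /* Constructed sample: a sendmail command line of the kind mail.c
     * builds, and the fifth parameter from the thread's first message. */
    const char *sendmail = "/usr/sbin/sendmail -t -i";
    const char *extra = "; shell_cmd";

    char *unsafe = build_sendmail_cmd_unsafe(sendmail, extra);
    char *safe = build_sendmail_cmd_safe(sendmail, extra);
    printf("unsafe:  %s\n", unsafe);   /* the ; ends the sendmail command */
    printf("safe:    %s\n", safe);     /* one quoted argument to sendmail */
    printf("allowed: %d\n", extra_cmd_is_allowed(extra));
    printf("allowed: %d\n", extra_cmd_is_allowed("-fbounce@example.com"));
    free(unsafe);
    free(safe);
    return 0;
}
```

The quoting belongs in the interpreter, which is where the CVS change the thread mentions puts it; the allow-list belongs in application code, because quoting alone still lets the caller pass any single argument through to sendmail, and where the fifth parameter is derived from user input that is the control worth having even on a patched build.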