[UNIX] PEAR LiveUser Arbitrary File Access

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PEAR LiveUser Arbitrary File Access
------------------------------------------------------------------------


SUMMARY

<http://pear.php.net/package/LiveUser/> LiveUser is a user authentication
and permission management framework that is part of php's PEAR Library.
LiveUser has many different features, including the ability to remember a
user via cookies.

There is a file access vulnerability in PEAR LiveUser that allows an
attacker to access arbitrary files on the server.

DETAILS

Vulnerable Systems:
* PEAR LiveUser versions 0.16.8 and prior.

There is an issue with how extracted cookie data is handled by the
LiveUser library within the remember feature, which makes it possible for
an attacker to gain access to, and even delete potentially sensitive files
on the webserver.

Arbitrary File Access:
$cookieData = $_COOKIE[$this->_options['cookie']['name']];
if (strlen($cookieData) < 65
// kill all old style remember me cookies
|| (strpos($cookieData, ':') && strpos($cookieData, ':') < 64)
) {
// Delete cookie if it's not valid, keeping it messes up the
// authentication process
$this->deleteRememberCookie();
$this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
'Wrong data in cookie store in
LiveUser::readRememberMeCookie()');
return false;
}

$store_id = substr($cookieData, 0, 32);
$passwd_id = substr($cookieData, 32, 32);
$handle = substr($cookieData, 64);

$dir = $this->_options['cookie']['savedir'];

$fh = @fopen($dir . '/' . $store_id . '.lu', 'rb');
if (!$fh) {
$this->deleteRememberCookie();
$this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
'Cannot open file for reading');
return false;
}

$fields = fread($fh, 4096);
fclose($fh);
if (!$fields) {
$this->deleteRememberCookie();
$this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
'Cannot read file');
return false;
}

The above code is taken from LiveUser.php @ lines 1269-1303 and clearly
shows the $store_id variable being assigned unsanitized data, which is
passed to an fopen called shortly thereafter. The good news is that as far
as I can tell this issues can not be abused in a real world scenario much
further than enumerating file existence on the local filesystem.

Arbitrary File Deletion:
Similar to the previously mentioned issue, this vulnerability may allow a
malicious user to delete arbitrary files on the local server by supplying
malicious cookie data.

$cookieData = $_COOKIE[$this->_options['cookie']['name']];
if (strlen($cookieData) < 65) {
$this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
'Wrong data in cookie store in
LiveUser::deleteRememberCookie()');
return false;
}

$store_id = substr($cookieData, 0, 32);
@unlink($this->_options['cookie']['savedir'] . '/'.$store_id.'.lu');

The above code is also taken from LiveUser.php and resides @ lines
1343-1351. Here we see user supplied data being used in an unlink call
which could allow an attacker to delete arbitrary files on the local
server by traversing out of the cwd and terminating the fopen call with a
null byte.

Patch Availability:
An updated version of the LiveUser framework has been released to address
these issues.
The current release is LiveUser 0.16.9 and users should update their
LiveUser libraries as soon as possible.


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.gulftech.org/?node=research&article_id=00103-02212006>
http://www.gulftech.org/?node=research&article_id=00103-02212006



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages