[UNIX] PHP Multibyte Shell Command Escaping Bypass Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 May 2008 07:42:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHP Multibyte Shell Command Escaping Bypass Vulnerability
------------------------------------------------------------------------
SUMMARY
"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."
Several shell locales with support for East Asian variable-width
encodings allow bypassing PHP's shell command escaping functions,
safe_mode and disable_functions.
DETAILS
Vulnerable Systems:
* PHP 5 version 5.2.5
* PHP 4 version 4.4.8
Immune Systems:
* PHP 5 version 5.2.6
In PHP there exist two functions to escape shell commands or arguments to
shell commands that are used in PHP applications to protect against shell
command injection vulnerabilities.
- escapeshellcmd()
- escapeshellarg()
Unfortunately it was discovered that both functions fail to protect
against shell command injection when the shell uses a locale with a
variable-width character set such as GBK, EUC-KR or SJIS.
This can lead to arbitrary shell command injection vulnerabilities in PHP
applications believed to be safe. In addition, exploiting this problem in
PHP functions that use this shell escaping internally allows bypassing
safe_mode and disable_functions.
Details:
escapeshellcmd()
escapeshellcmd() puts a single backslash character in front of every
shell metacharacter (such as ; $ < >) to escape it. This function is
normally used to ensure that only a single shell command is executed and
that it is not possible to append further shell commands.
The problem is that the backslash character is a legal second byte in
several variable-width encodings. Because of this, a shell that is for
example configured to use a locale with the GBK character set will
consider the introduced backslash part of a multibyte character rather
than an escape for the following metacharacter.
Example:
escapeshellcmd("echo ".chr(0xc0).";id");
Executing the result of this will therefore result in echo and id being
executed.
escapeshellarg()
escapeshellarg() does not use the backslash character to escape shell meta
characters. Instead it places the argument in single quotes and only
escapes single quotes in the argument with the string '\'' . Because of
this it is not possible to use the same trick. However, when there are
multiple inputs it is possible to "eat" the terminating single quote,
which results in shell command injection through the second argument.
Example:
$arg1 = chr(0xc0);
$arg2 = "; id ; #";
$cmd = "echo ".escapeshellarg($arg1)." ".escapeshellarg($arg2);
In this example the 0xC0 byte forms a multibyte character with the
terminating single quote. Therefore the starting single quote of $arg2
is used as the terminating single quote, and the content of $arg2 can
inject arbitrary shell commands.
NOTE: This attack works because on several platforms even invalid second
bytes are accepted as part of a multibyte character.
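The following is an added defensive example; it is not code from the advisory or from PHP itself. Both bypasses above depend on a byte such as 0xC0 that a GBK, EUC-KR or SJIS shell treats as the lead byte of a multibyte character, swallowing the backslash or quote that follows it. An application can refuse that class of input before it reaches escapeshellarg(), independent of which PHP version or shell locale is in use. The function names and the sample inputs are constructed for this example; the second input pair is the advisory's own $arg1/$arg2 case.

```php
<?php
// Added example, not code from the advisory or from PHP itself.
// A byte-level whitelist applied before escapeshellarg(): refusing every
// byte outside printable ASCII means no multibyte lead byte can ever
// combine with the quoting that escapeshellarg() emits, whatever locale
// the shell that later runs the command happens to use.

function assert_ascii_shell_safe(string $s): void
{
    // Reject bytes >= 0x80 (possible multibyte lead bytes), control bytes
    // including NUL, and the backslash itself. Without the /u modifier
    // PCRE matches byte by byte, which is exactly what we want here.
    if (preg_match('/[^\x20-\x7e]|\\\\/', $s) === 1) {
        throw new InvalidArgumentException(
            'argument contains a non-ASCII, control or backslash byte'
        );
    }
}

function safe_shell_arg(string $s): string
{
    assert_ascii_shell_safe($s);
    return escapeshellarg($s);
}

// Constructed inputs. The second pair is the advisory's own example:
// $arg1 = chr(0xc0) and $arg2 = "; id ; #".
$cases = [
    ['hello', '; id ; #'],
    [chr(0xc0), '; id ; #'],
];

foreach ($cases as [$arg1, $arg2]) {
    try {
        $cmd = 'echo ' . safe_shell_arg($arg1) . ' ' . safe_shell_arg($arg2);
        echo "accepted: $cmd\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: arg1=0x' . bin2hex($arg1) . ' (' . $e->getMessage() . ")\n";
    }
}
```

The first pair is accepted and becomes echo 'hello' '; id ; #', where the metacharacters in $arg2 are harmless because escapeshellarg() has quoted them; the second pair is rejected on $arg1 before the shell ever sees the 0xC0 byte. PHP 5.2.6 changed the escaping functions themselves, so the whitelist is an application-side check that does not rely on the interpreter or the shell locale being safe.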
safe_mode_exec_dir bypass
Because of the vulnerability described above, it is possible to bypass the
safe_mode_exec_dir directive of PHP. This directive is supposed to ensure
that only shell commands within the allowed directory can be executed.
However, this attack is only feasible when the shell uses one of the
vulnerable locales, because during safe_mode it is not possible to set the
LANG environment variable that would influence the shell.
mail() fifth parameter - disable_functions bypass
Because of the vulnerability described above, it is possible to execute
arbitrary shell commands on a system even when all shell execution
functions like shell_exec(), system(), ... are disabled by the
disable_functions directive, but mail() is still allowed. This attack
relies on the fact that the fifth mail() parameter is used as argument to
the sendmail binary and escaped with escapeshellcmd() internally to ensure
that no further shell commands are appended.
Because PHP scripts can influence the locale of the shell (unless running
in safe_mode) this attack allows bypassing the setting of
disable_functions when a vulnerable locale is installed on the system. In
case the system's shell does not support one of the vulnerable character
sets the attack is not feasible.
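As an added example (not code from the advisory or from PHP itself), here is one way an application can keep raw user input out of the fifth mail() parameter, which the advisory explains is passed to the sendmail command line after escapeshellcmd(). The wrapper permits only the common "-f <envelope sender>" use and accepts the address only if it is plain ASCII; the function names and sample addresses are constructed, and the second sample reuses the advisory's 0xC0 byte and "; id" payload.

```php
<?php
// Added example, not code from the advisory or from PHP itself.
// Validates an envelope sender before it is handed to mail() as the
// fifth argument ("-f<address>"), so that no non-ASCII byte or shell
// metacharacter ever reaches escapeshellcmd() and the sendmail process.

function validate_envelope_sender(string $sender): bool
{
    // Strict ASCII pattern: local part, "@", a dotted hostname. Without
    // the /u modifier PCRE matches bytes, so a 0xC0 byte fails the
    // character classes and therefore the anchored match as a whole.
    $pattern = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/';
    if (preg_match($pattern, $sender) !== 1) {
        return false;
    }
    // Second, independent check using PHP's own e-mail syntax validator.
    return filter_var($sender, FILTER_VALIDATE_EMAIL) !== false;
}

function mail_with_envelope_sender(string $to, string $subject, string $body,
                                   string $headers, string $sender): bool
{
    if (!validate_envelope_sender($sender)) {
        throw new InvalidArgumentException('envelope sender rejected');
    }
    // Only the validated address reaches the sendmail command line.
    return mail($to, $subject, $body, $headers, '-f' . $sender);
}

// Constructed inputs; the second appends the advisory's 0xC0 byte and
// "; id" payload to an otherwise valid address.
$senders = [
    'alice@example.com',
    'bob@example.com' . chr(0xc0) . '; id',
];

foreach ($senders as $sender) {
    printf("%s %s\n",
        validate_envelope_sender($sender) ? 'accepted' : 'rejected',
        bin2hex($sender));
}
```

The demo loop calls only the validator so that running it does not attempt delivery; mail_with_envelope_sender() shows where the check sits relative to the real mail() call. Where the fifth parameter is not needed at all, omitting it entirely is the simplest mitigation.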
Disclosure Timeline:
07. March 2008 - Notified security@xxxxxxx
01. May 2008 - PHP developers released PHP 5.2.6
06. May 2008 - Public Disclosure
Recommendation:
It is recommended to upgrade to the latest version of PHP which also fixes
additional vulnerabilities reported by third parties.
Grab your copy at: http://www.php.net/downloads.php
ADDITIONAL INFORMATION
The information has been provided by Stefan Esser
<mailto:stefan.esser@xxxxxxxxxxxxxx>.
The original article can be found at:
http://www.sektioneins.de/advisories/SE-2008-03.txt