Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0738 -- [Win][UNIX/Linux]
PHP open_basedir Race Condition Vulnerability
9 October 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PHP 5
PHP 4
Publisher: Hardened-PHP Project
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Inappropriate Access
Access: Remote/Unauthenticated
Original Bulletin: http://www.hardened-php.net/advisory_082006.132.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hardened-PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: PHP open_basedir Race Condition Vulnerability
Release Date: 2006/10/04
Last Modified: 2006/10/04
Author: Stefan Esser [sesser@hardened-php.net]
Application: PHP 4/5
Not affected: PHP with Suhosin Extension 0.9.6
Severity: A design flaw of open_basedir allows bypassing it
with the symlink() function
Risk: Critical
References: http://www.hardened-php.net/advisory_082006.132.html
Overview:
Quote from http://www.php.net
"PHP is a widely-used general-purpose scripting language that
is especially suited for Web development and can be embedded
into HTML."
The design of the open_basedir feature of PHP that is meant to
disallow access to files outside a set of configured directories
is vulnerable to race conditions.
It was discovered that this design flaw can be exploited with
the usage of PHP's symlink() function in a very easy way.
We believe that the only solution to this problem is disabling
the function symlink() while open_basedir is used (this feature
was therefore added to our Suhosin PHP Security Extension).
Fixing the flaw in the open_basedir design seems infeasible
because there is no way to fix the potential race condition
when accessing the file is done within an external library.
The successful exploitation of this vulnerability allows access
to files normally not accessible due to the open_basedir
restriction.
Details:
PHP's open_basedir feature is meant to disallow scripts to access
files outside a set of configured base directories. The checks
for this are placed within PHP functions dealing with files before
the actual open call is performed.
Obviously there is a little span of time between the check and the
actual open call. During this time span the checked path could
have been altered and point to a file that is forbidden to be
accessed due to open_basedir restrictions.
Because the open_basedir restrictions often not call PHP functions
but 3rd party library functions to actually open the file it is
impossible to close this time span in a general way. It would only
be possible to close it when PHP handles the actual opening on it's
own.
While it seems hard to change the path during this little time span
it is very simple with the use of the symlink() function combined
with a little trick. PHP's symlink() function ensures that source
and target of the symlink operation are allowed by open_basedir
restrictions (and safe_mode). However it is possible to point a
symlink to any file by the use of mkdir(), unlink() and at least
two symlinks.
Example (pseudo PHP code):
mkdir("a/a/a/a/a/a");
symlink("a/a/a/a/a/a", "dummy");
symlink("dummy/../../../../../../", "xxx");
unlink("dummy");
symlink(".", "dummy");
After this code sequence "xxx" points to 6 directories up. Having
achieved this it is possible for an attacker to exploit the race
condition by creating 2 PHP scripts.
The first script alternates a symbolic link between a file that
is allowed and the one that is forbidden by open_basedir and the
second script simply puts loops around operations trying to
operate on the symbolic link.
The result is that sometimes in the loop the race is lost and the
operation is performed on the allowed file, sometimes it just
produces errors, because the symlink was deleted and sometimes it
triggers the open_basedir error-message. However sooner or later
the race will be won and the operation is performed on the file
that is actually forbidden due to open_basedir restrictions.
Proof of Concept:
The Hardened-PHP Project is not going to release exploits for
this vulnerability to the public.
Disclosure Timeline:
02. October 2006 - Notified security@php.net
04. October 2006 - Public Disclosure
Recommendation:
Because the design flaw cannot be solved it is strongly recommended
to disable the symlink() function if you are using the open_basedir
feature. You can achieve that by adding symlink to the list of
disabled functions within your php.ini
disable_functions=...,symlink
Additionally you should start thinking about not relying on PHP's
open_basedir and safe_mode restrictions but on actual operating
system features like chroots and jails, because open_basedir and
safe_mode are simply insecure by design.
As usual we also strongly recommend to install the latest version
of our Suhosin Extension. The current version 0.9.6 disallows
symlink() while open_basedir is used by default. Additionally it
comes with configurable function black- and white-lists that
can work (unlike disable_functions) on a per virtual host basis.
Grab your copy and more information at:
http://www.hardened-php.net/suhosin/index.html
GPG-Key:
http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2006 Stefan Esser. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFIo/JRDkUzAqGSqERAn+rAJ93dWhQbji9U+eDE5dMg1zW4oW1TgCgpeBK
vozA1xGe6310M1CFM9OIJSw=
=I0fJ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRSmmZyh9+71yA2DNAQI9MgP/ZG7xz5Y+qAOD3cK3Ue7nCrNz1joypcEU
qDfMSTwPPshlaeewi2yWWArFNV52Z7vizuZMF4b++WDpgrtzHT2YYILscwWUYG9O
xDz535uqHiZviZqXo+ICMEmHIuP7liEqYLl8K9MLwVltmbp6Eb6UlkW00Zc9lrt5
ZikxBfP4aiQ=
=k9gf
-----END PGP SIGNATURE-----