ID:               49026
Comment by:       virus at tgu dot ru
Reported By:      virus at tgu dot ru
Status:           Open
Bug Type:         Safe Mode/open_basedir
Operating System: FreeBSD
PHP Version:      5.2.10
New Comment:

I think the $env parameter of proc_open() should be disabled in safe_mode.


Previous Comments:
------------------------------------------------------------------------

[2009-07-23 08:36:28] virus at tgu dot ru

Description:
------------
Environment variables specified for proc_open are passed without a check, so the safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are ignored. So it becomes possible to use a buffer overflow exploit with "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get access to any files accessible to the apache uid.

In php.ini:
safe_mode = On
safe_mode_gid = On
safe_mode_include_dir =
safe_mode_exec_dir = /usr/bin/safe
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH

Reproduce code:
---------------
<?php
putenv("BLAHBLAH=123");
putenv("LD_LIBRARY_PATH=/no/way");
putenv("PHP_TESTVAR=allowed");
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed');
$dptspec = array(0 => array("pipe", "r"),
                 1 => array("pipe", "w"));
$fp = proc_open('env', $dptspec, $pipes, './', $env);
echo "<pre>";
while (!feof($pipes[1])) echo fgets($pipes[1], 1024);
fclose($pipes[1]);
echo "</pre>";
?>

Expected result:
----------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

PHP_TESTVAR=allowed
PWD=/my/path

Actual result:
--------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

LD_LIBRARY_PATH=/no/way
PHP_TESTVAR=allowed
BLAHBLAH=123
PWD=/my/path

------------------------------------------------------------------------
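
Added example (not part of the original report and not PHP's own code): one way to apply the report's allow/protect rules to the $env array in application code before it reaches proc_open(). The names filter_child_env, filtered_proc_open and the two constants are hypothetical; as an assumption of this sketch, an empty prefix list allows nothing, which is stricter than safe_mode_allowed_env_vars.

```php
<?php
// Added example; function and constant names are hypothetical.
// The two lists mirror the php.ini values shown in the report.
const ALLOWED_PREFIXES = ['PHP_'];            // like safe_mode_allowed_env_vars
const PROTECTED_NAMES  = ['LD_LIBRARY_PATH']; // like safe_mode_protected_env_vars

/** Return only the entries of $env that pass the allow/protect rules. */
function filter_child_env(array $env, array $allowedPrefixes, array $protectedNames): array
{
    $clean = [];
    foreach ($env as $name => $value) {
        $name  = (string) $name;
        $value = (string) $value;
        // Malformed entries: names that are not plain identifiers (this also
        // rejects integer keys and names containing '='), or a NUL in the value.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) || strpos($value, "\0") !== false) {
            continue;
        }
        // Protected names are never passed on, even if a prefix would allow them.
        if (in_array($name, $protectedNames, true)) {
            continue;
        }
        // Deny by default: keep the entry only if an allowed prefix matches.
        foreach ($allowedPrefixes as $prefix) {
            if ($prefix !== '' && strncmp($name, $prefix, strlen($prefix)) === 0) {
                $clean[$name] = $value;
                break;
            }
        }
    }
    return $clean;
}

/** proc_open() wrapper: the child never receives an unfiltered caller-supplied $env. */
function filtered_proc_open(string $cmd, array $spec, &$pipes, ?string $cwd, array $env)
{
    $env = filter_child_env($env, ALLOWED_PREFIXES, PROTECTED_NAMES);
    return proc_open($cmd, $spec, $pipes, $cwd, $env);
}

// The $env array from the report, passed through the filter before 'env' runs.
$env  = ['BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed'];
$proc = filtered_proc_open('env', [1 => ['pipe', 'w']], $pipes, './', $env);
if (is_resource($proc)) {
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
}
```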