Bug 541239 (CVE-2009-4018)
Summary: | CVE-2009-4018 php: proc_open() safe mode restriction bypass | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED DUPLICATE | CC: | jorton |
Severity: | low | Keywords: | Security |
Priority: | low | Version: | unspecified |
Hardware: | All | OS: | Linux |
URL: | http://bugs.php.net/bug.php?id=49026 | Doc Type: | Bug Fix |
Last Closed: | 2009-11-25 15:25:46 UTC | | |
Description
Jan Lieskovsky
2009-11-25 10:56:04 UTC
Reproducer (from upstream bug report):
--------------------------------------

In php.ini:

    safe_mode = On
    safe_mode_gid = On
    safe_mode_include_dir =
    safe_mode_exec_dir = /usr/bin/safe
    safe_mode_allowed_env_vars = PHP_
    safe_mode_protected_env_vars = LD_LIBRARY_PATH

Sample PHP script:

    <?
    putenv("BLAHBLAH=123");
    putenv("LD_LIBRARY_PATH=/no/way");
    putenv("PHP_TESTVAR=allowed");
    $env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way',
                 'PHP_TESTVAR' => 'allowed');
    $dptspec = array(0 => array("pipe", "r"),
                     1 => array("pipe", "w"));
    $fp = proc_open('env', $dptspec, $pipes, './', $env);
    echo "<pre>";
    while(!feof($pipes[1])) echo fgets($pipes[1], 1024);
    fclose($pipes[1]);
    echo "</pre>";
    ?>

Expected result:
----------------

    Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

    Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

    PHP_TESTVAR=allowed
    PWD=/my/path

Actual result:
--------------

    Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

    Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

    LD_LIBRARY_PATH=/no/way
    PHP_TESTVAR=allowed
    BLAHBLAH=123
    PWD=/my/path

This issue does NOT affect the versions of the php package, as shipped with Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the php package, as shipped with Red Hat Enterprise Linux 5.

(In reply to comment #2)
> This issue does NOT affect the versions of the php package, as shipped
> with Red Hat Enterprise Linux 3 and 4.

proc_open only supports cwd, env and other_options parameters as of version 5.0:

http://www.php.net/manual/en/function.proc-open.php#function.proc-open.changelog

This should only be relevant in configurations where safe_mode is on, safe_mode_exec_dir is set to some non-default value (default is /usr/bin, which can be easily bypassed by executing e.g. perl or python), and the command execution functions are not in the disable_functions list.

Issue was fixed upstream in 5.2.11 and 5.3.1.

*** This bug has been marked as a duplicate of bug 169857 ***

Mitre's CVE-2009-4018 record:
-----------------------------

The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.
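
The check that proc_open() did not apply to its env parameter can be sketched as follows. This is an added example, not PHP's actual patch or code from the bug report: it applies the documented putenv() safe-mode rules (a protected name is always denied; otherwise the name must start with an allowed prefix, and an empty allow list permits any name) to each env entry. The helper names `env_entry_permitted` and `filter_env`, and the choice to drop denied entries rather than fail the call, are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* exact=1: name equals an item of the comma-separated list (no spaces
 * around commas assumed); exact=0: name starts with one of the items. */
static int list_match(const char *list, const char *name, int exact) {
    size_t nlen = strlen(name);
    while (*list) {
        size_t len = strcspn(list, ",");
        if (len > 0 && len <= nlen && strncmp(list, name, len) == 0 &&
            (!exact || len == nlen))
            return 1;
        list += len + (list[len] == ',');   /* step past item and comma */
    }
    return 0;
}

/* Hypothetical helper: may this "NAME=value" entry reach the child? */
int env_entry_permitted(const char *entry, const char *allowed,
                        const char *protected_vars) {
    char name[256];
    size_t n = strcspn(entry, "=");
    if (n == 0 || n >= sizeof name)
        return 0;                        /* empty or oversized name: deny */
    memcpy(name, entry, n);
    name[n] = '\0';
    if (list_match(protected_vars, name, 1))
        return 0;                        /* protected list always wins */
    /* An empty allow list permits any name that is not protected. */
    return *allowed == '\0' || list_match(allowed, name, 0);
}

/* Compact env[] in place, keeping permitted entries; returns how many. */
size_t filter_env(const char **env, size_t count, const char *allowed,
                  const char *protected_vars) {
    size_t kept = 0;
    for (size_t i = 0; i < count; i++)
        if (env_entry_permitted(env[i], allowed, protected_vars))
            env[kept++] = env[i];
    return kept;
}

int main(void) {   /* constructed input: the env array from the reproducer */
    const char *env[] = { "BLAHBLAH=123", "LD_LIBRARY_PATH=/no/way",
                          "PHP_TESTVAR=allowed" };
    size_t n = filter_env(env, 3, "PHP_", "LD_LIBRARY_PATH");
    for (size_t i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```

With the php.ini values from the reproducer, only `PHP_TESTVAR=allowed` survives, which matches the expected result in the report.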