Advisory 03/2008: PHP Multibyte Shell Command Escaping Bypass Vulnerability

                          SektionEins GmbH
                         www.sektioneins.de

                      -= Security  Advisory =-

     Advisory: PHP Multibyte Shell Command Escaping Bypass Vulnerability
 Release Date: 2008/05/06
Last Modified: 2008/05/06
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: PHP 5 <= 5.2.5
               PHP 4 <= 4.4.8
     Severity: Several shell locales with support for east asian
               variable width encodings allow bypassing PHP's
               shell command escaping functions, safe_mode and
               disable_functions
         Risk: Medium/High
Vendor Status: Vendor has released PHP 5.2.6 which uses locale
               aware shell command/argument escaping
    Reference: http://www.sektioneins.de/advisories/SE-2008-03.txt

Overview:

   Quote from http://www.php.net
   "PHP is a widely-used general-purpose scripting language that
    is especially suited for Web development and can be embedded
    into HTML."

   In PHP there exist two functions to escape shell commands or
   arguments to shell commands that are used in PHP applications
   to protect against shell command injection vulnerabilities.

      - escapeshellcmd()
      - escapeshellarg()

   Unfortunately it was discovered that both functions fail to
   protect against shell command injection when the shell uses
   a locale with a variable width character set like GBK,
   EUC-KR, SJIS, ..

   This can lead to arbitrary shell command injection vulnerabilities
   in PHP applications believed to be safe. In addition to that
   exploiting this problem in PHP functions that use this shell
   escaping internally allows safe_mode and disable_functions
   bypass.

Details:

   [1] escapeshellcmd()

   escapeshellcmd() will put a single backslash character in front
   of every shell meta character like ; $ < > ... to escape it.
   This function is normally used to ensure that only a single shell
   command is executed and that it is not possible to append further
   shell commands.

   The problem is that the backslash character is a legal second
   byte of several variable width encodings. Because of this a shell
   that is for example configured to use a locale with the GBK
   character set will consider the introduced backslash as part of
   a multibyte character instead of an escaping of following meta
   character.

   Example:
               escapeshellcmd("echo ".chr(0xc0).";id");

   Executing the result of this will therefore result in echo and
   id being executed.

   [2] escapeshellarg()

   escapeshellarg() does not use the backslash character to escape
   shell meta characters. Instead it places the argument in single
   quotes and only escapes single quotes in the qrgument with the
   string '\'' . Because of this it is not possible to use the same
   trick. However in case there are multiple inputs it is possible
   to "eat" the terminating single quote which results in a shell
   command injection through the second argument.

   Example:
      $arg1 = chr(0xc0);
      $arg2 = "; id ; #";
      $cmd = "echo ".escapeshellarg($arg1)." ".escapeshellarg($arg2);

   In this example the 0xC0 character forms a multibyte character
   with the terminating single quote. Therefore the starting single
   quote of $arg2 will be used as terminating single quote and the
   content of $arg2 can be used to inject everything.

   NOTE: This attack works because even invalid second byte characters
         are accepted on several platforms as valid.

   [3] safe_mode_exec_dir bypass

   Because of the vulnerability described in [1] it is possible to
   bypass the safe_mode_exec_dir directive of PHP. This directive
   is supposed to ensure that only shell commands within the allowed
   directory can be executed.

   This attack is however only feasible when the shell uses one of
   the vulnerable locales, because during safe_mode it is not possible
   to set the LANG environment variable that would influence the shell.

   [4] mail() fifth parameter - disable_functions bypass

   Because of the vulnerability described in [1] it is possible to
   execute arbitrary shell commands on a system even when all shell
   execution functions like shell_exec(), system(), ... are disabled
   by the disable_functions directive, but mail() is still allowed.
   This attack relies on the fact that the fifth mail() parameter is
   used as argument to the sendmail binary and escaped with
   escapeshellcmd() internally to ensure that no further shell commands
   are appended.

   Because PHP scripts can influence the locale of the shell (unless
   running in safe_mode) this attack allows bypassing the setting of
   disable_functions when a vulnerable locale is installed on the
   system. In case the system's shell does not support one of the
   vulnerable character sets the attack is not feasible.

Proof of Concept:

   SektionEins GmbH is not going to release a proof of concept
   exploit for this vulnerability.

Disclosure Timeline:

   07. March    2008 - Notified security@php.net
   01. May      2008 - PHP developers released PHP 5.2.6
   06. May      2008 - Public Disclosure

Recommendation:

   It is recommended to upgrade to the latest version of PHP
   which also fixes additional vulnerabilities reported by
   third parties.

   Grab your copy at:

   http://www.php.net/downloads.php

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   not assigned a name to this vulnerability yet.

GPG-Key:

   pub  1024D/15ABDA78 2004-10-17 Stefan Esser
   Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78

Copyright 2008 SektionEins GmbH. All rights reserved.