SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: PHP Multibyte Shell Command Escaping Bypass Vulnerability Release Date: 2008/05/06 Last Modified: 2008/05/06 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: PHP 5 <= 5.2.5 PHP 4 <= 4.4.8 Severity: Several shell locales with support for east asian variable width encodings allow bypassing PHP's shell command escaping functions, safe_mode and disable_functions Risk: Medium/High Vendor Status: Vendor has released PHP 5.2.6 which uses locale aware shell command/argument escaping Reference: http://www.sektioneins.de/advisories/SE-2008-03.txt Overview: Quote from http://www.php.net "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." In PHP there exist two functions to escape shell commands or arguments to shell commands that are used in PHP applications to protect against shell command injection vulnerabilities. - escapeshellcmd() - escapeshellarg() Unfortunately it was discovered that both functions fail to protect against shell command injection when the shell uses a locale with a variable width character set like GBK, EUC-KR, SJIS, .. This can lead to arbitrary shell command injection vulnerabilities in PHP applications believed to be safe. In addition to that exploiting this problem in PHP functions that use this shell escaping internally allows safe_mode and disable_functions bypass. Details:  escapeshellcmd() escapeshellcmd() will put a single backslash character in front of every shell meta character like ; $ < > ... to escape it. This function is normally used to ensure that only a single shell command is executed and that it is not possible to append further shell commands. The problem is that the backslash character is a legal second byte of several variable width encodings. Because of this a shell that is for example configured to use a locale with the GBK character set will consider the introduced backslash as part of a multibyte character instead of an escaping of following meta character. Example: escapeshellcmd("echo ".chr(0xc0).";id"); Executing the result of this will therefore result in echo and id being executed.  escapeshellarg() escapeshellarg() does not use the backslash character to escape shell meta characters. Instead it places the argument in single quotes and only escapes single quotes in the qrgument with the string '\'' . Because of this it is not possible to use the same trick. However in case there are multiple inputs it is possible to "eat" the terminating single quote which results in a shell command injection through the second argument. Example: $arg1 = chr(0xc0); $arg2 = "; id ; #"; $cmd = "echo ".escapeshellarg($arg1)." ".escapeshellarg($arg2); In this example the 0xC0 character forms a multibyte character with the terminating single quote. Therefore the starting single quote of $arg2 will be used as terminating single quote and the content of $arg2 can be used to inject everything. NOTE: This attack works because even invalid second byte characters are accepted on several platforms as valid.  safe_mode_exec_dir bypass Because of the vulnerability described in  it is possible to bypass the safe_mode_exec_dir directive of PHP. This directive is supposed to ensure that only shell commands within the allowed directory can be executed. This attack is however only feasible when the shell uses one of the vulnerable locales, because during safe_mode it is not possible to set the LANG environment variable that would influence the shell.  mail() fifth parameter - disable_functions bypass Because of the vulnerability described in  it is possible to execute arbitrary shell commands on a system even when all shell execution functions like shell_exec(), system(), ... are disabled by the disable_functions directive, but mail() is still allowed. This attack relies on the fact that the fifth mail() parameter is used as argument to the sendmail binary and escaped with escapeshellcmd() internally to ensure that no further shell commands are appended. Because PHP scripts can influence the locale of the shell (unless running in safe_mode) this attack allows bypassing the setting of disable_functions when a vulnerable locale is installed on the system. In case the system's shell does not support one of the vulnerable character sets the attack is not feasible. Proof of Concept: SektionEins GmbH is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 07. March 2008 - Notified email@example.com 01. May 2008 - PHP developers released PHP 5.2.6 06. May 2008 - Public Disclosure Recommendation: It is recommended to upgrade to the latest version of PHP which also fixes additional vulnerabilities reported by third parties. Grab your copy at: http://www.php.net/downloads.php CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet. GPG-Key: pub 1024D/15ABDA78 2004-10-17 Stefan Esser Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78 Copyright 2008 SektionEins GmbH. All rights reserved.