Bug #21790 0-Byte-Problem
Submitted: 2003-01-21 00:35 UTC Modified: 2003-01-21 10:10 UTC
From: ritze at meinscheissname dot de Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.3.0 OS: Linux
Private report: No CVE-ID: None
 [2003-01-21 00:35 UTC] ritze at meinscheissname dot de
I read this mail from Ian Clelland on bugtraq@securityfocus.com, and I think this is a problem that should be fixed.

On Thu, Jan 16, 2003 at 12:07:12AM +0100, Nicob wrote:

>> On Sun, 2003-01-12 at 16:03, sonyy@2vias.com.ar wrote:
>
>>> > index.php :
>>> >            $cfg_file = "${cfg_dir}/${bn}.${ext}";
>>> >
>>> > http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00
>>> > http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1
>
>> 
>> AFAIK, the Null-byte attack doesn't work with PHP. It works with Perl
>> and some Java apps, yes, but not PHP ...


PHP strings in general are stored with their lengths, and can contain
arbitrary binary data (unlike, say, C). Within PHP, strings containing
null bytes are safe to use.

The problem here is that PHP will often pass PHP-function-parameters
unchecked directly to the lower-level C library functions.

PHP may handle a filename like '/etc/passwd\x00.ext' just fine, but if
it passes the address of that string to fopen(), then the C function
will treat the argument as a null-terminated string, and open
/etc/passwd.


As a quick proof-of-concept, try this code under your favourite PHP
interpreter (I've tested it on a 4.0-series platform, and a quick
perusal of the relevant files in the 4.3.0 source doesn't show any
protection against this):

<?php

  header("Content-type: text/plain");
  $filename = '/etc/passwd'."\0".'.ext';
  $file = fopen($filename,'r');
  $line = fgets($file,1024);
  echo $filename."\r\n";
  echo $line;
  fclose($file);

?>


Output:
/etc/passwd .ext
root:x:0:0:root:/root:/bin/bash



You can see by the output of the echo statement that PHP deals with null
bytes very well within strings, but that fopen stopped reading the
filename at the null.

This looks to be quite difficult to guard against -- the application
level solution would have to involve scanning all strings for null bytes
before passing them to any of a very large number of PHP functions. A
better solution would be to have PHP itself do a libc string length
check before passing arguments to lower-level functions.

Adding just a few lines to ext/standard/file.c should prevent an attack
like this on fopen:

***************
*** 1086,1092 ****
--- 1086,1095 ----
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|br",
                                &mode, &mode_len, &use_include_path,
&zcontext) == FAILURE) {
                RETURN_FALSE;
        }
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
        if (zcontext) {
                ZEND_FETCH_RESOURCE(context, php_stream_context*,
&zcontext, -1, "stream-context", le_stream_context);
        }
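Review bot: the new check sits in the right place (after zend_parse_parameters has filled in filename and filename_len), but it fails silently with a bare RETURN_FALSE, so a caller cannot tell a rejected filename from a file that simply does not exist; emit a warning (php_error_docref is the usual way in this file) before returning so the condition is visible. The format string "ss|br" in the context shows that mode is also received as a counted string and handed to libc as a C string, so for consistency it should get the same strlen-versus-length check. As the surrounding text already says, doing this per function means repeating the three added lines in every wrapper that passes a string to libc; the parameter parser is the one choke point where a single check would cover all of them.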


There is almost certainly a better place to check this; I'm not that
familiar with the code. And, of course, there are probably at least a
hundred other points in the code where a patch like this needs to be
applied.


Ian Clelland
<ian@veryfresh.com>

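The following is an added example in C, not code from the bugtraq mail, the bug report or PHP's own source. It reproduces the mismatch the mail describes: a length-prefixed string is assembled the way the quoted w-agora line `$cfg_file = "${cfg_dir}/${bn}.${ext}"` does it, the example shows what fopen(3) would actually see once the string is passed as a C pointer, and it wraps fopen in the `strlen(filename) != filename_len` check from the patch so the call is refused instead of opening the truncated path. The `pstr` struct and the functions `build_cfg_path`, `libc_len`, `has_embedded_nul`, `as_fopen_sees_it` and `checked_fopen` are illustrative names chosen here, not PHP internals; the attacker input is constructed from the `bn=../../etc/passwd%00` value in the quoted URL, with the directory depth shortened.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length-prefixed string: how PHP keeps strings internally, so "\0" is just
 * another byte. Simplified struct for this example, not PHP's real zval. */
typedef struct {
    unsigned char *val;
    size_t len;
} pstr;

/* Build "${cfg_dir}/${bn}.${ext}" the way the quoted w-agora line does.
 * bn is passed as (pointer, length) so it may carry an embedded NUL. */
pstr build_cfg_path(const char *cfg_dir, const unsigned char *bn, size_t bn_len,
                    const char *ext)
{
    size_t dlen = strlen(cfg_dir), elen = strlen(ext);
    pstr p;
    p.len = dlen + 1 + bn_len + 1 + elen;
    p.val = malloc(p.len + 1);          /* +1: also NUL-terminate for C callers */
    memcpy(p.val, cfg_dir, dlen);
    p.val[dlen] = '/';
    memcpy(p.val + dlen + 1, bn, bn_len);
    p.val[dlen + 1 + bn_len] = '.';
    memcpy(p.val + dlen + 2 + bn_len, ext, elen);
    p.val[p.len] = '\0';
    return p;
}

/* Length libc would see: bytes up to the first NUL, capped at the stored length. */
size_t libc_len(const pstr *s)
{
    size_t i = 0;
    while (i < s->len && s->val[i] != '\0')
        i++;
    return i;
}

/* The check from the posted patch: strlen(filename) != filename_len. */
int has_embedded_nul(const pstr *s)
{
    return libc_len(s) != s->len;
}

/* The path fopen(3) would actually open: a fresh C string cut at the first NUL. */
char *as_fopen_sees_it(const pstr *s)
{
    size_t n = libc_len(s);
    char *out = malloc(n + 1);
    memcpy(out, s->val, n);
    out[n] = '\0';
    return out;
}

/* Hardened wrapper: never calls fopen when the PHP-level string and the
 * C-level string would disagree. Sets *rejected so the caller can tell this
 * apart from an ordinary open failure. */
FILE *checked_fopen(const pstr *path, const char *mode, int *rejected)
{
    if (has_embedded_nul(path)) {
        *rejected = 1;
        return NULL;
    }
    *rejected = 0;
    return fopen((const char *)path->val, mode);
}

int main(void)
{
    /* Constructed attacker input, modelled on bn=../../etc/passwd%00 from the quoted URL. */
    static const unsigned char evil[] = "../../etc/passwd\0";
    pstr p = build_cfg_path("conf", evil, sizeof evil - 1, "cfg");
    char *seen = as_fopen_sees_it(&p);
    int rejected;
    FILE *f;

    printf("PHP-level length %zu, libc length %zu\n", p.len, libc_len(&p));
    printf("fopen would open: %s\n", seen);       /* conf/../../etc/passwd */

    f = checked_fopen(&p, "r", &rejected);
    printf("checked_fopen: %s\n", rejected ? "rejected (embedded NUL)" : "passed through");
    if (f)
        fclose(f);
    free(seen);
    free(p.val);
    return 0;
}
```

Compile with any C compiler (for example `cc nulcheck.c -o nulcheck`) and run it. The program never opens /etc/passwd: `as_fopen_sees_it` only reports the path libc would have used, and `checked_fopen` refuses the call because the stored length (26 bytes) differs from what strlen would return (21). With a benign `bn` such as `demos` the two lengths agree and the wrapper falls through to a normal fopen.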
 [2003-01-21 08:29 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

In many cases the files opened by PHP are not specified via user input. When they are, it is up to the user to be aware of such things and handle them appropriately. In many cases your patch would simply add unnecessary overhead.
 [2003-01-21 09:55 UTC] ritze at meinscheissname dot de
Please read carefully. It is definitely a problem of PHP! If you cannot read C code or don't understand the null-byte problem, please let me know.
 [2003-01-21 10:10 UTC] phanto@php.net
What would adding a \0 in a string buy you?
If you can come up with a *real* exploit we'll consider reopening this report, but after a short discussion we weren't able to find a sample where this exploit would enable you to access a file which you can't access without it (or whatever else you want to achieve with that null byte in a string).

And btw yes, we _can_ read C code.

harald
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 15:01:34 2024 UTC