Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
directory listing with PHP file functions under FreeBSD
Posted by: Reiners
Date: November 21, 2009 07:59AM

hello,

atm I'm creating some hacking challenges for some students on a FreeBSD platform and while I created a path traversal challenge with null byte injection, I noticed a strange behavior on FreeBSD. The following 3 PHP codes will output a garbled directory listing of the current directory:

echo file_get_contents("./");
$a=file("./");print_r($a);
readfile("./");

Tested with:
FreeBSD 7.0 + PHP 5.2.5 + Suhosin-Patch 0.9.6.2
FreeBSD 7.0 + PHP 5.2.6 + Suhosin-Patch 0.9.6.2
FreeBSD 7.2 + PHP 5.2.10

So a NullByte Injection under FreeBSD is much easier to exploit since you dont have to know all files names.

demo.php
<?php

$file = $_GET['file'];
echo file_get_contents("/var/www/html/".$file.".html");

?>
demo.php?file=../%00 // dirlist to see folders and files
demo.php?file=../cgi-bin/%00 // another dirlist
demo.php?file=../cgi-bin/test.php%00 // file disclosure as usual

Is this a known behavior for the FreeBSD file system? I couldn't reproduce this on any other platform and this was new to me, so I thought it could be interesting. if this behavior appears on other platforms as well, please let me know.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: rvdh
Date: November 21, 2009 10:08AM

Do you run Apache? And under which user is PHP compiled? OpenBSD should disable directory indexing by default, not sure if that is the case with FreeBSD though, but you can change that with Apache.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: Chuks
Date: November 22, 2009 03:10PM

In FreeBSD its disabled by default so is server signature and PROD.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: Reiners
Date: November 26, 2009 08:58AM

yes I'm using apache and php running as root on the testsystem.

well I think it has something to do with the BSD file system since it doesnt work on any other platforms even if directory listing is enabled through apache.



Edited 3 time(s). Last edit at 11/26/2009 09:04AM by Reiners.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: beched
Date: November 27, 2009 10:30AM

And what about chmod? Maybe the point is in it.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: rvdh
Date: November 27, 2009 11:44AM

>yes I'm using apache and php running as root on the testsystem.

That should be it. It can't (or should) happen when it's run from a jail, freeBSDjail (similar to chroot jail) that is. If it still happens, then it's a great find imho.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: Chuks
Date: November 27, 2009 03:04PM

Check the php.ini, maybe its php is hardened to block such executions!!! Please Reiners, also check my PM on another issue about the same.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: beched
Date: November 28, 2009 03:36AM

Yeah! Mind-breaking!

The code

echo file_get_contents("./");

gived me a directory-listing at FreeBSD 6.4-RELEASE-p7 with Apache/1.3.37 and PHP/4.4.9.


But when I chmod'ed it, it stopped working. But nevertheless it's very interesting bug.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: scipio
Date: November 30, 2009 05:11AM

This is a feature of UFS file system and its offshoots.
Here's a script that could read the directory:
http://scipio-vs-carthago.blogspot.com/2009/04/ufs.html

This directory structure:
http://scipio-vs-carthago.blogspot.com/2009/11/ufs.html

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: rvdh
Date: December 14, 2009 01:40PM

@scipio

That's curious, can you explain this? I mean, it doesn't sound very sensible if that is the case. It's all about privileges, is it because if no privileges are granted/set that it defaults back to indexing directories? If so, Horrible.

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: scipio
Date: December 19, 2009 04:22AM

The directory is a file. When accessing this file, some file systems will generate an error, others do not. UFS not

Options: ReplyQuote
Re: directory listing with PHP file functions under FreeBSD
Posted by: rvdh
Date: December 26, 2009 03:37PM

Interesting, thanks for the reply scipio

Options: ReplyQuote


Sorry, only registered users may post in this forum.