hello,

atm I'm creating some hacking challenges for some students on a FreeBSD platform and while I created a path traversal challenge with null byte injection, I noticed a strange behavior on FreeBSD. The following 3 PHP codes will output a garbled directory listing of the current directory:

echo file_get_contents("./");

$a=file("./");print_r($a);

readfile("./");

Tested with:
FreeBSD 7.0 + PHP 5.2.5 + Suhosin-Patch 0.9.6.2
FreeBSD 7.0 + PHP 5.2.6 + Suhosin-Patch 0.9.6.2
FreeBSD 7.2 + PHP 5.2.10

So a NullByte Injection under FreeBSD is much easier to exploit since you dont have to know all files names.

demo.php

<?php

$file = $_GET['file'];
echo file_get_contents("/var/www/html/".$file.".html");

?>

demo.php?file=../%00 // dirlist to see folders and files
demo.php?file=../cgi-bin/%00 // another dirlist
demo.php?file=../cgi-bin/test.php%00 // file disclosure as usual

Is this a known behavior for the FreeBSD file system? I couldn't reproduce this on any other platform and this was new to me, so I thought it could be interesting. if this behavior appears on other platforms as well, please let me know.

Do you run Apache? And under which user is PHP compiled? OpenBSD should disable directory indexing by default, not sure if that is the case with FreeBSD though, but you can change that with Apache.

In FreeBSD its disabled by default so is server signature and PROD.

yes I'm using apache and php running as root on the testsystem.

well I think it has something to do with the BSD file system since it doesnt work on any other platforms even if directory listing is enabled through apache.



Edited 3 time(s). Last edit at 11/26/2009 09:04AM by Reiners.

And what about chmod? Maybe the point is in it.

>yes I'm using apache and php running as root on the testsystem.

That should be it. It can't (or should) happen when it's run from a jail, freeBSDjail (similar to chroot jail) that is. If it still happens, then it's a great find imho.

Check the php.ini, maybe its php is hardened to block such executions!!! Please Reiners, also check my PM on another issue about the same.

Yeah! Mind-breaking!

The code

echo file_get_contents("./");

gived me a directory-listing at FreeBSD 6.4-RELEASE-p7 with Apache/1.3.37 and PHP/4.4.9.


But when I chmod'ed it, it stopped working. But nevertheless it's very interesting bug.

This is a feature of UFS file system and its offshoots.
Here's a script that could read the directory:
http://scipio-vs-carthago.blogspot.com/2009/04/ufs.html

This directory structure:
http://scipio-vs-carthago.blogspot.com/2009/11/ufs.html

@scipio

That's curious, can you explain this? I mean, it doesn't sound very sensible if that is the case. It's all about privileges, is it because if no privileges are granted/set that it defaults back to indexing directories? If so, Horrible.

The directory is a file. When accessing this file, some file systems will generate an error, others do not. UFS not

Interesting, thanks for the reply scipio