Vigil@nce: PHP, code execution via proc_open
December 2008 by Vigil@nce
SYNTHESIS
A local attacker can use proc_open() to execute a command with the
privileges of the web server.
Gravity: 1/4
Consequences: user access/rights
Provenance: user account
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/12/2008
IMPACTED PRODUCTS
– PHP
DESCRIPTION
The proc_open() function of PHP executes a shell command. When
Safe Mode is enabled, proc_open() can only execute commands
located in the directory defined by safe_mode_exec_dir.
However, if the attacker can upload a shared library to the
system, he can use the LD_PRELOAD environment variable to
force proc_open() to load this library. The malicious code it
contains is then executed with the privileges of the web server.
A local attacker can therefore use proc_open() to execute a
command with the privileges of the web server.
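The following configuration check is an added example, not part of the original advisory: it reads a php.ini and reports whether Safe Mode is relied on while proc_open() remains callable. It assumes the administrator chooses to block the function with the disable_functions directive, a mitigation the advisory itself does not state; the sample configurations and the function names parse_php_ini and assess are constructed for illustration.

```python
TRUE_VALUES = {"1", "on", "yes", "true"}  # php.ini boolean spellings, case-insensitive

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (quoted ';' not handled)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Directive names are case-sensitive, so the key is kept as written.
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def assess(text):
    """Classify a php.ini for the proc_open()/LD_PRELOAD Safe Mode bypass."""
    s = parse_php_ini(text)
    if s.get("safe_mode", "Off").lower() not in TRUE_VALUES:
        return "not-applicable"  # Safe Mode is not being relied on as a restriction
    # Exact-match comparison: only the literal name "proc_open" counts as disabled.
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    if "proc_open" in disabled:
        return "mitigated"
    return "exposed"

# Constructed sample configurations (not taken from the advisory).
EXPOSED_INI = """
[PHP]
safe_mode = On
safe_mode_exec_dir = "/usr/local/php/bin"   ; only these binaries may be run
disable_functions = exec, system            ; proc_open is still callable
"""
MITIGATED_INI = EXPOSED_INI + "disable_functions = exec,system,proc_open,popen\n"
NO_SAFE_MODE_INI = "safe_mode = Off\ndisable_functions =\n"

if __name__ == "__main__":
    for name, ini in [("exposed", EXPOSED_INI), ("mitigated", MITIGATED_INI),
                      ("no safe mode", NO_SAFE_MODE_INI)]:
        print(f"{name:13} -> {assess(ini)}")
```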
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8301