
Security for All

Sûnnet Beskerming is a company with a focus and a drive to provide Information Security services for all those who want to stay safe and secure in an online world.


PHP - Local hacker automatic control

Version: 5.x
Technical Details:

It has been discovered that COM objects can be instantiated and accessed from PHP on Windows even when safe_mode and disable_functions have been set. This allows a limited local user (one who is only able to access / run PHP scripts, for example) to execute arbitrary code on a vulnerable system. Because of the way that PHP instantiates COM objects, any kill-bit that has been set is bypassed.

Full exploit code has been released publicly.

Description:

An exploit has been released to a number of public sources that bypasses safe_mode and disable_functions in PHP 5.x when installed on Windows. Preventing users who have permission to install and run PHP scripts from accessing the underlying system might seem like a desirable outcome (especially on multi-user systems), and this vulnerability is a particular concern because it also allows the bypassing of kill-bits that have been set on the system.

Mitigation:

Short of disabling PHP or removing it from the system, consider implementing extremely restrictive access controls, though this might cause problems with PHP scripts. Administrators of PHP on Windows systems should be aware of the risks that account users pose to their systems.
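
As an aid to that awareness, the following added example (not part of the original advisory or of PHP itself) audits the text of user-supplied PHP scripts for COM object instantiation. The function name find_com_usage and the sample script are assumptions made for illustration; class names built at run time can only be flagged for manual review.

```python
import re

# PHP code regions: "<?php", "<?=" or "<?" up to "?>" or end of file.
_PHP_BLOCK = re.compile(r"<\?(?:php\b|=)?(.*?)(?:\?>|\Z)", re.S | re.I)
# Quoted strings and comments, blanked so their text is never matched.
# Heredoc/nowdoc bodies are not recognised (known limitation).
_SKIP = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
# PHP class names are case-insensitive; "\COM" is the namespaced form.
_DIRECT = re.compile(r"\bnew\s+\\?COM\b", re.I)
# Class name held in a variable: cannot be resolved statically, review by hand.
_DYNAMIC = re.compile(r"\bnew\s+\$\w+")


def _blank(match):
    """Replace a token with spaces, keeping newlines so offsets stay valid."""
    return re.sub(r"[^\n]", " ", match.group(0))


def find_com_usage(source):
    """Return sorted (line, kind, text) findings for one PHP file's contents."""
    lines = source.split("\n")
    findings = []
    for block in _PHP_BLOCK.finditer(source):
        code = _SKIP.sub(_blank, block.group(1))
        for kind, pattern in (("direct", _DIRECT), ("dynamic", _DYNAMIC)):
            for hit in pattern.finditer(code):
                pos = block.start(1) + hit.start()
                line = source.count("\n", 0, pos) + 1
                findings.append((line, kind, lines[line - 1].strip()))
    return sorted(findings)


# Constructed sample: HTML, a comment and a string literal must be ignored.
SAMPLE = """<html><body>Don't panic
<?php
// new COM("Word.Application") in a comment is ignored
$note = 'new COM is only text here';
$obj = new COM("Word.Application");
$cls = $config['class'];
$x = new $cls();
?>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, text in find_com_usage(SAMPLE):
        print(f"line {line}: {kind}: {text}")
```

Call find_com_usage on the contents of each script under the web root; "direct" findings name the COM class outright, while "dynamic" findings need a human to determine which class is instantiated.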

Updates:

Not Yet Available

Source:

http://shinnai.altervista.org

Exploits:

http://milw0rm.com/exploits/4553

External Tracking Data:

Not Yet Identified

