What is a null byte
The Poison Null Byte (also known as the Poisoned NUL Byte) was originally given that name by Olaf Kirch in a post to the fa.linux.security newsgroup. In many languages a null byte marks the end of a string: rather than storing the total length as an integer in the first byte or two of the string, the string is simply terminated by a null byte placed at its end. By embedding NULL bytes/characters in input to applications that do not handle postfix NULL terminators properly, an attacker can exploit a system using techniques such as directory traversal.
The Poison Null Byte exploit takes advantage of strings with a known length that can contain null bytes, combined with an attacked API that uses null-terminated strings. By placing a NULL byte in the string at a chosen position, the string is terminated at that point, discarding the rest of the string, such as a file extension.
There are a number of ways to use the Poison Null Byte exploit, including the following:
- The termination of a filename within a string, for example, a file extension.
- Terminating or commenting an SQL statement when dynamically executing, such as Oracle’s ‘EXECUTE IMMEDIATE’.
Example
<?php
// Vulnerable: $file is taken straight from the query string and placed in a path
$file = $_GET['file'];
require_once("/var/www/$file.php");
While the above script appears to be secured by forcing the “.php” file extension, it could be exploited as follows: http://www.example.com/index.php?file=../../etc/passwd%00. This NULL byte injection would result in the mandatory appended file extension (.php) being dropped and the /etc/passwd file being loaded.
Solution
There are a number of ways to prevent Poison Null Byte injection in PHP. These include escaping the NULL byte with a backslash; however, the most recommended approach is to remove the byte entirely, using code similar to the following:
// Strip every NUL byte from the user-supplied value before it reaches the filesystem
$file = str_replace(chr(0), '', $_GET['file']);
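A hardened version of the include above, added here as an example rather than code from the original article: it rejects a NUL byte outright instead of silently stripping it, restricts the page name to an allowlist, and confirms the resolved path stays under the web root. The function name resolve_include and the /var/www directory are assumptions.

```php
<?php
// Returns the absolute path of the page to include, or null if the request
// is rejected. Rejecting (rather than stripping) the NUL byte turns an attack
// attempt into a logged event instead of a quietly "repaired" request.
function resolve_include(string $userValue, string $baseDir = '/var/www'): ?string
{
    // 1. A legitimate page name never contains a NUL byte. PHP 5.3.4 and later
    //    already refuse such paths in filesystem functions, but checking here
    //    keeps the protection independent of the runtime and gives a log signal.
    if (strpos($userValue, "\0") !== false) {
        error_log("resolve_include: NUL byte in 'file' parameter rejected");
        return null;
    }

    // 2. Allowlist: letters, digits, underscore and hyphen only, so neither
    //    "../" nor a second extension can ever be part of the name.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $userValue)) {
        error_log("resolve_include: page name failed allowlist");
        return null;
    }

    $candidate = $baseDir . '/' . $userValue . '.php';

    // 3. Resolve symlinks and "." components, then require the result to sit
    //    inside $baseDir. realpath() returns false if the file does not exist.
    $real = realpath($candidate);
    $root = realpath($baseDir);
    if ($real === false || $root === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        error_log("resolve_include: resolved path outside web root");
        return null;
    }
    return $real;
}

$file = resolve_include($_GET['file'] ?? '');
if ($file === null) {
    http_response_code(400);
    exit('invalid page');
}
require_once $file;
```

With this check a request such as file=../../etc/passwd%00 fails at step 1 and is logged, while a plain name such as file=about resolves to /var/www/about.php only if that file exists under the web root.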