In-depth analysis of PHP Remote DoS Vulnerabilities & amp; #8232; and Protection Solutions

In-depth analysis of PHP Remote DoS Vulnerabilities & #8232; and Protection Solutions
Execution Abstract: on June 14, May 14, a Remote DoS vulnerability in php was detected in China, with the official code 69364. This vulnerability is used to construct a poc initiation link, which can easily cause 100% cpu usage on the target host, involving multiple PHP versions. The aligreennet threat response center immediately launched an emergency response mechanism.
Day and night, vulnerability analysis was started, and the analysis results were sent to the product team. on the 16 th, the product rule upgrade announcement was released, and Rlu technology RSAS products were upgraded one after another, the customer can detect vulnerabilities through online and offline upgrades. At the same time, the online Vulnerability Detection engine is ready. On the 17th, in-depth vulnerability analysis is underway. The NIPS product of lumon technology is ready for upgrade. The customer can obtain the vulnerability protection capability through online and offline upgrades. on the 18 th, we reviewed the key points of this PHP vulnerability, summary from the perspective of PHP vulnerability Protection to provide additional information for you to develop defense solutions.

 

PHP Remote DoS Vulnerability

On June 18, April 3, Someone submitted the PHP remote DoS Vulnerability (PHP Multipart/form-data remote dos Vulnerability) on the PHP official website, code 69364. Because this vulnerability involves all PHP versions, it has a large impact and has caused a lot of attention once released. On October 14, various PoC programs were circulating on the Internet. This vulnerability has the following features:

Once exploited, the CPU resources of the attacked host can be quickly consumed to achieve DoS. PHP has a large number of deployments worldwide, it provides a large number of targets for attackers. Currently, PHP only provides patches for versions 5.4 and 5.5.

Software and systems affected by this vulnerability include the following versions of PHP.

PHP 5.0.0-5.0.5 PHP 5.1.0-5.1.6 PHP 5.2.0-5.2.17 PHP 5.3.0-5.3.29 PHP 5.4.0-5.4.40 PHP 5.5.0-5.5.24 PHP 5.6.0-5.6.8

Green Alliance technology keeps a close eye on PHP security issues all the year round. After obtaining the relevant information, the threat response center of lumon technology immediately launched the emergency response mechanism and started the relevant work immediately. This article will analyze the vulnerability in depth and provide solutions.

PHP Remote DoS Vulnerability Analysis

On the evening of July 15, May 15, 2015, The Threat Response Center of NSR is also analyzing vulnerabilities while obtaining the spread of PHP vulnerabilities. By recreating the vulnerability attack process, it analyzes how it works, this vulnerability can be clearly identified and detected.

Key-value pairs in Boundary are separated

PHP is a popular Web Server programming language. It is powerful and easy to use. It is used to write network applications to handle large-scale Http requests, therefore, PHP is deployed in many business environments. Considering the standardization, PHP complies with the rfc specification at the beginning of its design to encapsulate and process each protocol module. Compared with other languages and environments that comply with rfc specifications, PHP is handled differently.

Starting from rfc1867, http supports "multipart/form-data" requests to accept multiple data formats, including multiple variables and even file uploads. Multipart/form-data can contain multiple packets. Each packet is separated by a boundary (separator), and each packet contains multiple line key-value pairs, which are separated by a colon, this design allows the program to clearly distinguish the data.

 

But for some reason, if the colon is missing in the key value, the PHP function will merge the next key value to the previous line to form such a key-value pair, "Key 1: value 1 key 2 value 2 ". Because PHP's key-value merge algorithm is not optimized enough, there is no such thing happening several times. If there are millions of records, it will become a disaster.

 

In the following example, when Part a reaches a certain number (several 100,000 rows or millions of rows), because the keys and values of each row are not separated by colons, the function automatically combines the key-value pairs of the next row, so that the data grows and grows. The function continuously allocates and releases memory for the data, the CPU resources of the target host are eventually exhausted.

* Note: in PHP, Boundary can be customized, for example, "-- WebKitFormBoundarypE33TmSNWwsMphqz"

The following code is displayed during packet capture:

Boundary packet parsing process

In main/rfc1867.c, PHP involves boundary parsing, including SAPI_API SAPI_POST_HANDLER_FUNC and multipart_buffer_headers functions. DoS vulnerability occurs in the main/rfc46675pxultipart_buffer_headers function.

PHP parses the multipart/form-data http request first. The entry function of the http Request body is in SAPI_POST_HANDLER_FUNC (function in rfc1867.c). The SAPI_POST_HANDLER_FUNC function first parses the boundary of the request, that is, the boundary defined for the first time in the POST request; and The multipart_buffer_headers is called internally, this function first finds boundary (that is, a referenced boundary ), it will be compared with the boundary at the time of definition. If they are equal, the boundary referenced for the first time is found. Next, the request input will be read row by row to parse the body port header (that is, the content after the first reference of boundary ).

SAPI_API SAPI_POST_HANDLER_FUNC

/* Get the boundary * // * start to parse boundary */boundary = strstr (content_type_dup, "boundary"); if (! Boundary) {int content_type_len = strlen (comment); char * Comment = estrndup (comment, content_type_len); comment (comment, content_type_len); boundary = strstr (comment, "boundary "); if (boundary) {boundary = content_type_dup + (boundary-content_type_lcase);} efree (content_type_lcase);} if (! Boundary |! (Boundary = strchr (boundary, '=') {sapi_module.sapi_error (E_WARNING, "Missing boundary in multipart/form-data POST data"); return;} boundary ++; boundary_len = strlen (boundary);/* perform legal verification on bondary */if (boundary [0] = '"') {boundary ++; boundary_end = strchr (boundary, '"'); if (! Boundary_end) {sapi_module.sapi_error (E_WARNING, "Invalid boundary in multipart/form-data POST data"); return ;}} else {/* search for the end of the boundary */boundary_end = strpbrk (boundary, ",;");} if (boundary_end) {boundary_end [0] = '\ 0'; boundary_len = boundary_end-boundary;}/* Initialize the buffer */if (! (Mbuff = multipart_buffer_new (boundary, boundary_len TSRMLS_CC) {sapi_module.sapi_error (E_WARNING, "Unable to initialize the input buffer"); return;} while (! Multipart_buffer_eof (mbuff TSRMLS_CC) {char buff [FILLUNIT]; char * cd = NULL, * param = NULL, * filename = NULL, * tmp = NULL; size_t blen = 0, wlen = 0; off_t offset; zend_llist_clean (& header);/* vulnerability function */if (! Multipart_buffer_headers (mbuff, & header TSRMLS_CC) {goto fileupload_done ;}

Multipart_buffer_headers

/* Parse headers */static int multipart_buffer_headers (multipart_buffer * self, zend_llist * header TSRMLS_DC) {char * line; mime_header_entry prev_entry = {0}, entry; int prev_len, cur_len; /* didn't find boundary, abort */if (! Find_boundary (self, self-> boundary TSRMLS_CC) {return 0;}/* get lines of text, or CRLF_CRLF * // * parse by line */while (line = get_line (self TSRMLS_CC) & line [0]! = '\ 0') {/* add header to table */char * key = line; char * value = NULL; if (php_rfc1867_encoding_translation (TSRMLS_C )) {self-> input_encoding = zend_multibyte_encoding_detector (line, strlen (line), self-> detect_order, self-> detect_order_size TSRMLS_CC );} /* space in the beginning means same header * // * if the beginning of the row is not a space, try to find ':' to check whether it is a valid key-Value Pair */if (! Isspace (line [0]) {value = strchr (line, ':');}/* If ':' is found, this row contains a valid key-value pair, parse it */if (value) {* value = 0; do {value ++;} while (isspace (* value); entry. value = estrdup (value); entry. key = estrdup (key);/* If ':' is not included and there is a valid key-value pair before the row, this row is the value of the previous key-Value Pair */} else if (zend_llist_count (header) {/* If no': 'on the line, add to previous line */prev_len = strlen (prev_entry.value); cur_len = strlen (line);/* merge values */entry. value = emalloc (prev_len + cur_len + 1); memcpy (entry. value, prev_entry.value, prev_len); memcpy (entry. value + prev_len, line, cur_len); entry. value [cur_len + prev_len] = '\ 0'; entry. key = estrdup (prev_entry.key); zend_llist_remove_tail (header);} else {continue;} zend_llist_add_element (header, & entry); prev_entry = entry;} return 1 ;}

 

Problematic function processing logic

When the multipart_buffer_headers function parses the multipart header data in an HTTP request, each time it parses a key-Value Pair obtained by get_line. When the parsed line starts with a blank character or a row does not contain ':', the row is treated as a continuation of the previous line of key-value pairs, concatenates the current value into the previous key-value pair. During the concatenation, this function performs the following operations:

One memory allocation

Entry. value = emalloc (prev_len + cur_len + 1 );

Two memory copies

Memcpy (entry. value, prev_entry.value, prev_len); memcpy (entry. value + prev_len, line, cur_len );

One memory release

Zend_llist_remove_tail (header );

When multiple rows do not contain ':', PHP will allocate and release a large amount of memory, and the allocated space and copy length will increase. When the number of rows is large enough, the copy operation will significantly consume the server's CPU. In actual tests, the header fields containing nearly 1 million rows can keep the server's CPU at 100% seconds or dozens of seconds. If multiple attack requests are concurrently sent, the resource usage may take longer.

Vulnerability exploitation Principle

Attackers can initiate an attack by sending an HTTP request containing multi-line multipart header data about 2 MB without authentication or relying on the content of the PHP program. For example, by sending malformed requests every several seconds and concurrent requests, the CPU resources of the target host will be exhausted.

PHP Remote DoS Vulnerability Detection

In the face of such simple vulnerability exploitation and low attack thresholds, analysts quickly pass the security verification detection methods to the cloud, product, and server, we recommend that you perform a comprehensive vulnerability detection on your business environment as soon as possible, so that you can obtain first-hand data as soon as possible and provide data support and Decision-making basis for subsequent vulnerability Protection Solutions and implementation measures.

Cloud Detection

On the evening of May 16, Green Alliance technology customer self-service Portal system released PHP Remote DoS Vulnerability Detection engine, for PHP Multipart/form-data Remote DoS Vulnerability (PHP-69364) provides scanning support.

Now you can use this self-help system to scan your business environment at any time to see if this vulnerability exists, scan please CLICK: https://portal.nsfocus.com/vulnerability/list/

Vulnerability confirmation when "your detection target has this vulnerability" is displayed in the scan result, you can confirm that this vulnerability exists in the current business environment. We recommend that you develop a protection plan as soon as possible, to prevent the system from being attacked before being reinforced.

Product Inspection

By deploying the Remote Security Assessment System, you can quickly scan for and obtain the vulnerability in your business environment. At the same time, you can implement closed-loop Security Management of vulnerabilities, this includes early warning, detection, analysis and management, patching, and auditing. 2. You can obtain a wide range of vulnerability and configuration knowledge bases, which are the leading security vulnerability libraries in China, there are nearly 30 thousand vulnerabilities in total. 3. Flexible Deployment and centralized management of nsfocus espc can effectively achieve unified Vulnerability Management for large networks. 4. Enjoy the credibility guarantee recommended by Gartner.

 

For this Remote DoS vulnerability in PHP, The aligreennet vulnerability scan series is ready. Please upgrade to the following versions as soon as possible to provide you with first-hand data support for custom protection measures.

PHP Remote DoS vulnerability Protection

If you know how to exploit a vulnerability and how to detect it, then the vulnerability Protection will know how to do it. If you confirm that this vulnerability exists in your business environment, you need to refer to the above information to develop and launch the reinforcement solution as soon as possible. The reinforcement starts from vulnerability patches, to product protection, to the overall protection, and gradually promote.

Vulnerability reinforcement

PHP has provided patches for PHP 5.4 and PHP 5.5. Users of these versions can download and install the patches on the official website as soon as possible. The patches are as follows:

Http://php.net/ChangeLog-5.php#5.4.41

Http://php.net/ChangeLog-5.php#5.5.25

If you are using other PHP versions, please stay tuned to the latest official announcement of PHP.

Product protection

It is not enough to install vulnerability patches. Security products are essential to improve the overall security level and respond to future attacks, we recommend that you place your Web system in the DMZ region and provide comprehensive protection for multiple products. In the following deployment environment, the Network Intrusion Prevention System (NIPS) is used as an example to deploy NIPS on the business System and provide PHP Remote DoS vulnerability Protection.

The upgrade information of related products is as follows:

Upgrade the product rules as soon as possible. The rule upgrade package is provided in the software upgrade announcement. The rule can be upgraded online on the product interface. If your business system cannot upgrade the rule set, you can find the corresponding product on the software upgrade page, download the upgrade package, and perform the upgrade offline.

In some large enterprises or organizations, PHP Remote DoS vulnerability protection may not be implemented quickly because: 1. The availability of the business system needs to be considered; 2. Overall implementation scheme formulation should be considered; 3. Secondary Damage to the business environment should be minimized by reinforcement actions. This requires the collaboration of enterprises, vulnerability-related vendors, and security vendors to form a fast, secure, and effective action plan to prevent business systems from being attacked before being reinforced. In this emergency response process, the green alliance technology service personnel suggested to the customer that the Action Plan should at least include the following steps:

1. First, you should first obtain the vulnerability notice and related information to understand the scope and depth of the vulnerability.

2. In addition, the announcement and interpretation should be combined with the actual IT business system status, determine the scope and extent of the impact (including the extent to which it affects your business and its customers). In this judgment process, data must be used as the factual basis for accurate solution formulation, we recommend that you use a secure and reliable vulnerability scanning tool to upgrade the latest plug-in or rule repository, scan the entire network for security, and obtain first-hand data as the basis for decision-making;

3. Once again, IT personnel should comprehensively consider business stability, hazard level, scope and importance, and formulate a rectification schedule, rectification and reinforcement work is performed on local networks, host devices, or service system devices in order of weight from high to low (we recommend that you invite vulnerability-related vendors and security vendors to participate ). Then, after the reinforcement stage or the whole process is completed, you need to perform a complete scan again and manually verify the rectification and reinforcement results. If the technical investment permits, we recommend that you perform another log analysis on all aspects, observe whether any successful attack during rectification and reinforcement causes other losses to the system;

3.1. At this stage, the security vendor must provide professional technical assistance, such as vulnerability reinforcement consultation and verification of successful reinforcement. At the same time, the security vendor must know which devices have been released or are about to release protection rules, after the upgrade, you can perform protection;

3.2 If no security device has been used, temporary protection measures should be taken, including solutions from vulnerability-related vendors and security vendors, to obtain time for overall reinforcement, avoid the window time being attacked and lost before successful reinforcement and rectification, which is not uncommon among many 0-day events;

3.3. In addition, vulnerability-related vendors and security vendors need to work together to communicate with each other on the vulnerability principles and utilization process for a deeper explanation, developers of vulnerability-related vendors can gain an in-depth understanding of the vulnerability and conduct code-level rectification based on their own situations;

4. Finally, make a summary and record-filing after the overall response is completed.

Threat intelligence

From this Remote DoS vulnerability in PHP, we can see that no matter how the vulnerability works, no matter how the vulnerability protection solution is implemented, the key is to learn the vulnerability information and related intelligence as quickly as possible, to enable the emergency response mechanism as quickly as possible. This is one of the most important methods to solve traditional security or APT attacks. The acquisition and response of threat intelligence reflects the degree of building defense capabilities, the threat intelligence service system includes at least threat monitoring and response, data analysis and sorting, business intelligence and delivery, risk assessment and consulting, security hosting and application, and other aspects, through research, product, service, operation, and marketing, aligreennet uses a three-dimensional emergency response system, such as research, cloud, product, and service, provide threat intelligence to enterprises and organizations in a timely manner and continuously provide follow-up services to ensure smooth operation of customers' business.