PHP Remote DoS Vulnerability
PHP remote DoS vulnerability: in-depth analysis and protection plan
On April 3, 2015, a report was submitted to the PHP bug tracker for a PHP remote DoS vulnerability (PHP multipart/form-data remote DoS vulnerability), bug #69364. Because the vulnerability affects every PHP 5 release, its impact is broad, and it drew wide attention as soon as it was made public. By the 14th (May 14) a variety of PoCs were circulating on the network. The vulnerability has the following characteristics:
Once exploited successfully, it rapidly consumes the target host's CPU resources, achieving a denial of service;
PHP is very widely deployed worldwide, which gives attackers a large number of potential targets;
PHP has so far released patches only for the 5.4 and 5.5 branches. The affected software and systems include the following PHP versions:
PHP 5.0.0–5.0.5
PHP 5.1.0–5.1.6
PHP 5.2.0–5.2.17
PHP 5.3.0–5.3.29
PHP 5.4.0–5.4.40
PHP 5.5.0–5.5.24
PHP 5.6.0–5.6.8
NSFOCUS (Green Alliance Technology) has long paid close attention to PHP security. After learning of the vulnerability, the NSFOCUS Threat Response Center activated its emergency mechanism and immediately started the related work. This article analyzes the vulnerability in depth and gives a protection plan.
PHP Remote DoS Vulnerability analysis
On the night of May 15, 2015, while tracking the spread of the PHP vulnerability, the NSFOCUS Threat Response Center also analyzed it: reproducing it programmatically, working out its operating principle, and establishing a method to clearly identify and detect it.
Separating key-value pairs in boundary
PHP is a popular server-side web programming language. It is powerful and easy to use, and web applications written in it can handle large volumes of HTTP requests, so many business environments are deployed on PHP. For the sake of standards compliance, PHP was designed from the beginning to follow the RFC specifications, encapsulating each protocol module and processing it step by step. In this respect PHP is no different from other languages and environments that also follow the RFC specifications.
Since RFC 1867, HTTP has supported "multipart/form-data" requests, which can carry several kinds of data, including multiple variables and even file uploads. A multipart/form-data body can contain multiple parts, each separated by a boundary (delimiter); each part begins with several lines of header key-value pairs, with key and value separated by a colon, so that the program can clearly distinguish the data.
But if, for some reason, the colon between a key and its value is missing, PHP's parsing function merges that line into the previous key-value pair, forming "key1: value1key2value2". Because PHP's key-value merging algorithm is not optimized, this is harmless a handful of times, but with millions of such lines it becomes a disaster.
In the following example, once the part containing "a" reaches a certain number of lines (hundreds of thousands or millions), there is no colon separating key and value on any of them, so the function merges each subsequent line into the previous key-value pair; the data grows longer and longer, the function allocates and frees memory for it on every merge, and eventually the target host's CPU resources are exhausted.
* Note: the boundary is chosen by the client and can be customized, for example "--WEBKITFORMBOUNDARYPE33TMSNWWSMPHQZ"
Such a request, as seen in a packet capture, looks as follows:
Boundary message parsing process
In PHP's main/rfc1867.c, two functions are involved in boundary parsing: the post handler SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) and multipart_buffer_headers. The DoS vulnerability lies in the multipart_buffer_headers function in main/rfc1867.c.
PHP parses a multipart/form-data HTTP request as follows. The entry point for the request body is SAPI_POST_HANDLER_FUNC (rfc1867_post_handler, in rfc1867.c). It first parses the boundary of the request, i.e. the boundary defined in the Content-Type header of the POST request, and then calls multipart_buffer_headers. That function first looks for the boundary in the body (the first reference to it) and compares it with the defined one. Once the first boundary reference is found, it reads the request input line by line to parse the part headers (i.e. what follows the first boundary reference).
SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
multipart_buffer_headers
Problems in the function's processing logic
The multipart_buffer_headers function parses the multipart header data in an HTTP request, handling each line of key-value pairs obtained by get_line. When a parsed line begins with a whitespace character, or does not contain ':', the line is treated as a continuation of the previous key-value pair and its content is appended to the previous value. For each such continuation the function performs the following:
One memory allocation:
    entry.value = emalloc(prev_len + cur_len + 1);
Two memory copies:
    memcpy(entry.value, prev_entry.value, prev_len);
    memcpy(entry.value + prev_len, line, cur_len);
One removal of the previous list entry, which frees its key and value:
    zend_llist_remove_tail(header);
When there are many lines without ':', PHP performs a large number of allocations and frees, and the allocated space and the copied data grow longer with every line. Because each merge copies the entire value accumulated so far, the total work grows quadratically with the number of lines, and once the line count is large enough the copy operations consume significant server CPU. In actual testing, a header block containing nearly 1 million lines kept the server's CPU at 100% for several seconds to more than ten seconds; with many such requests in flight concurrently, the resource exhaustion lasts longer.
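The following is an added example written for this article, not PHP's source and not NSFOCUS code: a small C model of the continuation-line join in multipart_buffer_headers, with the pre-fix quadratic join (allocate, copy everything, free) beside a linear join of the shape a fix uses (grow the buffer geometrically, copy only the new line), driven by a constructed header block of the PoC shape. The type and function names (part_hdr_t, parse_part_headers, build_malicious_part), the 16-byte starting capacity and the sample lines are ours; the counter bytes_copied measures memcpy traffic, which is the CPU cost the text describes.

```c
/* Added example, not PHP's own code: a minimal model of how
 * multipart_buffer_headers() in main/rfc1867.c stitches header continuation
 * lines. Only the last header's value is kept; the join only touches prev_entry. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *value;
    size_t len, cap;        /* strlen(value) and bytes allocated for it */
    int    n;               /* headers seen in this part */
    size_t bytes_copied;    /* every byte moved by memcpy: the cost metric */
} part_hdr_t;

/* Pre-fix: allocate prev+cur+1, copy BOTH the accumulated value and the new
 * line, free the old one. N continuation lines cost O(N^2) bytes. */
static void append_quadratic(part_hdr_t *h, const char *line, size_t cur_len)
{
    char *nv = malloc(h->len + cur_len + 1);
    memcpy(nv, h->value, h->len);
    memcpy(nv + h->len, line, cur_len);
    nv[h->len + cur_len] = '\0';
    h->bytes_copied += h->len + cur_len;
    free(h->value); h->value = nv;
    h->len += cur_len;
}

/* Hardened: grow geometrically and copy only the new line; the occasional
 * move on growth is counted too and amortises to O(N). */
static void append_linear(part_hdr_t *h, const char *line, size_t cur_len)
{
    if (h->len + cur_len + 1 > h->cap) {
        size_t ncap = h->cap ? h->cap : 16;      /* 16: our starting capacity */
        while (h->len + cur_len + 1 > ncap) ncap *= 2;
        char *nv = malloc(ncap);
        memcpy(nv, h->value, h->len);
        h->bytes_copied += h->len;
        free(h->value); h->value = nv; h->cap = ncap;
    }
    memcpy(h->value + h->len, line, cur_len);
    h->value[h->len += cur_len] = '\0';
    h->bytes_copied += cur_len;
}

/* Parse one part's CRLF-separated header block up to a blank line. As in
 * rfc1867.c, a line starting with whitespace or lacking ':' continues the
 * previous header. Returns the number of headers seen. */
static int parse_part_headers(const char *buf, int quadratic, part_hdr_t *h)
{
    memset(h, 0, sizeof *h);
    for (const char *p = buf; *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;                                 /* end of headers */
        const char *colon = isspace((unsigned char)p[0]) ? NULL : memchr(p, ':', len);
        if (colon) {                                         /* fresh header */
            const char *v = colon + 1;
            while (v < p + len && isspace((unsigned char)*v)) v++;
            free(h->value);
            h->len = (size_t)(p + len - v); h->cap = h->len + 1;
            h->value = malloc(h->cap); memcpy(h->value, v, h->len);
            h->value[h->len] = '\0';
            h->bytes_copied += h->len;
            h->n++;
        } else if (h->n > 0) {
            if (quadratic) append_quadratic(h, p, len);
            else           append_linear(h, p, len);
        }
        p = eol ? eol + 2 : p + len;
    }
    return h->n;
}

/* Constructed sample input (ours): one real header followed by n_lines lines
 * with no ':' at all, the shape of the circulating PoC bodies. */
static char *build_malicious_part(size_t n_lines)
{
    const char *first = "Content-Disposition: form-data; name=\"a\"\r\n", *cont = "aaaa\r\n";
    size_t fl = strlen(first), cl = strlen(cont);
    char *buf = malloc(fl + n_lines * cl + 3), *w = buf;
    memcpy(w, first, fl); w += fl;
    for (size_t i = 0; i < n_lines; i++) { memcpy(w, cont, cl); w += cl; }
    strcpy(w, "\r\n");
    return buf;
}

int main(void)
{
    part_hdr_t h;
    char *part = build_malicious_part(1000);
    for (int quadratic = 1; quadratic >= 0; quadratic--) {
        parse_part_headers(part, quadratic, &h);
        printf("%s join: %zu bytes copied for a %zu-byte value\n",
               quadratic ? "quadratic" : "linear   ", h.bytes_copied, h.len);
        free(h.value);
    }
    free(part);
    return 0;
}
```

With 1,000 four-byte continuation lines the quadratic join moves just over two million bytes to build a 4 KB value, while the linear join moves under ten thousand; at the million-line bodies described above the quadratic version is on the order of 10^12 bytes of copying, which is where the seconds of 100% CPU come from. The linear variant is only one way to remove the quadratic term; a parser may also cap the number or total size of header lines per part before it ever joins them.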
Exploit principle
An attack can be launched by sending an HTTP request of about 2 MB containing many lines of multipart header data; it requires no authentication and does not depend on the content of the PHP application itself. For example, sending such a malformed request every few seconds, with several requests in flight concurrently, exhausts the target host's CPU resources.
PHP Remote DoS Vulnerability detection
Given such a simple exploit and such a low barrier to entry, the analysts quickly pushed the security-verified detection method to the cloud service, the product line and the service team, and recommend that users run a comprehensive vulnerability scan of their business environment as soon as possible, so as to obtain first-hand data as the basis for developing and implementing a protection plan.
Cloud detection
On the night of May 16, the NSFOCUS customer self-service portal released a PHP remote DoS vulnerability detection engine that provides scanning support for the PHP multipart/form-data remote DoS vulnerability (PHP-69364).
You can use this self-service system at any time to scan your business environment and check whether the vulnerability exists: https://portal.nsfocus.com/vulnerability/list/
Vulnerability confirmation: when the message "Your detection target has this vulnerability" appears in the scan results, the vulnerability is confirmed to exist in the current business environment, and it is recommended that you develop a protection plan as soon as possible so that the system is not attacked before it has been hardened.
Product inspection
By deploying the NSFOCUS Remote Security Assessment System, you can quickly scan your business environment for this vulnerability. It also provides: (1) closed-loop security management of vulnerabilities, covering early warning, detection, analysis, patching, auditing and other links; (2) a rich vulnerability and configuration knowledge base, a leading security vulnerability database with nearly 30,000 entries to date; (3) flexible deployment, with centralized management through the NSFOCUS Enterprise Security Center (NSFOCUS ESPC) for unified vulnerability management across large networks; (4) the reputation of a Gartner-recommended product.
For this PHP remote DoS vulnerability, NSFOCUS vulnerability scanning products are ready; users should upgrade to the following versions as soon as possible, to obtain first-hand data for tailoring their own protection measures.
PHP Remote DoS Vulnerability protection
Knowing the exploit method and the detection method, protection against the vulnerability follows naturally. If you confirm that the vulnerability exists in your business environment, refer to the information above to develop and start a hardening plan as soon as possible, progressing step by step from patching the bug, to product protection, to overall protection.
Vulnerability hardening: PHP has officially released patches for PHP 5.4 and PHP 5.5; users of these versions should download and install them from the official website as soon as possible. The patched releases are:
http://php.net/ChangeLog-5.php#5.4.41
http://php.net/ChangeLog-5.php#5.5.25
If you are using another version of PHP, watch for the latest official PHP announcements.
Product protection
Installing the bug patch alone is not enough. To raise the overall security level and deal with future attacks, security products are an essential link; placing web systems in a DMZ and protecting them with several products together is our recommended practice. In the deployment environment below, taking the NSFOCUS Network Intrusion Prevention System (NIPS) as an example, deploying NIPS in front of the business system can provide protection against the PHP remote DoS vulnerability.
The current product upgrade information is as follows:
All users of NSFOCUS products should update the product rules as soon as possible. NSFOCUS has already provided the rule upgrade package in the software upgrade announcement, and the rules can be upgraded online through the product interface. If your business system cannot upgrade the rule package online for the moment, find the corresponding product on the software upgrade page, download the upgrade package and upgrade offline. For details, see:
Safety Product Description: http://www.nsfocus.com.cn/1_solution/1_2_1.html
Product Upgrade Announcement: http://update.nsfocus.com/
Business Security Hardening
In some large enterprises or organizations, protection against the PHP remote DoS vulnerability may not be implemented quickly, because: (1) the availability of business systems must be considered; (2) the overall implementation plan must be considered; (3) secondary damage to the business environment from the hardening work must be minimized. This requires the enterprise itself, the vendor of the vulnerable software and security vendors to work together to form a fast, safe and effective action plan, so that business systems are not attacked before they are hardened. In this emergency response process, NSFOCUS service staff suggested to customers that the action plan should include at least the following steps:
1. First, obtain the vulnerability notice and related information at the earliest opportunity, and understand the scope and depth of its impact.
2. Next, assess the scope and extent of the impact against your own actual IT and business systems (including both your own business and the impact on your customers). This judgment needs data as a factual basis for an accurate solution; users are advised to use secure and reliable vulnerability scanning tools, upgrade to the latest released plugin or rule library, scan the whole network, and obtain first-hand data as the basis for decisions;
3. Then, IT staff need to weigh business stability, the degree and scope of harm, and the importance of each system, draw up a remediation schedule, and harden the network and host equipment or business systems in order from highest to lowest priority (inviting the vulnerable software's vendor and security vendors to participate is recommended). After each hardening phase, or on overall completion, perform a full scan and manual verification of the remediation results and, where technical resources allow, re-analyze all logs to check whether any attack succeeded during the hardening period and caused other losses;
3.1. This stage requires security vendors to provide professional technical assistance, such as hardening consultation and verification that the hardening succeeded; you also need to know which security vendors have issued or will issue protection rules, so that upgrading provides protection;
3.2. If no security equipment has been adopted, temporary protective measures are needed, including using the relevant programs of the vulnerable software's vendor and security vendors, to buy time for overall hardening and avoid losses from a successful attack in the window before remediation is complete; this situation is not uncommon in quite a few 0-day events;
3.3. In addition, the vulnerable software's vendor and security vendors need to work together to communicate the principle and exploitation process of the vulnerability and interpret it in depth, so that the developers of the affected applications understand it and carry out code-level fixes suited to their own situation;
4. Finally, after the overall response work is completed, summarize it and keep a record.