Remote DOS vulnerability in multiple versions of PHP


Recently, multiple versions of PHP were found to carry a remote DoS vulnerability (official bug number 69364). A proof-of-concept request built on it can easily drive the target host's CPU to 100% utilization. The Green Alliance Technology (NSFOCUS) Threat Response Center immediately activated its emergency mechanism, started emergency response work, summarized the PHP vulnerability points, and developed a series of protection schemes.

The software and systems affected by this vulnerability include the following PHP versions:

• PHP 5.0.0-5.0.5
• PHP 5.1.0-5.1.6
• PHP 5.2.0-5.2.17
• PHP 5.3.0-5.3.29
• PHP 5.4.0-5.4.40
• PHP 5.5.0-5.5.24
• PHP 5.6.0-5.6.8

The characteristics of this vulnerability are:

1. Once it is successfully exploited, the CPU resources of the attacked host can be consumed rapidly, achieving the DoS effect;

2. PHP is deployed worldwide on a considerable scale, giving attackers a considerable number of targets;

3. At present PHP has only released patches for versions 5.4 and 5.5.

About the PHP remote DoS vulnerability

On April 3, someone submitted a PHP remote DoS vulnerability (PHP multipart/form-data remote DoS vulnerability), bug number 69364, on the PHP website. The vulnerability involves all versions of PHP and has a wide impact, so it quickly raised many concerns after publication. By the 14th, a variety of PoCs were circulating on the network.

Separating key-value pairs within a boundary

PHP is a popular server-side web programming language: it is powerful and easy to use, and web applications written in it can handle large-scale HTTP request loads, so many business environments are deployed on PHP. For the sake of standards compliance, PHP was designed from the beginning to follow the RFC specifications, encapsulating and processing each protocol module accordingly. In this respect PHP's approach differs from that of other languages and environments that also follow the RFC specifications.

Starting with RFC 1867, the HTTP protocol began to support multipart/form-data requests, which can carry multiple data formats, including multiple variables and even file uploads. A multipart/form-data body can contain multiple parts, each separated by a boundary (delimiter), and each part carries a multi-line header of key-value pairs, where key and value are separated by a colon. This design lets the program clearly distinguish the data.


But if, for some reason, the colon between a key and its value is missing, the PHP function merges the next line into the previous one, forming the pair "key1: value1 key2 value2". Because PHP's algorithm for this key-value merging is not well optimized, it is harmless when it happens a few times, but when it happens millions of times it becomes a disaster.

In the following example, once the number of "a" lines reaches a certain size (hundreds of thousands or millions of lines), the function, finding no colon separating key and value, keeps merging each following line into the previous pair. The data thus grows larger and longer, and the function continuously allocates and frees memory for it. By the end of the attack the target host's CPU resources are exhausted.

When this request is captured in a packet capture, it looks as follows:

Boundary message parsing process

In PHP's main/rfc1867.c, two functions are involved in boundary parsing: SAPI_API SAPI_POST_HANDLER_FUNC and multipart_buffer_headers. The DoS vulnerability occurs in the multipart_buffer_headers function in main/rfc1867.c.

PHP first parses the multipart/form-data HTTP request. The entry point for handling the HTTP request body is SAPI_POST_HANDLER_FUNC (a function in rfc1867.c). It first parses the boundary of the request, that is, the boundary defined at the start of the POST request (in its Content-Type header), and then calls multipart_buffer_headers. That function first looks for the boundary in the body (the referenced boundary) and compares it with the defined one. Once the first referenced boundary is found, the request input is read line by line to parse the part headers (that is, the headers following the first referenced boundary).

SAPI_API SAPI_POST_HANDLER_FUNC

multipart_buffer_headers

Processing logic of the problematic function

The multipart_buffer_headers function parses the multipart header data in an HTTP request, processing each line of key-value pairs obtained via get_line. When a parsed line starts with a whitespace character, or does not contain ':', the line is treated as a continuation of the previous key-value pair and its content is appended to the previous value. During this append, the function performs the following actions:

1. One memory allocation

2. Two memory copies

3. One memory release

When there are many lines without ':', PHP performs a large number of memory allocations and releases, and the allocated buffers and the copies grow longer and longer. When the number of lines is large enough, the copy operations consume the server's CPU significantly. In actual testing, a header containing nearly one million lines can keep the server's CPU at 100% for several seconds, up to around ten seconds. If multiple attack requests are sent concurrently, the resource consumption lasts longer.
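To make the merge cost described above concrete (the key-value merging of continuation lines and the allocate/copy/free sequence), here is an added C model written for this article; it is illustrative code, not PHP's rfc1867.c. The functions merge_cost and demo_cost, the max_len size cap and the geometric-growth variant are assumptions of this example, not the upstream fix.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Illustrative model (not PHP's code) of the continuation-line merge in
 * multipart_buffer_headers(): a line starting with whitespace or lacking ':'
 * is glued onto the previous header value.  naive=1 mirrors the behaviour
 * described above (allocate prev+cur, copy both halves, free the old buffer);
 * naive=0 grows one buffer geometrically so each byte is copied O(1) times.
 * Returns total bytes copied, or -1 once the merged value exceeds max_len,
 * the defensive size cap a hardened parser would enforce (assumed here). */
long merge_cost(const char **lines, size_t n, int naive, size_t max_len) {
    char *val = NULL; size_t len = 0, cap = 0; long copied = 0;
    for (size_t i = 0; i < n; i++) {
        const char *line = lines[i];
        size_t cur = strlen(line);
        int cont = isspace((unsigned char)line[0]) || !strchr(line, ':');
        if (!cont || !val) {                    /* a new "key: value" header */
            free(val);
            cap = cur + 1; len = cur;
            if (!(val = malloc(cap))) abort();
            memcpy(val, line, cap); copied += cur;
            continue;
        }
        if (len + cur > max_len) { free(val); return -1; }
        if (naive) {
            char *nv = malloc(len + cur + 1); if (!nv) abort();
            memcpy(nv, val, len);               /* copy 1: whole old value */
            memcpy(nv + len, line, cur);        /* copy 2: the new line */
            copied += len + cur;
            free(val); val = nv; cap = len + cur + 1;  /* one release */
        } else {
            if (len + cur + 1 > cap) {          /* amortized growth */
                while (cap < len + cur + 1) cap *= 2;
                if (!(val = realloc(val, cap))) abort();
                copied += len;                  /* realloc may move the data */
            }
            memcpy(val + len, line, cur); copied += cur;
        }
        len += cur; val[len] = '\0';
    }
    free(val);
    return copied;
}
/* Constructed input: one real header followed by n colon-free lines. */
long demo_cost(size_t n, int naive, size_t max_len) {
    const char **lines = malloc((n + 1) * sizeof *lines); if (!lines) abort();
    lines[0] = "K: v";
    for (size_t i = 1; i <= n; i++) lines[i] = "aaaa";
    long c = merge_cost(lines, n + 1, naive, max_len);
    free(lines); return c;
}
```

With 4-byte lines the naive variant copies 2n^2 + 6n + 4 bytes for n continuation lines, which is the quadratic growth behind the CPU exhaustion; the size cap turns an oversized header into a rejected request instead.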

Exploit principle

An attacker can launch the attack by sending a 2 MB HTTP request containing many lines of multipart header data, without authentication and regardless of the content of the PHP program itself. For example, by sending such a malformed request every few seconds, with several such requests in parallel, the target host's CPU resources are exhausted.

PHP remote DoS vulnerability detection

Given how simple the exploit is and how low the bar for attack, analysts quickly rolled the security-verified detection method out to the cloud, product and service sides, and advise users to perform a comprehensive vulnerability check of their business environment as soon as possible, so that they have first-hand data to support the subsequent development and implementation of a protection scheme.

Cloud detection

On the night of May 16, the Green Alliance Technology (NSFOCUS) Customer Self-Service Portal published a PHP remote DoS vulnerability detection engine that provides scanning support for the PHP multipart/form-data remote DoS vulnerability (PHP-69364).


You can now use this self-service system at any time to scan your business environment for the vulnerability: https://portal.nsfocus.com/vulnerability/list/

Vulnerability confirmation: when the message "Your detection target has this vulnerability" appears in the scan results, the vulnerability is confirmed in the current business environment. It is recommended that you develop a protection plan as soon as possible so that the system is not attacked before it is hardened.

Product inspection

By deploying the Green Alliance Remote Security Assessment System, you can quickly scan for this vulnerability in your business environment, and in addition: 1. closed-loop security management of vulnerabilities, including early warning, detection, analysis management, patching, audit and other links; 2. a rich vulnerability and configuration knowledge base, a leading security vulnerability database that currently holds nearly 30,000 entries; 3. flexible deployment, and with the Green Alliance Enterprise Security Center (NSFocus ESPC) for centralized management, effective unified vulnerability management across large-scale networks; 4. the reputation of a Gartner-recommended protection product.


PHP remote DoS vulnerability protection

Knowing how the exploit works and how attacks are detected, the protection of the vulnerability follows. If you have confirmed that the vulnerability exists in your business environment, refer to the information above to develop and start a hardening plan as soon as possible, advancing step by step from the bug patch, to product-level protection, to overall protection.

Vulnerability hardening

PHP has officially released patches for the PHP 5.4 and PHP 5.5 branches. Users of these versions should download and install the patched releases from the official website as soon as possible. The patches are as follows:

http://php.net/ChangeLog-5.php#5.4.41

http://php.net/ChangeLog-5.php#5.5.25

If you are using another version of PHP, watch for the latest official PHP announcements.

Business Security Hardening
