Security Advisory 02/2002

Das e-matters Security Team hat erneut eine Sicherheitslücke in den Versionen 4.2.0 und 4.2.1 von PHP gefunden, die es je nach Prozessorarchitektur erlaubt den Webserver zum Absturz zu bringen oder komplette Kontrolle über ihn zu erlangen.

Advisory 02/2002
PHP remote vulnerability


Release Date: 2002/07/22
Author: Stefan Esser
Application: PHP 4.2.0, 4.2.1
Severity: A vulnerability within the multipart/form-data handler could allow remote compromise of the web server.
Risk: Critical
Last Modified:   2002/07/22

 

Overview

We have discovered a serious vulnerability within the default version of PHP. Depending on the processor architecture it may be possible for a remote attacker to either crash or compromise the web server.

 

Details

PHP 4.2.0 introduced a completely rewritten multipart/form-data POST handler. While I was working on the code in my role as PHP developer i found a bug within the way the mime headers are processed. A malformed POST request can trigger an error condition, that is not correctly handled. Due to this bug it could happen that an uninitialised struct gets appended to the linked list of mime headers. When the lists gets cleaned or destroyed PHP tries to free the pointers that are expected in the struct. Because of the lack of initialisation those pointers contain stuff that was left on the stack by previous function calls.

On the IA32 architecture (aka. x86) it is not possible to control what will end up in the uninitialised struct because of the stack layout. All possible code paths leave illegal addresses within the struct and PHP will crash when it tries to free them.

Unfortunately the situation is absolutely different if you look on a solaris sparc installation. Here it is possible for an attacker to free chunks of memory that are full under his control. This is most probably the case for several more non IA32 architectures.

Please note that exploitability is not only limited to systems that are running malloc()/free() implementations that are known to be vulnerable to control structure overwrites. This is because the internal PHP memory managment implements its own linked list system that can be used to overwrite nearly arbitrary memory addresses.

 

Proof of Concept

e-matters is not going to release the exploit for this vulnerability to the public.

 

Vendor Response

22 July 2002 An updated version of PHP which fixes this vulnerability was released and can be downloaded at:

       http://www.php.net/downloads.php
  
  The vendor announcement is available at:

       http://www.php.net/release_4_2_2.php

 

Recommendation

If you are running PHP 4.2.x you should upgrade as soon as possible, especially if your server runs on a non IA32 CPU. If you cannot upgrade for whatever reason the only way to workaround this, is to disable all kinds of POST requests on your server.