PHP 5 infoleak vulnerability leading to potential SSL key disclosure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php5 (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
Lucid | Fix Released | Undecided | Marc Deslauriers |
Precise | Fix Released | Undecided | Marc Deslauriers |
Saucy | Fix Released | Undecided | Marc Deslauriers |
Trusty | Fix Released | Undecided | Marc Deslauriers |
Utopic | Fix Released | Undecided | Marc Deslauriers |
Bug Description
https:/
Description:
------------
Hey,
I recently discovered an easy-to-exploit arbitrary information leak
vulnerability in PHP. The information leak can be exploited by setting
PHP_SELF, PHP_AUTH_TYPE, PHP_AUTH_USER or PHP_AUTH_PW to non-string
variables before calling phpinfo().
When you look at the code from /ext/standard/
the code simply trusts that the returned ZVALs are of type STRING. If
there are, however, integers, the code will interpret the integer as an
in-memory pointer and print out the binary string at that position.
```c
if (zend_hash_
sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
}
if (zend_hash_
sizeof(
}
if (zend_hash_
sizeof(
}
if (zend_hash_
sizeof(
}
```
I have attached a patch to fix this problem and the demo exploit used to
create the following output.
(As you can see there are a bunch of 0x20 in the output that should
actually be 0x00. I believe this is due to a bug in php_write() that
seems to write a space in case of an empty string??? But I did not
actually research this.)
$ vmmap $$ | grep _TEXT | grep libSystem
__TEXT 00007fff8da9f00
r-x/r-x SM=COW /usr/lib/
$ php phpinfo_
Heapdump
---------
00000000: cf fa ed fe 07 00 20 01 03 00 20 20 06 00 20 20 ...... ... ..
00000010: 2a 00 20 20 c0 0c 00 20 b5 00 20 80 00 20 20 20 *. ... .. ..
00000020: 19 00 20 20 d8 01 00 20 5f 5f 54 45 58 54 00 20 .. ... __TEXT.
00000030: 20 20 20 20 20 20 20 20 20 90 de 84 ff 7f 00 20 .....
00000040: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000050: 20 20 20 20 20 20 20 20 07 00 20 20 05 00 20 20 .. ..
00000060: 05 00 20 20 20 20 20 20 5f 5f 74 65 78 74 00 20 .. __text.
00000070: 20 20 20 20 20 20 20 20 5f 5f 54 45 58 54 00 20 __TEXT.
00000080: 20 20 20 20 20 20 20 20 1a aa de 84 ff 7f 00 20 ......
00000090: a4 01 00 20 20 20 20 20 1a 1a 00 20 20 20 20 20 ... ...
000000a0: 20 20 20 20 20 20 20 20 20 04 00 80 00 20 20 20 ....
000000b0: 20 20 20 20 20 20 20 20 5f 5f 73 74 75 62 73 00 __stubs.
000000c0: 20 20 20 20 20 20 20 20 5f 5f 54 45 58 54 00 20 __TEXT.
000000d0: 20 20 20 20 20 20 20 20 be ab de 84 ff 7f 00 20 ......
000000e0: 56 01 00 20 20 20 20 20 be 1b 00 20 01 00 20 20 V.. ... ..
000000f0: 20 20 20 20 20 20 20 20 08 04 00 80 00 20 20 20 .....
00000100: 06 00 20 20 20 20 20 20 5f 5f 73 74 75 62 5f 68 .. __stub_h
00000110: 65 6c 70 65 72 00 20 20 5f 5f 54 45 58 54 00 20 elper. __TEXT.
00000120: 20 20 20 20 20 20 20 20 14 ad de 84 ff 7f 00 20 ......
00000130: 4a 02 00 20 20 20 20 20 14 1d 00 20 02 00 20 20 J.. ... ..
00000140: 20 20 20 20 20 20 20 20 20 04 00 80 00 20 20 20 ....
00000150: 20 20 20 20 20 20 20 20 5f 5f 63 6f 6e 73 74 00 __const.
00000160: 20 20 20 20 20 20 20 20 5f 5f 54 45 58 54 00 20 __TEXT.
00000170: 20 20 20 20 20 20 20 20 60 af de 84 ff 7f 00 20 `.....
00000180: 40 00 20 20 20 20 20 20 60 1f 00 20 04 00 20 20 @. `.. ..
00000190: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000001a0: 20 20 20 20 20 20 20 20 5f 5f 75 6e 77 69 6e 64 __unwind
000001b0: 5f 69 6e 66 6f 00 20 20 5f 5f 54 45 58 54 00 20 _info. __TEXT.
000001c0: 20 20 20 20 20 20 20 20 a0 af de 84 ff 7f 00 20 ......
000001d0: 58 00 20 20 20 20 20 20 a0 1f 00 20 20 20 20 20 X. ...
000001e0: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000001f0: 20 20 20 20 20 20 20 20 19 00 20 20 28 02 00 20 .. (..
Because this is only exploitable in case these variables are overwritten
as integers, which is less likely in a remote context, this has to be
mostly considered a local information leak only. However, if you are
running as mod_php and there is mod_ssl, this could be used to steal the
private SSL key from memory (if you can inject PHP code).
Regards,
Stefan Esser
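The bug class described in the report is a tagged-union type confusion: the ZVAL carries a type tag, but the phpinfo() code reads the string slot of the union without consulting the tag, so an integer's bits are reinterpreted as a char pointer. The following is an added illustration written for this page, not PHP's own code or the attached patch; the zval_t struct, the tag values and every function name are constructed stand-ins for the real Zend structures. It places the unchecked accessor (the vulnerable pattern) beside a checked accessor and a row printer that refuses to dereference anything the tag does not mark as a string, which is the shape of fix the report calls for.

```c
/* Added illustration of the zval type confusion in phpinfo() and its fix.
 * Not PHP source: zval_t, the tag values and the function names are
 * constructed stand-ins for Zend's zval, IS_LONG/IS_STRING and Z_STRVAL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed tag values, mimicking Zend's IS_LONG and IS_STRING. */
enum vtype { T_LONG = 1, T_STRING = 6 };

typedef struct {
    enum vtype type;
    union {
        long lval;                            /* integer payload */
        struct { char *val; size_t len; } str; /* string payload */
    } value;
} zval_t;

/* Build a string-tagged value (the normal case for PHP_SELF etc.). */
zval_t make_string(const char *s) {
    zval_t z;
    z.type = T_STRING;
    z.value.str.val = (char *)s;
    z.value.str.len = strlen(s);
    return z;
}

/* Build an integer-tagged value (what the report sets the variables to). */
zval_t make_long(long n) {
    zval_t z;
    z.type = T_LONG;
    z.value.lval = n;
    return z;
}

/* Vulnerable pattern: read the string slot without checking the tag.
 * On an LP64 system the long and the pointer share the same bytes, so a
 * long comes back as a char pointer. Never dereferenced in this file. */
const char *string_value_unchecked(const zval_t *z) {
    return z->value.str.val;
}

/* Hardened accessor: hand back a pointer only when the tag says string. */
const char *string_value_checked(const zval_t *z) {
    if (z->type != T_STRING) {
        return NULL;
    }
    return z->value.str.val;
}

/* Defensive row printer: prints the string, or a placeholder naming the
 * offending type, and never dereferences a non-string value.
 * Returns 1 when a string was printed, 0 when the value was refused. */
int print_row(FILE *out, const char *name, const zval_t *z) {
    const char *s = string_value_checked(z);
    if (s == NULL) {
        fprintf(out, "%s => <non-string value of type %d, not printed>\n",
                name, (int)z->type);
        return 0;
    }
    fprintf(out, "%s => %s\n", name, s);
    return 1;
}

/* Shows the confusion itself: with the unchecked accessor, an integer n
 * is returned as the pointer whose address equals n (compared, not read). */
int long_is_reinterpreted_as_pointer(long n) {
    zval_t z = make_long(n);
    return (const char *)(uintptr_t)n == string_value_unchecked(&z);
}

int main(void) {
    /* Constructed sample values for PHP_SELF: a string and an integer. */
    zval_t good = make_string("/index.php");
    zval_t bad = make_long(4660);
    print_row(stdout, "PHP_SELF", &good);
    print_row(stdout, "PHP_SELF", &bad);
    return 0;
}
```

The checked accessor is the whole mitigation: once the tag is consulted before the union's string slot is read, an attacker-controlled integer can no longer be turned into a read address, and the row printer degrades to a harmless placeholder instead of a memory dump.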
information type: Private Security → Public Security
Changed in php5 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
The attachment "patch adapted from upstream fix" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]