View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0005003mantisbtsecuritypublic2004-12-17 09:262005-04-18 10:33
ReporterThox Assigned Tothraxisp  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionno change required 
Summary0005003: unserialize() can be unsafe to use in PHP
Description

See sections 6 and 7 of the attached document. Also available from the following URL: http://www.hardened-php.net/advisories/012004.txt

"A skilled attacker can exploit this to create an universal string that will pass execution to an arbitrary memory address when it is passed to unserialize(). For AMD64 systems it was even possible to developed a string that directly passes execution to shellcode contained in the string itself."

TagsNo tags attached.
Attached Files
012004.txt (5,951 bytes)    
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser [sesser@php.net]

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow
               local and remote execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
   References: http://www.hardened-php.net/advisories/012004.txt


Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP
   were discovered that reach from bufferoverflows, over information
   leak vulnerabilities and path truncation vulnerabilities to
   safe_mode restriction bypass vulnerabilities.


Details:

   [01 - pack() - integer overflow leading to heap bufferoverflow ]

   Insufficient validation of the parameters passed to pack() can
   lead to a heap overflow which can be used to execute arbitrary
   code from within a PHP script. This enables an attacker to
   bypass safe_mode restrictions and execute arbitrary code with
   the permissions of the webserver. Due to the nature of this
   function it is unlikely that a script accidently exposes it to
   remote attackers.

   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can
   lead to a heap information leak which can be used to retrieve
   secret data from the apache process. Additionally a skilled
   local attacker could use this vulnerability in combination with
   01 to bypass heap canary protection systems. Similiar to 01 this
   function is usually not used on user supplied data within
   webapplications.

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]

   When safe_mode is activated within PHP, it is only allowed to
   execute commands within the configured safe_mode_exec_dir.
   Unfourtunately PHP does prepend a "cd [currentdir] ;" to any
   executed command when a PHP is running on a multithreaded unix
   webserver (f.e. some installations of Apache2). Because the name
   of the current directory is prepended directly a local attacker
   may bypass safe_mode_exec_dir restrictions by injecting shell-
   commands into the current directory name.

   [04 - safe_mode bypass through path truncation ]

   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath() f.e. within glibc this
   allows crafting a filepath that pass the safe_mode check although
   it points to a file that should fail the safe_mode check.

   [05 - path truncation in realpath() ]

   PHP uses realpath() within several places to get the real path
   of files. Unfourtunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
   This can lead to arbitrary file include vulnerabilities if something
   like "include "modules/$userinput/config.inc.php"; is used on such
   systems.

   [06 - unserialize() - wrong handling of negative references ]

   The variable unserializer could be fooled with negative references
   to add false zvalues to hashtables. When those hashtables get
   destroyed this can lead to efree()s of arbitrary memory addresses
   which can result in arbitrary code execution. (Unless Hardened-PHP's
   memory manager canaries are activated)

   [07 - unserialize() - wrong handling of references to freed data ]

   Additionally to bug 06 the previous version of the variable
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create
   an universal string that will pass execution to an arbitrary
   memory address when it is passed to unserialize(). For AMD64 systems
   it was even possible to developed a string that directly passes 
   execution to shellcode contained in the string itself.

   It is necessary to understand that these strings can exploit a
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().

   Examples of vulnerable scripts:

      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
      - ...


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any
   of these vulnerabilities to the public.


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-1018 to issues 01, 02, the name
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.


Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because a lot of PHP applications expose the
   easy to exploit unserialize() vulnerability to remote attackers.
   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBwIzIRDkUzAqGSqERArD/AKCqerfjCYJnZ2vy7tRYth3VqWmqhwCbB+LL
s12EomCQ0IstWmz3F/QhM8E=
=21xF
-----END PGP SIGNATURE-----
012004.txt (5,951 bytes)   

Relationships

Relationship GraphDependency Graph
child of 0004937 closedvboctor Mantis 1.0.0a1 Release 

Activities

thraxisp

thraxisp

2004-12-17 20:04

reporter   ~0008717

Note that the suggested fix to resolve this is upgrade to php 4.3.9 or 5.0.2.

serialize/unserialize seems to be used in two places: 1) permanent (last non-temporary) filter for view_all_bugs stored in a cookie, and 2) in the graphs for temp storage of data arrays in the database. IMHO, only the former should be addresses. Maybe we should replace the filter cookie with a token storage?
grangeway

grangeway

2004-12-18 05:41

reporter   ~0008721

Stupid point, but whereas we can do stuff, surely it's the end users responsibility to be running the latest 'secure' version of apache/php ?

I'm guessing that we might move the filter cookie -> tokens or at least evaluate that move. It's one of the reasons i've left the tokens_api partly implemented with a documented TODO as we're likely to use it more in the future, and might want to change some of the internal details later on.
thraxisp

thraxisp

2005-04-12 09:16

reporter   ~0009794

I reviewed the code again. Data is serialized in a few places, before storage in the database. In no case, in 1.0.0a1 is the serialized data retrieved from the user (always from the database).