Title: PHP remote format string vulnerabilities
Released by: Jouko Pynnönen
Date: 12th October 2000
OVERVIEW

PHP is a commonly used HTML-embedded scripting language. Format string
vulnerabilities exist in the error logging routines of PHP versions 3
and 4, allowing remote users to execute arbitrary code under the web
server's user id. A web server having PHP installed and one or more PHP
scripts is vulnerable to the problem if error logging is enabled in
php.ini. Also any PHP script using the "syslog" command of PHP may be
vulnerable, regardless of error logging.

The problem was tested on a Red Hat Linux system having Apache and
mod_php3 installed. Error logging was enabled in php.ini. With a test
exploit program, a shellcode could be run remotely under the web server
user id, which is typically not the root user.


BUG DETAILS

In main.c, function php3_log_error():

#if HAVE_SYSLOG_H
        if (!strcmp(php3_ini.error_log, "syslog")) {
                /* log_message is passed as the format string, not as data */
                syslog(LOG_NOTICE, log_message);
                return;
        } else {
#endif
                log_file = fopen(php3_ini.error_log, "a");
                if (log_file != NULL) {
                        /* same bug: should be fprintf(log_file, "%s", log_message) */
                        fprintf(log_file, log_message);
...


This one is a classical "format bug": log_message, which contains data
influenced by the remote client, is passed where a constant format
string is expected. There are a couple of other similar fprintf() calls
in the same function, as well as Apache API function calls to
aplog_error() and log_error(), which all use log_message as a format
string.

The message can be trivially generated with any php3 script on a web
server, for example by sending a POST request with content-type
"multipart/form-data" but without a boundary string. A shellcode and
other data may be placed in the error message. The error message can be
generated without the script actually wanting to process any POST data.
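The malformed request described above, as an added example that is not part of the advisory: a small C checker that parses the header block of a raw HTTP request and flags a Content-Type of multipart/form-data that carries no boundary parameter, the shape of request the advisory names as a trigger for the error path. The two sample requests are constructed for the example; the function names, the host and path, and the request body are assumptions (the advisory does not state which part of the request ends up in the logged message, so the body here is only a placeholder).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of the first n bytes, ASCII only. Kept local
 * so the block builds under strict C11 without POSIX strncasecmp(). */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb)
            return 0;
        if (ca == '\0')
            return 1;
    }
    return 1;
}

/* Return 1 if a Content-Type value names multipart/form-data but carries no
 * boundary parameter, i.e. the malformed request the advisory names as a
 * trigger for the error path. Media type and parameter name are matched
 * case-insensitively, as HTTP permits. */
int multipart_missing_boundary(const char *content_type)
{
    static const char media[] = "multipart/form-data";
    const size_t mlen = sizeof media - 1;
    const char *p = content_type;

    while (*p == ' ' || *p == '\t')
        p++;
    if (!ieq_n(p, media, mlen))
        return 0;
    p += mlen;
    if (*p != '\0' && *p != ';' && *p != ' ' && *p != '\t')
        return 0;                       /* e.g. multipart/form-datax */

    /* walk the ';'-separated parameters looking for boundary=... */
    while ((p = strchr(p, ';')) != NULL) {
        p++;
        while (*p == ' ' || *p == '\t')
            p++;
        if (ieq_n(p, "boundary", 8)) {
            const char *q = p + 8;
            while (*q == ' ' || *q == '\t')
                q++;
            if (*q == '=')
                return 0;               /* boundary present, well-formed */
        }
    }
    return 1;
}

/* Scan the header block of a raw HTTP request for Content-Type and apply
 * the check above. Returns 0 when there is no Content-Type header. */
int request_is_trigger(const char *raw_request)
{
    static const char name[] = "Content-Type:";
    const size_t nlen = sizeof name - 1;
    const char *line = raw_request;

    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0)
            break;                      /* blank line ends the headers */
        if (len > nlen && ieq_n(line, name, nlen)) {
            char value[256];
            size_t vlen = len - nlen;
            if (vlen >= sizeof value)
                vlen = sizeof value - 1;
            memcpy(value, line + nlen, vlen);
            value[vlen] = '\0';
            return multipart_missing_boundary(value);
        }
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return 0;
}

/* Constructed sample requests (host, path and body are placeholders). */
static const char SAMPLE_TRIGGER[] =
    "POST /test.php3 HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: multipart/form-data\r\n"      /* no boundary= */
    "Content-Length: 6\r\n"
    "\r\n"
    "%n%n%n";

static const char SAMPLE_BENIGN[] =
    "POST /test.php3 HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=----ex4mple\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

int main(void)
{
    printf("trigger request flagged: %d\n", request_is_trigger(SAMPLE_TRIGGER));
    printf("well-formed request flagged: %d\n", request_is_trigger(SAMPLE_BENIGN));
    return 0;
}
```

The check is deliberately narrow: a missing boundary is a protocol error in its own right, so flagging it in front of a PHP 3/4 server costs nothing in false positives and catches the trigger before the logging code sees it.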



Another format bug in functions/syslog.c, function php3_syslog:

        /* the script-supplied message string is the format argument */
        syslog(priority->value.lval, message->value.str.val);

The "syslog" command of PHP takes two parameters, the priority/facility
number and the message itself. The message is always passed to libc
syslog() as a format string. Thus any PHP script that passes
user-influenced data to syslog may be vulnerable to a format string
attack; details depend on the script in question.

The code fragments above are taken from PHP 3 sources, but the
vulnerabilities exist in PHP version 4 too.
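Both bugs, the fprintf()/syslog() calls in php3_log_error() and the syslog() call in php3_syslog(), have the same fix: the message must be an argument to a fixed "%s" format, never the format itself. The following C block is an added example, not code from PHP or from the advisory; it shows the hardened form of each call, a helper that detects conversion directives in a message (the log-side check a practitioner can run on what actually reached the log), and a round-trip through a temporary file proving that directives in attacker data stay literal. The function names and the sample message are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Return 1 if msg contains a conversion directive that a printf-family
 * function would act on when msg is misused as the format string. "%%"
 * is a literal percent and does not count; a lone '%' at the end of the
 * string is treated conservatively as a directive. */
int has_format_directive(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return 1;               /* '%' followed by anything else, or at end */
    }
    return 0;
}

/* Hardened form of the fprintf(log_file, log_message) call in
 * php3_log_error(): the message becomes an argument of a fixed format,
 * so "%n", "%x" and friends inside it are written literally. */
void log_error_safe(FILE *log_file, const char *log_message)
{
    fprintf(log_file, "%s\n", log_message);
}

/* Hardened form of the syslog() call in php3_syslog(): same fix, the
 * script-supplied message is never the format argument. */
void php_syslog_safe(int priority, const char *message)
{
    syslog(priority, "%s", message);
}

/* Round-trip a message through log_error_safe() via a temporary file and
 * return what was written (caller frees). Lets a test confirm that the
 * directives in attacker-controlled data stay literal. */
char *log_roundtrip(const char *log_message)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    log_error_safe(f, log_message);
    fflush(f);
    long len = ftell(f);
    if (len < 0) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    char *buf = malloc((size_t)len + 1);
    if (buf == NULL) {
        fclose(f);
        return NULL;
    }
    size_t n = fread(buf, 1, (size_t)len, f);
    buf[n] = '\0';
    fclose(f);
    return buf;
}

/* Constructed sample of what an attacker wants in the logged message:
 * "%x" reads stack words, "%n" writes a count to memory when interpreted. */
static const char SAMPLE_ATTACK_MESSAGE[] =
    "PHP Warning: constructed sample %08x.%08x.%n";

int main(void)
{
    printf("directive present: %d\n", has_format_directive(SAMPLE_ATTACK_MESSAGE));
    char *out = log_roundtrip(SAMPLE_ATTACK_MESSAGE);
    if (out != NULL) {
        fputs(out, stdout);     /* printed verbatim: nothing was expanded */
        free(out);
    }
    return 0;
}
```

The vulnerable originals are deliberately not reproduced as compilable code here: modern gcc with -Wformat-security (an error by default on some distributions) rejects a non-literal format with no arguments, which is itself a useful check to run over a PHP 3/4 era tree.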







SOLUTION

Authors of PHP have been contacted (two weeks ago) and they have released
new versions of the software. OS vendors have been contacted as well and
they have released, or will shortly release, fix packages. A temporary
workaround is to disable error logging in php.ini, and disable any PHP
scripts that use the syslog command.

A new fixed version of PHP 4 is downloadable at

http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz






CREDITS

Vulnerability discovered by: Jouko Pynnönen

--
Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi                                 http://www.secmod.com