PHP zend_hash_init Function Denial of Service Vulnerability

Vulnerability ID: 1191650  Vulnerability type: Buffer overflow
Published: 2007-02-20  Updated: 2007-02-20
CVE: CVE-2007-0988  CNNVD-ID: CNNVD-200702-350
Platform: N/A  CVSS score: 4.3
|Vulnerability sources
https://www.securityfocus.com/bid/86599
https://cxsecurity.com/issue/WLB-2007030013
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-350
|Vulnerability details
The zend_hash_init function in PHP 5 before 5.2.1, and in PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) via certain integer expressions whose argument is truncated to 32 bits after the negative-value check, as demonstrated by an "a:2147483649:{" argument.
|Vulnerability EXP
A user-supplied serialized string might trigger, on 64-bit systems, a tight endless loop within zend_hash_init(), exhausting CPU resources.

Before PHP 4.3.11 was released, it was discovered that there is a problem in the unserialize() function that could be exploited to produce a tight endless loop inside zend_hash_init() through a negative array element count stored inside the serialized string.

This was fixed by raising an error when a negative integer value was found, before it was passed to the zend_hash_init() function. When such a value was passed down to that function, it resulted in a shift-left integer overflow that caused a tight endless loop.

A while later there were troubles with unserialize() on 64-bit systems, which resulted in several variables being changed from the 'int' to the 'long' type. Unfortunately zend_hash_init() still works with 'int' values, and therefore only the lower 32 bits of the number are passed from unserialize() to zend_hash_init().

Therefore the protection against negative element counts was no longer working, because on a 64-bit system a 32-bit number inside a signed 'long' can still be positive.
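As an added illustration (not PHP's source code), the following C model of the two layers the advisory describes shows why a negative check performed at 'long' width stopped protecting the 32-bit zend_hash_init(), and what a width-aware guard looks like. The function names, the table-size loop and the shape of the corrected guard are assumptions modelled on the advisory's description, not the engine's own code.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not PHP's source: unserialize() validated the element count at
 * 'long' width, then zend_hash_init() received it narrowed to a 32-bit 'uint'. */

/* Guard as the advisory describes it before the fix: only rejects negatives. */
static int old_guard_accepts(int64_t count) {
    return count >= 0;
}

/* Width-aware guard: also rejects anything that cannot survive narrowing to the
 * 32-bit type zend_hash_init() actually works with (assumed fix shape). */
static int fixed_guard_accepts(int64_t count) {
    return count >= 0 && count <= INT_MAX;
}

/* Model of the table-size search: smallest power of two (from 8) that is
 * >= nSize, in 32-bit arithmetic. Returns the exponent, or -1 when no 32-bit
 * power of two is large enough, the case where the original loop never ends. */
static int table_size_exponent(uint32_t nSize) {
    for (int i = 3; i < 32; i++) {
        if ((UINT32_C(1) << i) >= nSize) return i;
    }
    return -1; /* the original 'while' would keep shifting and spin here */
}

/* 1 when a count passes the old guard yet would hang zend_hash_init(). */
static int hangs_after_old_guard(int64_t count) {
    if (!old_guard_accepts(count)) return 0;
    uint32_t narrowed = (uint32_t)count; /* the implicit long -> uint truncation */
    return table_size_exponent(narrowed) < 0;
}

int main(void) {
    /* constructed sample counts, including the advisory's 2147483649 */
    int64_t counts[] = { 16, INT64_C(2147483647), INT64_C(2147483649), -1 };
    for (size_t k = 0; k < sizeof counts / sizeof counts[0]; k++) {
        printf("count=%lld old_guard=%d fixed_guard=%d hangs=%d\n",
               (long long)counts[k], old_guard_accepts(counts[k]),
               fixed_guard_accepts(counts[k]), hangs_after_old_guard(counts[k]));
    }
    return 0;
}
```

Note that 2147483648 narrows to 0x80000000, which the 32-bit search still satisfies at exponent 31; it is the next value, 2147483649, that exceeds every 32-bit power of two and makes the original loop spin.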
Proof of concept, exploit or instructions to reproduce

To reproduce it, just try the following PHP code on a 64-bit system.

<?php unserialize("a:2147483649:{"); ?>

Notes

PHP 4.4.5 and PHP 5.2.1 already contain fixes for this vulnerability.

You should also keep in mind that the script will still be terminated after the maximum execution time. However, when this time is set to, for example, 30 seconds and 10 requests that trigger the endless loop are sent, the result is a 100% CPU load situation for 5 minutes.
|Affected products
Zend Engine 0
PHP PHP 5.1.6
+ Ubuntu Ubuntu Linux 6.10 sparc
+ Ubuntu Ubuntu Linux 6.10 powerpc