PHP remote DoS vulnerability in-depth analysis and protection solution - Vulnerability Warning - myhack58 (黑吧安全网)

ID MYHACK58:62201562777
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-05-23T00:00:00


On May 14, news of a PHP remote DoS vulnerability broke domestically; its official number is PHP bug #69364. A PoC built for the vulnerability needs only a single connection to drive the target host's CPU usage to 100%, and it affects most PHP versions. Nsfocus Threat Response Center launched its emergency mechanism immediately and started the response work. On the night of the 15th, vulnerability analysis began and the results were passed to the product teams as they came in. On the 16th, the product rule upgrade notice was released and the Nsfocus RSAS upgrade package was ready, so customers can obtain detection capability for the vulnerability through an online or offline upgrade; the online vulnerability detection engine was ready at the same time. On the 17th, the in-depth analysis of the vulnerability was completed and the Nsfocus NIPS upgrade package was ready, so customers can obtain protection capability through an online or offline upgrade. On the 18th, we reviewed the elements of the vulnerability from the protection angle and summarized them, to give everyone supplementary information for building a defensive scheme.

PHP remote DoS vulnerability

On April 3, the vulnerability was submitted to the PHP official site as "PHP Multipart/form-data remote dos Vulnerability", bug #69364. Because it affects every PHP version, its impact is large, and it quickly drew attention from many sides once it was published. By May 14, a variety of PoCs were already circulating on the network. The vulnerability has the following characteristics: once exploited successfully, it rapidly consumes the attacked host's CPU resources, achieving a DoS; PHP is deployed in very large numbers worldwide, which gives attackers a considerable number of targets; and at the time of writing, the PHP official site only shows patches for the 5.4 and 5.5 branches.

Software and systems affected by this vulnerability include the following PHP versions:

PHP 5.0.0 – 5.0.5
PHP 5.1.0 – 5.1.6
PHP 5.2.0 – 5.2.17
PHP 5.3.0 – 5.3.29
PHP 5.4.0 – 5.4.40
PHP 5.5.0 – 5.5.24
PHP 5.6.0 – 5.6.8

Nsfocus has paid close attention to PHP security issues for years. On learning of the relevant information, Nsfocus Threat Response Center immediately launched its emergency mechanism and started the relevant work. This article gives an in-depth analysis of the vulnerability and proposes response options.

PHP remote DoS vulnerability analysis

On the night of May 15, 2015, as the PHP vulnerability information spread, Nsfocus Threat Response Center was already analysing it: reproducing the attack, analysing its working principle, and identifying a clear method for detecting the vulnerability.

Boundaries and key-value pair separators

PHP is a popular server-side web programming language. It is powerful and easy to use, and web applications written in it can serve large volumes of HTTP requests, so many business environments deploy PHP. For the sake of standards compliance, PHP was designed from the start to follow the RFC specifications when encapsulating and processing each protocol module, but compared with other languages and environments that also follow the RFCs, PHP handles some things differently.

Starting with RFC 1867, HTTP began to support "multipart/form-data" requests in order to accept many kinds of data, including multiple variables and even file uploads. A multipart/form-data body may contain several parts, each separated by a boundary (delimiter), and each part carries several lines of key-value pairs (the part headers), with key and value separated by a colon. This design lets the program clearly distinguish these pieces of data.

But if, for some reason, the colon between a key and its value is missing, PHP's parsing function treats that line as a continuation of the previous line, forming a key-value pair like "key1: value1 key2 value2". Because PHP's key-value merging algorithm is not optimized, this is harmless if it happens a few times, but if it happens millions of times it becomes a disaster. In the example request (a screenshot in the original), when a part reaches hundreds of thousands or millions of lines, none of which contains the colon separator between key and value, the function merges each line into the previous key-value pair, so the data grows larger and longer with every line, and the function keeps allocating and releasing memory for it; the end result is that the attacked host's CPU resources are exhausted.

Note: in PHP the boundary is customizable, for example "--WebKitFormBoundarypE33TmSNWwsMphqz", which is how it appears in the captured packet.

Boundary packet parsing process

In PHP's main/rfc1867.c, two functions are involved in parsing the boundary: SAPI_API SAPI_POST_HANDLER_FUNC (which expands to rfc1867_post_handler) and multipart_buffer_headers. The DoS vulnerability is in the multipart_buffer_headers function of main/rfc1867.c.

When PHP parses a multipart/form-data HTTP request, the entry function for the request body is SAPI_POST_HANDLER_FUNC in rfc1867.c. It first parses the request's boundary, that is, the boundary defined at the start of the POST request, and internally calls multipart_buffer_headers. That function first finds the next occurrence of the boundary in the body (a "reference boundary") and compares it with the defined boundary. If they are equal, i.e. the first reference boundary has been found, it reads the request input line by line to parse the part headers, that is, the content that follows the first reference boundary.

SAPI_API SAPI_POST_HANDLER_FUNC

multipart_buffer_headers

The problem lies in the processing logic of multipart_buffer_headers. When parsing the multipart header data in the HTTP request, it calls get_line for each line to obtain a key-value pair. When the parsed line begins with whitespace, or contains no ':', the line is treated as a continuation of the previous line's value: the current line is appended to the previous key-value pair, and in the splicing process the function performs the following operations:

one memory allocation:
entry.value = emalloc(prev_len + cur_len + 1);
two memory copies:
memcpy(entry.value, prev_entry.value, prev_len);
memcpy(entry.value + prev_len, line, cur_len);
one memory release:
zend_llist_remove_tail(header);

When there are many lines without ':', PHP performs a large number of allocate-and-release operations, and the allocated size and copied length grow with every line, because each line re-copies everything merged before it; the total number of bytes copied therefore grows with the square of the line count. Once the number of lines is large enough, the copying noticeably consumes server CPU. In actual testing, a header block of close to a million lines keeps the server's CPU at 100% for several seconds to tens of seconds, and multiple concurrent attack requests can hold resources for longer.
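The merge loop described above, as an added example that is not PHP's own code: a small model of the continuation handling in multipart_buffer_headers (allocate prev_len + cur_len + 1, copy the old value, copy the new line, drop the old tail), instrumented to count the bytes copied, next to a hardened variant written for this example rather than taken from PHP's patch. Names such as header_state, parse_vulnerable, parse_hardened, build_attack_body and the 8192-byte cap are assumptions of this example; the attack body is constructed inline.

```c
/* Added example (not PHP's code): a minimal model of the header-merging loop in
 * main/rfc1867.c multipart_buffer_headers() as the article describes it, beside
 * a hardened variant, instrumented to expose the quadratic copy cost. Names are
 * hypothetical; only the latest header value is kept, since the continuation
 * logic never touches anything else. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HEADER_BYTES 8192   /* cap used by the hardened parser only (assumption) */

typedef struct { char *value; size_t count, bytes_copied; } header_state;
/* value: the most recently parsed header's value; count: headers seen so far;
 * bytes_copied: bytes moved by the merge memcpy()s. Zero-initialise once. */
static void state_reset(header_state *s) {
    free(s->value); s->value = NULL; s->count = 0; s->bytes_copied = 0;
}
/* Next CRLF-terminated line into out (CRLF stripped, over-long lines truncated); 0 at end. */
static int next_line(const char **p, char *out, size_t cap) {
    const char *s = *p, *e = strstr(s, "\r\n");
    size_t len = e ? (size_t)(e - s) : strlen(s);
    if (*s == '\0') return 0;
    *p = e ? e + 2 : s + len;
    if (len >= cap) len = cap - 1;
    memcpy(out, s, len); out[len] = '\0';
    return 1;
}
/* "key: value" line: the value starts after the first ':' and any whitespace. */
static void add_header(header_state *s, char *colon) {
    do { colon++; } while (isspace((unsigned char)*colon));
    free(s->value);
    s->value = malloc(strlen(colon) + 1);
    strcpy(s->value, colon);
    s->count++;
}
/* The pattern the article quotes: emalloc(prev_len + cur_len + 1), two memcpy()s,
 * release the old tail. Every extra line re-copies all that was merged before it. */
static void append_to_last(header_state *s, const char *line) {
    size_t prev_len = strlen(s->value), cur_len = strlen(line);
    char *merged = malloc(prev_len + cur_len + 1);
    memcpy(merged, s->value, prev_len);
    memcpy(merged + prev_len, line, cur_len);
    merged[prev_len + cur_len] = '\0';
    s->bytes_copied += prev_len + cur_len;
    free(s->value);
    s->value = merged;
}
/* Vulnerable logic: a line with no ':' (or starting with whitespace) is glued
 * onto the previous header value, however many such lines arrive. */
static int parse_vulnerable(const char *body, header_state *out) {
    char line[256];
    state_reset(out);
    while (next_line(&body, line, sizeof line) && line[0] != '\0') {
        char *colon = isspace((unsigned char)line[0]) ? NULL : strchr(line, ':');
        if (colon) add_header(out, colon);
        else if (out->count) append_to_last(out, line); /* junk before the first header is dropped */
    }
    return 0;
}
/* Hardened variant (this example's own hardening, not PHP's patch): a line with
 * no ':' is a continuation only if it starts with whitespace (RFC 822 folding),
 * anything else is rejected, and the header block is size-capped. */
static int parse_hardened(const char *body, header_state *out) {
    char line[256];
    size_t total = 0;
    state_reset(out);
    while (next_line(&body, line, sizeof line) && line[0] != '\0') {
        if ((total += strlen(line)) > MAX_HEADER_BYTES) return -2; /* header block too large */
        if (isspace((unsigned char)line[0])) {
            if (out->count == 0) return -3;                         /* continuation of nothing */
            append_to_last(out, line);
        } else {
            char *colon = strchr(line, ':');
            if (!colon) return -3;                                  /* malformed header line */
            add_header(out, colon);
        }
    }
    return 0;
}
/* Constructed attack input: one real header, then n lines with no ':' and no
 * leading whitespace, then the blank line that ends the part header. */
static char *build_attack_body(size_t n) {
    const char *head = "Content-Disposition: form-data; name=\"f\"\r\n";
    const char *filler = "AAAAAAAAAA\r\n";  /* 10 payload bytes per line */
    size_t hl = strlen(head), fl = strlen(filler);
    char *body = malloc(hl + n * fl + 3), *w = body;
    if (!body) return NULL;
    memcpy(w, head, hl); w += hl;
    for (size_t i = 0; i < n; i++) { memcpy(w, filler, fl); w += fl; }
    memcpy(w, "\r\n", 3);                    /* terminating blank line + NUL */
    return body;
}
int main(void) {
    header_state st = {0};
    for (size_t n = 100; n <= 10000; n *= 10) {  /* 10x the lines -> ~100x the bytes copied */
        char *body = build_attack_body(n);
        parse_vulnerable(body, &st);
        printf("%5zu junk lines: vulnerable copied %zu bytes, ", n, st.bytes_copied);
        printf("hardened returned %d\n", parse_hardened(body, &st));
        free(body);
    }
    state_reset(&st);
    return 0;
}
```

With 1,000 filler lines the vulnerable loop copies about 5 MB for a 12 KB request, and with 10,000 lines about 500 MB, which is the growth that lets a million-line header pin a CPU. The hardened parser stops at the first line that is neither a header nor an RFC 822 folded continuation, and the byte cap bounds the work even for well-formed folding; a production fix would also want to grow the value buffer geometrically instead of reallocating on every line.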
