Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow

2012-01-19T00:00:00
ID PACKETSTORM:108837
Type packetstorm
Reporter Stefan Esser
Modified 2012-01-19T00:00:00

Description

                                        
                                            `  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
SektionEins GmbH  
www.sektioneins.de  
  
-= Security Advisory =-  
  
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack  
Buffer Overflow  
Release Date: 2012/01/19  
Last Modified: 2012/01/19  
Author: Stefan Esser [stefan.esser[at]sektioneins.de]  
  
Application: Suhosin Extension <= 0.9.32.1  
Severity: A possible stack buffer overflow in Suhosin extension's  
transparent cookie encryption that can only be triggered  
in an uncommon and weakened Suhosin configuration can lead  
to arbitrary remote code execution, if the FORTIFY_SOURCE  
compile option was not used when Suhosin was compiled.  
Risk: Medium  
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this  
vulnerability  
Reference: http://www.suhosin.org/  
https://github.com/stefanesser/suhosin  
  
Overview:  
  
Quote from http://www.suhosin.org  
"Suhosin is an advanced protection system for PHP installations.  
It was designed to protect servers and users from known and  
unknown flaws in PHP applications and the PHP core. Suhosin comes  
in two independent parts, that can be used separately or in  
combination. The first part is a small patch against the PHP  
core, that implements a few low-level protections against  
buffer overflows or format string vulnerabilities and the second  
part is a powerful PHP extension that implements all the other  
protections.."  
  
During an internal audit of the Suhosin PHP extension, which is  
often confused with the Suhosin PHP Patch, although they are not  
the same, a possible stack based buffer overflow inside the  
transparent cookie encryption feature was discovered.  
  
If successfully exploited this vulnerability can lead to arbitrary  
remote code execution. However further investigation into the  
vulnerability revealed that it can only be triggered if the admin  
has not only activated transparent cookie encryption, but also  
explicitly disabled several other security features of Suhosin.  
In addition to that remote exploitation requires a PHP application  
that puts unfiltered user input into a call to the header()  
function that sends a Set-Cookie header.  
  
Furthermore most modern unix systems compile the Suhosin extension  
with the FORTIFY_SOURCE flag, which will detect the possible buffer  
overflow and abort execution before something bad can happen.  
  
Details:  
  
The transparent cookie encryption of Suhosin is disabled by default  
because it stops applications using JavaScript to access cookies,  
which would break these applications. In order to activate it an  
admin has to enable this feature in the configuration file:  
  
suhosin.cookie.encrypt = On  
  
Once activated all incoming cookies will be decrypted and all  
outgoing Set-Cookie HTTP headers will be rewritten to only contain  
encrypted data. When this happens the following code of Suhosin  
extension will be triggered.  
  
char *suhosin_encrypt_single_cookie(char *name, int name_len, char  
*value, int value_len, char *key TSRMLS_DC)  
{  
char buffer[4096];  
char buffer2[4096];  
char *buf = buffer, *buf2 = buffer2, *d, *d_url;  
int l;  
  
if (name_len > sizeof(buffer)-2) {  
buf = estrndup(name, name_len);  
} else {  
memcpy(buf, name, name_len);  
buf[name_len] = 0;  
}  
  
...  
  
if (strlen(value) <= sizeof(buffer2)-2) {  
memcpy(buf2, value, value_len);  
buf2[value_len] = 0;  
} else {  
buf2 = estrndup(value, value_len);  
}  
  
The problem with this code is that the second call to mempcy()  
uses strlen() to check if there is enough buffer space but  
uses the variable value_len to determine the amount of bytes  
to copy. The problem is that there could be a NUL byte inside  
the value of the cookie, which will result in a stack based  
buffer overflow. While the same code can also be found inside  
the suhosin_decrypt_single_cookie() function the problem cannot  
be exploited, because in that case there cannot be a NUL byte.  
  
To understand the limited impact of this vulnerability it is  
important to know that NUL bytes are not allowed inside HTTP  
headers in a default Suhosin installation. In order to be  
vulnerable it is therefore required that the admin explicitly  
weakened security by disabling the HTTP response splitting  
protection of Suhosin by using the following configuration:  
  
suhosin.multiheader=On  
  
The next thing to know is that PHP applications normally use  
the functions setcookie() and setrawcookie() to set cookies.  
Both functions are however not affected by the problem  
because both functions will eliminate a possible NUL byte  
when constructing the Set-Cookie header. Therefore the only  
way to trigger this vulnerability is to call the header() function  
directly with a "Set-Cookie" header and put unfiltered user  
input into the cookie value. This is very uncommon in normal  
PHP applications.  
  
In addition to that the default configuration of Suhosin will not  
allow NUL bytes in user input. Therefore in order to trigger the  
vulnerability remotely the user input must have been double  
decoded or the admin must have weakened the installation once  
again by disabling the protection against NUL bytes. This can be  
done by changing the configuration to.  
  
suhosin.request.disallow_nul=Off  
suhosin.get.disallow_nul=Off  
suhosin.post.disallow_nul=Off  
suhosin.cookie.disallow_nul=Off  
  
Finally even if the vulnerability is triggerable from remote it  
depends on the compilation of the Suhosin extension if the bug  
can be abused. Most modern unix systems will compile the Suhosin  
extension with the FORTIFY_SOURCE compile option, which will  
detect the buffer overflow before it actually happens and abort  
execution.  
  
If either suhosin.multiheader or suhosin.cookie.encrypt are set  
to "off" in your configuration than you are safe from remote  
attacks. In addition to that the default configuration of  
suhosin.perdir disallows to set these variables from .htaccess  
which also provides some protection against local attackers.  
  
Proof of Concept:  
  
Locally the problem can be reproduced by the following PHP code:  
  
<?php header("Set-Cookie: x=xxx".chr(0).str_repeat("A",10000));  
  
If this piece of code does not affect your PHP process at all then  
your current configuration is safe. Otherwise it depends if the  
Suhosin extension was compiles with the FORTIFY_SOURCE option.  
  
Disclosure Timeline:  
  
12. January 2012 - Vulnerability was found during an internal audit  
14. January 2012 - Vulnerability was fixed in the source code  
19. January 2012 - Public Disclosure  
  
Recommendation:  
  
It is recommended to upgrade to the latest version of Suhosin  
extension, which can be downloaded at:  
  
http://www.suhosin.org  
  
The latest development version of the Suhosin extension can always  
be found at:  
  
https://github.com/stefanesser/suhosin  
  
CVE Information:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has  
not assigned a name to this vulnerability.  
  
GPG-Key:  
  
pub 1024D/15ABDA78 2004-10-17 Stefan Esser  
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78  
  
Copyright 2012 SektionEins GmbH. All rights reserved.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)  
Comment: GPGTools - http://gpgtools.org  
  
iEYEARECAAYFAk8YQk8ACgkQSuF5XhWr2ng9ugCfbkASa9sBp6pV32LYZDKKUFbl  
0mgAn2sNVSZBEokgcc+0+Xh8oII09xQv  
=xP22  
-----END PGP SIGNATURE-----  
`