Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Advisory 13/2006: PHP HTML Entity Encoder Heap Overflow Vulnerability



> -----Original Message-----
> From: Stefan Esser [mailto:sesser@xxxxxxxxxxxxxxxx] 
> Sent: Friday, November 03, 2006 1:13 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Cc: red@xxxxxxxxx
> Subject: Advisory 13/2006: PHP HTML Entity Encoder Heap 
> Overflow Vulnerability
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
>                         Hardened-PHP Project
>                         www.hardened-php.net
> 
>                       -= Security  Advisory =-
> 
> 
>      Advisory: PHP HTML Entity Encoder Heap Overflow Vulnerability
>  Release Date: 2006/11/03
> Last Modified: 2006/11/03
>        Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]
> 
>   Application: PHP 5 <= 5.1.6, PHP 4 <= 4.4.4
>      Severity: Buffer overflows in htmlentities() and
>                htmlspecialchars() may result in arbitrary 
>                remote code execution
>          Risk: Critical
> Vendor Status: Vendor has released PHP 5.2.0 which fixes this issue
>    References: http://www.hardened-php.net/advisory_132006.138.html
> 
> 
> Overview:
> 
>    Quote from http://www.php.net
>    "PHP is a widely-used general-purpose scripting language that 
>     is especially suited for Web development and can be embedded 
>     into HTML."
>     
>    While we were searching for a hole in htmlspecialchars() and
>    htmlentities() to bypass the encoding of certain chars to exploit 
>    a possible eval() injection hole in another application we 
>    discovered that the implementation contains a possible 
>    buffer overflow that can be triggered when the UTF-8 charset 
>    is selected.
>    
>    Unfortunately the whole purpose of both functions is to prepare 
>    user input for HTML output. Therefore they are used in most PHP 
>    applications as protection against XSS and are always exposed
>    to user input.
>    
>    By triggering the overflow it is possible to overwrite heap
>    management structures with a limited charset. This can result in
>    remote code execution. Exploitability has been proven against,
>    for example, Linux with glibc 2.3 in a test environment. It 
>    depends on the heap layout, the OS heap implementation and the 
>    used Zend Memory Manager.
> 
> 
> Details:
> 
>    The HTML entity encoder of PHP will increase the size of its 
>    output buffer every time it reaches the end of the current buffer.
>    Unfortunately the check assumes that the maximum length of an
>    HTML entity is 8 chars, which is true for most entities. However
>    especially the Greek character set contains entities that are
>    longer than 8 chars. Because of this it is for example possible
>    to trigger the overflow by embedding Greek theta UTF-8 characters
>    into the input string.
>    
>    Because the longest HTML entity currently supported is 10 bytes
>    long this allows overflowing the buffer with the 2 bytes ';' and
>    '\0'. When exploiting heap overflows it can be enough to just
>    overwrite the appending memory structure with a single '\0' char
>    and control the content of the following memory block to execute 
>    arbitrary code.
>    
>    While the above Greek character exploit is only possible in the
>    htmlentities() function it is also possible to overwrite with up
>    to 7 chars by embedding broken UTF-8 characters into the string.
>    The characters may come from the limited charset 0x00, 0xc0-0xfd.
>    
>    On Linux glibc systems this is for example enough to trick realloc 
>    into believing that the next memory block is empty and long enough 
>    to store the additional 128 bytes. The position of the buffer is 
>    therefore not changed and following writes to the output buffer
>    will overwrite the Zend Memory Manager structure of the following
>    block. This allows the typical linked list unlink exploit against
>    the Zend Memory Manager.
> 
> 
> Proof of Concept:
> 
>    The Hardened-PHP Project is not going to release a proof of
>    concept exploit for this vulnerability.
> 
> 
> Disclosure Timeline:
> 
>    31. October 2006  - Notified security@xxxxxxx, patch in CVS
>    01. November 2006 - Notified vendor-sec
>    03. November 2006 - PHP developers released PHP 5.2.0
>    03. November 2006 - Public Disclosure
> 
> 
> Recommendation:
> 
>    For PHP 4 users it is strongly recommended to patch their version
>    of PHP with the following patch until php.net is providing PHP4
>    updates.
>
>    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.63.2.23.2.2&r2=1.63.2.23.2.3&view=patch
>  
>    As usual we very strongly recommend that you install Suhosin-Patch
>    and the Suhosin Extension, because once again this advisory proved
>    that remotely triggerable overflows in PHP still exist. It is 
>    therefore highly recommended by us to use Suhosin-Patch. Its 
>    canary protection will detect overflows and stop execution to
>    make exploitation very hard or impossible.
>    
>    FreeBSD and OpenBSD's PHP ports already come with Suhosin-Patch
>    activated by default.
>    
>    Grab your copy and more information at:
>    
>    http://www.hardened-php.net/suhosin/index.html
> 
> 
> CVE Information:
> 
>    The Common Vulnerabilities and Exposures project (cve.mitre.org)
>    has assigned the name CVE-2006-5465 to this vulnerability.
>                
> 
> GPG-Key:
> 
>    http://www.hardened-php.net/hardened-php-signature-key.asc
> 
>    pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
>    Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1
> 
> 
> Copyright 2006 Stefan Esser. All rights reserved.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
> 
> iD8DBQFFSnmgRDkUzAqGSqERAksrAJsHlMJD90XU9KtiFI6PpyLddaZ2wQCgpR++
> VRAQBzFoGx5SJemSTgxKTaI=
> =6OY5
> -----END PGP SIGNATURE-----
> 
> 
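The buffer-growth mistake the advisory describes, as an added example that is not the advisory's or PHP's code: a deliberately simplified entity encoder that starts its output buffer at max(128, 2 * input length), grows it by 128 bytes whenever fewer than 9 spare bytes remain (enough for any entity of up to 8 characters plus '&', ';' and the NUL), and therefore comes up two bytes short on "&thetasym;". The three-entry entity table, the input builder and the SLACK/overflow accounting are assumptions made for this demonstration; the extra physical slack exists only so the program can report how far the write overshot instead of corrupting its own heap. A second mode sizes the check on the entity actually being written, which is one way to harden the loop.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's code.  Entity names and UTF-8 sequences are real
 * HTML 4 entities; the growth policy follows the advisory's description;
 * everything else (table size, SLACK, overflow bookkeeping) is an assumption. */

struct entity { const char *utf8; const char *name; };

static const struct entity table[] = {
    { "<",        "lt"       },   /* "&lt;" is 4 bytes */
    { "\xce\xb8", "theta"    },   /* U+03B8: "&theta;" is 7 bytes */
    { "\xcf\x91", "thetasym" },   /* U+03D1: "&thetasym;" is 10 bytes, the longest name */
};
#define NTABLE (sizeof table / sizeof table[0])

#define CHUNK 128   /* growth step the encoder uses */
#define SLACK 64    /* extra physical bytes so the demo records the overshoot instead of corrupting the heap */

typedef struct {
    char  *buf;      /* physically maxlen + SLACK bytes */
    size_t maxlen;   /* size the encoder believes it owns */
    size_t len;      /* bytes written, excluding the NUL */
    size_t overflow; /* worst number of bytes written beyond maxlen (NUL included) */
} outbuf;

static void grow(outbuf *o)
{
    o->maxlen += CHUNK;
    o->buf = realloc(o->buf, o->maxlen + SLACK);
    if (!o->buf) abort();
}

/* Append n bytes plus a terminating NUL and account for any overshoot past maxlen. */
static void append(outbuf *o, const char *s, size_t n)
{
    memcpy(o->buf + o->len, s, n);
    o->len += n;
    o->buf[o->len] = '\0';
    if (o->len + 1 > o->maxlen && o->len + 1 - o->maxlen > o->overflow)
        o->overflow = o->len + 1 - o->maxlen;
}

/* Encode `in` into *out.  Returns how many bytes were written past the
 * buffer the encoder thought it had (0 = safe).  sized_check == 0 models
 * the fixed "9 spare bytes" check; sized_check == 1 sizes the check on the
 * entity actually being written. */
size_t encode_entities(const char *in, int sized_check, char **out)
{
    size_t oldlen = strlen(in), i = 0;
    outbuf o = { NULL, oldlen * 2 < 128 ? 128 : oldlen * 2, 0, 0 };
    o.buf = malloc(o.maxlen + SLACK);
    if (!o.buf) abort();
    o.buf[0] = '\0';

    while (i < oldlen) {
        const struct entity *hit = NULL;
        for (size_t k = 0; k < NTABLE; k++)
            if (strncmp(in + i, table[k].utf8, strlen(table[k].utf8)) == 0) { hit = &table[k]; break; }

        if (hit) {
            char ent[32];
            size_t n = (size_t)snprintf(ent, sizeof ent, "&%s;", hit->name);
            if (sized_check) {
                while (o.len + n + 1 > o.maxlen) grow(&o);   /* room for the entity and its NUL */
            } else if (o.len + 9 > o.maxlen) {
                grow(&o);   /* assumes no entity exceeds 8 chars: "&thetasym;" is 10 */
            }
            append(&o, ent, n);
            i += strlen(hit->utf8);
        } else {
            if (o.len + 9 > o.maxlen) grow(&o);
            append(&o, in + i, 1);
            i++;
        }
    }
    *out = o.buf;
    return o.overflow;
}

/* Constructed input: n copies of U+03B8 followed by one U+03D1. */
char *make_greek_input(size_t n_theta)
{
    char *s = malloc(2 * n_theta + 3);
    if (!s) abort();
    for (size_t i = 0; i < n_theta; i++) memcpy(s + 2 * i, "\xce\xb8", 2);
    memcpy(s + 2 * n_theta, "\xcf\x91\0", 3);
    return s;
}

int main(void)
{
    char *in = make_greek_input(41), *out;
    size_t over = encode_entities(in, 0, &out);
    printf("legacy check: %zu byte(s) past the buffer (%zu-byte result)\n", over, strlen(out));
    free(out);
    over = encode_entities(in, 1, &out);
    printf("sized check:  %zu byte(s) past the buffer\n", over);
    free(out);
    free(in);
    return 0;
}
```

With 41 thetas followed by one thetasym, the 84-byte input gives an initial buffer of 168 bytes; the 7-byte "&theta;" entities force one growth to 296 bytes, and when the thetasym arrives 287 bytes are in use. 287 + 9 does not exceed 296, so the legacy check does not grow, and the 10-byte entity plus NUL ends at byte 298: exactly the ';' and '\0' the advisory says land past the block. The sized check grows the buffer first and reports no overshoot.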
Copyright © Lexa Software, 1996-2009.