From: gabe at mudbugmedia dot com
Operating system: Gentoo Linux 2.6.17-hardened-r1
PHP version: 5.2.4
PHP Bug Type: MSSQL related
Bug description: mssql_connect causes stack smashing attack protection
Description:
------------
When executing a PHP script over the Apache 2.2 SAPI (not CGI), mssql_connect() causes Apache to exit with the following in the syslog:

apache2: stack smashing attack in function tds_write_packet - terminated

This occurs only after successfully connecting to a valid MSSQL server, but before the authentication information is verified; supplying an invalid username/password will still cause the error to trigger. However, entering a non-listening IP to connect to will return false and continue execution.

Gentoo developers identified this bug as PHP's rather than Apache's, as Apache is not responsible for calling the tds_write_packet() function. The bug was originally submitted here, but was reclassified as UPSTREAM: http://bugs.gentoo.org/show_bug.cgi?id=191988

An strace of the process was captured (the capture started after the initial connect; `netstat -p` after connection was the only way I could determine which Apache process to strace).

Reproduce code:
---------------
START!
<?php
ob_flush();
flush();
var_dump(mssql_connect('70.252.177.xxx', 'username', 'password'));
?>
DONE!

Expected result:
----------------
START!
resource(4) of type (mssql link)
DONE!

Actual result:
--------------
START!
(then Apache exits and the error is logged to syslog)

-- 
Edit bug report at http://bugs.php.net/?id=42631&edit=1
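As an added example that is not part of the bug report, a small syslog parser a defender could run to pick out stack-protector aborts like the one quoted above and see which binary and function keep tripping the canary; the sample lines are constructed from the message text the report quotes, and the host name, timestamps and pids are assumed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines. The two apache2 messages reuse the text the
# bug report quotes; host name "garlic", timestamps and the pid are assumed.
SAMPLE_SYSLOG = [
    "Sep 11 19:09:27 garlic apache2: *** stack smashing detected ***: /usr/sbin/apache2 terminated",
    "Sep 11 19:09:27 garlic apache2: stack smashing attack in function tds_write_packet - terminated",
    "Sep 11 19:09:31 garlic sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2",
    "Sep 11 19:10:02 garlic apache2[11401]: stack smashing attack in function tds_write_packet - terminated",
]

# Common syslog prefix: timestamp, host, program with an optional [pid].
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
# Gentoo-hardened SSP form that names the function whose canary failed.
SSP_FUNCTION_RE = re.compile(_PREFIX + r"stack smashing attack in function (?P<func>\S+) - terminated$")
# Generic glibc __stack_chk_fail form that names the terminated binary.
SSP_DETECTED_RE = re.compile(_PREFIX + r"\*\*\* stack smashing detected \*\*\*: (?P<path>\S+) terminated$")


def parse_ssp_event(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the parsed fields of a stack-protector abort line, or None."""
    m = SSP_FUNCTION_RE.match(line)
    if m:
        return {**m.groupdict(), "kind": "function"}
    m = SSP_DETECTED_RE.match(line)
    if m:
        return {**m.groupdict(), "kind": "detected"}
    return None


def ssp_events(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """All stack-protector aborts in a batch of syslog lines, in order."""
    return [e for e in (parse_ssp_event(l) for l in lines) if e is not None]


def count_by_function(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Aggregate (program, function) pairs so a repeating abort stands out."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in ssp_events(lines):
        if e["kind"] == "function":
            key = (e["prog"], e["func"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (prog, func), n in count_by_function(SAMPLE_SYSLOG).items():
        print(f"{prog}: {n} stack-protector abort(s) in {func}")
```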