#47828 [Fbk->Opn]: Seg Fault in openssl_x509_parse

reinke at securityspace dot com Sun, 29 Mar 2009 14:49:06 -0700

 ID:               47828
 User updated by:  reinke at securityspace dot com
 Reported By:      reinke at securityspace dot com
-Status:           Feedback
+Status:           Open
 Bug Type:         OpenSSL related
 Operating System: Linux (Debian Lenny)
 PHP Version:      5.2.9
 Assigned To:      pajoye
 New Comment:


Further testing has confirmed this is reproducible
on a variety of Linux distributions.  Some of these
have been tested with virgin (installed from ISOs,
but no updates applied) configurations, some with
fully up to date (all updates applied).

Confirmed as reproducible:

Distro          PHP version
-------------------------------------------------------------
Debian 5.0      5.2.6-1+lenny2
Ubuntu 8.10     PHP 5.2.6-2ubuntu4.1 with Suhosin-Patch 0.9.6.2
Fedora Core 10  PHP 5.2.6
Slackware 12.1  PHP 5.2.5
Gentoo          PHP 5.2.6-r7 (old version),  5.2.8-r2 (up to date)

Debian 5.0 systems are fully up to date.
Ubuntu 8.10 tested 2 setups, both seg faulted.
    - Setup 1: Latest PHP, ISO version of OpenSSL
    - Setup 2: Fully updated system
Fedora Core 10 - tested both on virgin setup as well as
    fully up to date systems. Both setups segfaulted.
Slackware - only virgin setup tested.
Gentoo - 5.2.6-r7 - known out of date.  5.2.8-r2 involved a sync
    and rebuild of openssl and php along with a few other packages.
    Both seg faulted.

On vulnerable systems, running

   "openssl x509 -inform PEM -in badcert.pem -text"

where the signed pub key provided earlier is in "badcert.pem"
(with \n markers appropriately changed to newline)
spits out all information in the cert without any 
apparent problems.

The Unbutu 8.10 gdb backtrace is typical of
of the systems we tested (we stopped checking
backtraces after Deb, Ubuntu, FC10 all produced
the same thing)

# gdb php
<snip>
(gdb) r core2.php
<snip>
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb78088e0 (LWP 4011)]
0xb79dbb56 in memcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb79dbb56 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0xffffffff in ?? ()
#2  0x082dea85 in add_next_index_stringl ()
#3  0x0809df90 in ?? ()
#4  0x0809e23a in zif_openssl_x509_parse ()
#5  0x08313f23 in ?? ()
#6  0x082ff3bb in execute ()
<snip>

If you really think our SSL packages were out of
date, we can provide that info. But we're pretty sure
that in situations where we said we're fully up to date,
that we were.

We're aware we could install PHP from sources directly
from php.net, but for maintenance reasons _really_ want
to use the distro's packages.  ALL of the above testing
was using the distro's prepackaged software.

We could NOT reproduce this on:
   CentOS 5.1 (php 5.1.6-20.el5_2.1)
   RedHat 5.2 (php 5.1.6-20.el5)


Previous Comments:
------------------------------------------------------------------------

[2009-03-29 17:20:16] [email protected]

Can't reproduce on Ubuntu 8.10, windows or latest debian (using PHP
sources).

I would suggest to first see if you have the latest openssl (openssl
debian's package contains the latest fixes) install.

------------------------------------------------------------------------

[2009-03-29 16:09:50] [email protected]

Please try using our official releases, not the patched PHP from
Debian. 

I will also test your csr later this week.

------------------------------------------------------------------------

[2009-03-29 16:02:30] reinke at securityspace dot com

Description:
------------
A user calling openssl_x509_parse is able to induce a segfault
by passing in specific data. In this case, the data is a certificate
found on a public SSL site.

Command line version of PHP is used in latest Debian (Lenny),
php -v reports: (Contrary to your form - I'm guessing Lenny is
up to 5.2.9 with the patch line as shown below)

PHP 5.2.6-1+lenny2 with Suhosin-Patch 0.9.6.2 (cli) (built: Jan 26 2009
22:41:04)

PHP script that reproduces the problem is included below.

This certificate is one of more than half a million.  Only this 
certificate caused the coredump.  Older (_much_ older - PHP 4.4.1)
version of PHP did not exhibit this problem.

In all fairness, it's not clear to me at this point that the problem
is in PHP - it's looking highly possible to be in the underlying
libraries.

Reproduce code:
---------------
<?
        $certnl = "-----BEGIN
CERTIFICATE-----\nMIIEKzCCAxOgAwIBAgICAtUwDQYJKoZIhvcNAQEFBQAwgewxFjAUBgNVBC0DDQBT\nUFI5NjEyMTdOSzkxETAPBgNVBAcTCENveW9hY+FuMQswCQYDVQQIEwJERjELMAkG\nA1UEBhMCTVgxDjAMBgNVBBETBTA0MDAwMR8wHQYDVQQJExZQYW56YWNvbGEgIzYy\nIDFlciBwaXNvMSgwJgYDVQQDEx9BdXRvcmlkYWQgY2VydGlmaWNhZG9yYSBJbnRl\ncm5hMRMwEQYDVQQLEwpUZWNub2xvZ+1hMRMwEQYDVQQKEwpTZWd1cmlEYXRhMSAw\nHgYJKoZIhvcNAQkBFhFhY0BzZWd1cmlkYXRhLmNvbTAeFw0wNzAyMTIwMDAwMDBa\nFw0xMjAyMjkwMDAwMDBaMIIBDDEWMBQGA1UELQMNAFNQUjk2MTIxN05LOTEXMBUG\nA1UEBxMOQWx2YXJvIE9icmVnb24xDTALBgNVBAgTBEQuRi4xCzAJBgNVBAYTAk1Y\nMQ4wDAYDVQQREwUwMTAwMDEoMCYGA1UECRMfSW5zdXJnZW50ZXMgU3VyIDIzNzUs\nIDNlci4gUGlzbzEbMBkGA1UEAxMSd3d3LnNlZ3VyaWRhdGEuY29tMREwDwYDVQQL\nEwhJbnRlcm5ldDEpMCcGA1UEChMgU2VndXJpRGF0YSBQcml2YWRhLCBTLkEuIGRl\nIEMuVi4xKDAmBgkqhkiG9w0BCQEWGXBvc3RtYXN0ZXJAc2VndXJpZGF0YS5jb20w\ngZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANG/rb52Ou//dnkHysR5m7T4r8QM\nKOM/CP0OEXTOC+a+47RsZjqNiZsBkSeR92OFPpkw5bJ85IAD/Tgx7Tli3ryJfrdk\nWMfkXpzWW0YmeTrghL0DMNd8nYc9voVv+OGnIZ0W4Mhz31e!
 
iThmyy7Fs8ZlFyfkR\nREj5OQvq+z+NP/n/AgMBAAGjODA2MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1Ud\nDwQFAwMH6AAwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQCq\nnBqQEb7H6Gxi4KXBn1lrPd5KWO40iSD7BREU8e0eI1ZLZvi4IEAlmyG81Le037jo\nirMUDS2Ue5WI61QnGw4LhnYlCIuffU7fTs+UbrOE4qNU67G+XBfjk0gHkXHmEYbb\nEOR9OHeDcYFgcl3j4SLg/ff6oRYbMkQRCrgQzrl/MNkuqDWJrcigS9OD6OTgRyEo\n7Zvf7/ofWIzTIvINbfjQzSTr8AbI4SbuU9iKgVGDQQF6cfpBmOYgnr3QPuoTQCoU\npz9H9wBlz/Nmw12YtfCmGqpIFAxpRGFQTGPNJWr4FdZkUM792lm7Sf3zzSvi8Ruz\nM3dwifRsZyZyruy4tMsu\n-----END
CERTIFICATE-----\n";
        $cert = str_replace("\\n", "\n", $certnl);
        $arr = openssl_x509_parse($cert);
?>


Expected result:
----------------
Not see a segmentation fault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb77946d0 (LWP 10516)]
0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
#1  0x082b7571 in _estrndup ()
#2  0x082d8245 in add_next_index_stringl ()
#3  0x0809d6d0 in ?? ()
#4  0x08fea7c0 in ?? ()
#5  0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#6  0xb77bab48 in ?? ()
#7  0x00000001 in ?? ()
#8  0x00000001 in ?? ()
#9  0xbfc385c4 in ?? ()
#10 0x08fea7c0 in ?? ()
#11 0x083587c3 in ?? ()
#12 0x08fe93b4 in ?? ()
#13 0x00000001 in ?? ()
#14 0xb78da3e8 in ?? () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#15 0x0901e9a8 in ?? ()
#16 0x0901ee20 in ?? ()
#17 0xffffffff in ?? ()
#18 0x00000001 in ?? ()
#19 0xbfc38758 in ?? ()
#20 0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#21 0x0809d947 in zif_openssl_x509_parse ()
Backtrace stopped: frame did not save the PC



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=47828&edit=1

#47828 [Fbk->Opn]: Seg Fault in openssl_x509_parse

Reply via email to