ID: 42631
User updated by: gabe at mudbugmedia dot com
Reported By: gabe at mudbugmedia dot com
-Status: Feedback
+Status: Open
Bug Type: MSSQL related
Operating System: Gentoo Linux 2.6.17-hardened-r1
PHP Version: 5.2.4
New Comment:

Same behavior occurs on the supplied dev link downloaded on 2007-09-12.

Configure settings for compile:

'./configure' '--prefix=/usr/lib/php5' '--host=i686-pc-linux-gnu' '--mandir=/usr/lib/php5/man' '--infodir=/usr/lib/php5/info' '--sysconfdir=/etc' '--cache-file=./config.cache' '--disable-cli' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc/php/apache2-php5' '--with-config-file-scan-dir=/etc/php/apache2-php5/ext-active' '--without-pear' '--disable-bcmath' '--with-bz2' '--disable-calendar' '--with-curl' '--without-curlwrappers' '--disable-dbase' '--disable-exif' '--without-fbsql' '--without-fdftk' '--disable-filter' '--disable-ftp' '--with-gettext' '--without-gmp' '--disable-hash' '--without-iconv' '--disable-ipv6' '--disable-json' '--without-kerberos' '--enable-mbstring' '--with-mcrypt' '--without-mhash' '--without-msql' '--with-mssql' '--without-ncurses' '--with-openssl' '--with-openssl-dir=/usr' '--disable-pcntl' '--disable-pdo' '--without-pgsql' '--without-pspell' '--without-recode' '--disable-reflection' '--disable-simplexml' '--disable-shmop' '--without-snmp' '--disable-soap' '--disable-sockets' '--disable-spl' '--without-sybase' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--disable-tokenizer' '--disable-wddx' '--disable-xmlreader' '--disable-xmlwriter' '--without-xmlrpc' '--without-xsl' '--disable-zip' '--with-zlib' '--disable-debug' '--without-cdb' '--without-db4' '--without-flatfile' '--without-gdbm' '--without-inifile' '--without-qdbm' '--without-freetype-dir' '--without-t1lib' '--disable-gd-jis-conv' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--without-xpm-dir' '--with-gd' '--with-mysql=/usr' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mysqli' '--with-readline' '--without-libedit' '--without-mm' '--without-sqlite' '--with-pic'

Previous Comments:
------------------------------------------------------------------------

[2007-09-12 11:40:06] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz

For Windows (zip):

  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

------------------------------------------------------------------------

[2007-09-11 20:31:51] gabe at mudbugmedia dot com

Description:
------------
When executing a PHP script over Apache 2.2 SAPI (not CGI), mssql_connect() causes Apache to exit with the following in the syslog:

apache2: stack smashing attack in function tds_write_packet - terminated

This occurs only after successfully connecting to a valid MSSQL server, but before authentication information is verified; supplying an invalid username/password will still cause the error to trigger. However, entering a non-listening IP to connect to will return false and continue execution.

Gentoo developers identified this bug as PHP instead of Apache, as Apache is not responsible for the calling of the tds_write_packet() function.

Bug originally submitted here, but was reclassified as being UPSTREAM:
http://bugs.gentoo.org/show_bug.cgi?id=191988

An strace of the process (capture started after the initial connect; `netstat -p` after connection was the only way I could determine which apache process to strace):

Process 11348 attached - interrupt to quit
poll([{fd=1027, events=POLLIN, revents=POLLIN}], 1, 300000) = 1
read(1027, "Host: kokiri.org\r\n", 8000) = 18
poll([{fd=1027, events=POLLIN, revents=POLLIN}], 1, 300000) = 1
read(1027, "\r\n", 8000) = 2
gettimeofday({1189537767, 899761}, NULL) = 0
gettimeofday({1189537767, 899905}, NULL) = 0
stat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
open("/www/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/www/kokiri.org/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/www/kokiri.org/htdocs/.htaccess", O_RDONLY|O_LARGEFILE) = 1028
fstat64(1028, {st_mode=S_IFREG|0664, st_size=79, ...}) = 0
read(1028, "RewriteEngine on\n\nRewriteRule ro"..., 4096) = 79
read(1028, "", 4096) = 0
close(1028) = 0
open("/www/kokiri.org/htdocs/findwork.php/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOTDIR (Not a directory)
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
getcwd("/", 4095) = 2
chdir("/www/kokiri.org/htdocs") = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={30, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
stat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
open("/www/kokiri.org/htdocs/findwork.php", O_RDONLY) = 1028
fstat64(1028, {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
read(1028, "START!\r\n<?php \r\nob_flush();\r\nflu"..., 8192) = 175
read(1028, "", 8192) = 0
read(1028, "", 8192) = 0
close(1028) = 0
writev(1027, [{"HTTP/1.1 200 OK\r\nDate: Tue, 11 S"..., 125}, {"8\r\n", 3}, {"START!\r\n", 8}, {"\r\n", 2}], 4) = 138
brk(0x9fa8000) = 0x9fa8000
uname({sys="Linux", node="garlic", ...}) = 0
getuid32() = 81
open("/etc/passwd", O_RDONLY) = 1028
fcntl64(1028, F_GETFD) = 0
fcntl64(1028, F_SETFD, FD_CLOEXEC) = 0
_llseek(1028, 0, [0], SEEK_CUR) = 0
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3040, ...}) = 0
mmap2(NULL, 3040, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc52000
_llseek(1028, 3040, [3040], SEEK_SET) = 0
munmap(0x4fc52000, 3040) = 0
close(1028) = 0
open("/var/www/.freetds.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/freetds.conf", O_RDONLY|O_LARGEFILE) = 1028
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3572, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4fc52000
read(1028, "#\n#\n# $Id: freetds.conf,v 1.11"..., 4096) = 3572
read(1028, "", 4096) = 0
_llseek(1028, 0, [0], SEEK_SET) = 0
read(1028, "#\n#\n# $Id: freetds.conf,v 1.11"..., 4096) = 3572
read(1028, "", 4096) = 0
close(1028) = 0
munmap(0x4fc52000, 4096) = 0
getuid32() = 81
open("/etc/passwd", O_RDONLY) = 1028
fcntl64(1028, F_GETFD) = 0
fcntl64(1028, F_SETFD, FD_CLOEXEC) = 0
_llseek(1028, 0, [0], SEEK_CUR) = 0
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3040, ...}) = 0
mmap2(NULL, 3040, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc52000
_llseek(1028, 3040, [3040], SEEK_SET) = 0
munmap(0x4fc52000, 3040) = 0
close(1028) = 0
open("/var/www/.interfaces", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/freetds/interfaces", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 1028
fstat64(1028, {st_mode=S_IFREG|0644, st_size=25460, ...}) = 0
mmap2(NULL, 25460, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc4c000
close(1028) = 0
futex(0x50be4a4c, FUTEX_WAKE, 2147483647) = 0
open("/usr/lib/gconv/ISO8859-1.so", O_RDONLY) = 1028
read(1028, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\4\0"..., 512) = 512
fstat64(1028, {st_mode=S_IFREG|0755, st_size=9704, ...}) = 0
mmap2(NULL, 12300, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 1028, 0) = 0x4fc48000
mmap2(0x4fc4a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 1028, 0x1) = 0x4fc4a000
close(1028) = 0
mprotect(0x4fc4a000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 1028
setsockopt(1028, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(1028, SOL_TCP, TCP_NODELAY, [1], 4) = 0
time(NULL) = 1189537767
ioctl(1028, FIONBIO, [1]) = 0
connect(1028, {sa_family=AF_INET, sin_port=htons(1433), sin_addr=inet_addr("70.252.177.xxx")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(1029, NULL, [1024 1025 1026 1028], [1024 1025 1026 1028], {5, 0}) = 2 (left {5, 0})
time(NULL) = 1189537767
getsockopt(1028, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
time(NULL) = 1189537767
select(1029, NULL, [1028], NULL, {5, 0}) = 1 (out [1028], left {4, 820000})
time(NULL) = 1189537768
send(1028, "\2\0\2\0\0\0\0\0garlic\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 512, MSG_NOSIGNAL|MSG_MORE) = 512
socket(PF_FILE, SOCK_DGRAM, 0) = 1029
connect(1029, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(1029) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 1029
connect(1029, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
write(2, "*** stack smashing detected ***:"..., 54) = 54
write(1029, "*** stack smashing detected ***:"..., 54) = 54
write(2, "apache2: stack smashing attack i"..., 73) = 73
write(1029, "apache2: stack smashing attack i"..., 73) = 73
write(2, "Report to http://bugs.gentoo.org"..., 35) = 35
write(1029, "Report to http://bugs.gentoo.org"..., 35) = 35
close(1029) = 0
getpid() = 11348
kill(11348, SIGKILL) = 0
+++ killed by SIGKILL +++
Process 11348 detached

Reproduce code:
---------------
START!
<?php
ob_flush();
flush();
var_dump(mssql_connect('70.252.177.xxx', 'username', 'password'));
?>
DONE!

Expected result:
----------------
START!
resource(4) of type (mssql link)
DONE!

Actual result:
--------------
START!
(then Apache exits and the error is logged to syslog)

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=42631&edit=1
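The 512-byte send() in the trace above is a TDS login packet: its first eight bytes ("\2\0\2\0\0\0\0\0") are the TDS packet header, and the bytes that follow carry the client hostname ("garlic"). The added example below is not FreeTDS or PHP code; it decodes that header and applies the length bound a packet writer must enforce before copying into a fixed-size buffer, which is the kind of check whose absence the stack protector reports in tds_write_packet. It assumes the standard TDS header layout (type, status, big-endian length, channel, packet number, window) and a 512-byte block size, the size of the observed send().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TDS_HDR_LEN   8
#define TDS_LOGIN_PKT 0x02 /* type 2: pre-7.0 (TDS 4.2/5.0) login packet */
#define TDS_MAX_PKT   512  /* assumed block size; matches the 512-byte send() */

/* 8-byte TDS packet header: type(1) status(1) length(2, big-endian)
 * channel(2, big-endian) packet-number(1) window(1). */

/* Packet type byte, or -1 if the buffer is too short for a header. */
int tds_packet_type(const uint8_t *buf, size_t len)
{
    return (buf && len >= TDS_HDR_LEN) ? buf[0] : -1;
}

/* Length the sender claims for the whole packet (header included),
 * or -1 if the buffer is too short for a header. */
int tds_declared_length(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < TDS_HDR_LEN) return -1;
    return (buf[2] << 8) | buf[3];
}

/* The bound a packet writer must enforce before copying into a
 * fixed-size buffer: the declared length covers the header, does not
 * exceed the block size, and equals the bytes actually present.
 * Returns 1 when consistent, 0 otherwise. */
int tds_packet_consistent(const uint8_t *buf, size_t len)
{
    int declared = tds_declared_length(buf, len);
    if (declared < TDS_HDR_LEN || declared > TDS_MAX_PKT) return 0;
    return (size_t)declared == len;
}

/* Constructed sample: the header bytes and "garlic" hostname field from
 * the strace send() above, zero-padded to the declared 512 bytes. */
const uint8_t *sample_login_packet(void)
{
    static uint8_t pkt[TDS_MAX_PKT];
    static const uint8_t hdr[TDS_HDR_LEN] = {2, 0, 2, 0, 0, 0, 0, 0};
    memset(pkt, 0, sizeof pkt);
    memcpy(pkt, hdr, TDS_HDR_LEN);
    memcpy(pkt + TDS_HDR_LEN, "garlic", 6);
    return pkt;
}
```

A writer that rejects packets failing tds_packet_consistent() returns an error to the caller instead of overrunning its buffer, which is the behaviour a build with -fstack-protector turns into the "stack smashing detected" abort seen here.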