PHP-5.3.9 Remote Arbitrary Code Execution Vulnerability (CVE-2012-0830) Detailed Explanation_PHP Tutorial

Remember the PHP Hash Collisions Ddos vulnerability I mentioned before? At first, the repair plan given by the development team was to report an error (E_ERROR) if it exceeds max_input_vars, which in turn caused PHP to end with an error. Later, In order to solve this problem more lightweight, we improved it and changed it to issue a warning (E_WARNING) if max_input_vars is exceeded, and no longer add to the destination array, but the process continues. Then we released 5.3.9.

This new fix has good intentions, but it brings about a serious problem (fixed in 5.3.10), which was originally discovered by Stefan Esser. Please see the previous (5.3.9) final Fix (php_register_variable_ex):

The code is as follows

Copy code

代码如下

复制代码

while (1) {      if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE           || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { //(3)           if (zend_hash_num_elements(symtable1)                if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {                     php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. ...", PG(max_input_vars)); // (1)                }                MAKE_STD_ZVAL(gpc_element);                array_init(gpc_element);                zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);           }           //......      }      //.....      symtable1 = Z_ARRVAL_PP(gpc_element_p); // (2)      goto plain; }

while (1) { if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { //(3) If (zend_hash_num_elements(symtable1) if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. ...", PG(max_input_vars)); // (1)           } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); }            //...... } //..... symtable1 = Z_ARRVAL_PP(gpc_element_p); // (2) goto plain; }

Note that if you register an array variable at this time (similar to: a[]=2 in GET), and this variable happens to be the max_input_vars-th variable, a warning (1) will be triggered, and everything is normal at this time. .

However, if you still register an array variable at this time, but this variable is already the max_input_vars + 1th variable, then gpc_element_p will become an uninitialized pointer at this time, and because the logic will continue now, that is will go to position (2), causing an uninitialized pointer to be dereferenced. So, Boomb~

So, at this point, we can use this feature to do Ddos on 5.3.9. If the Server has Core Dump enabled, the effect will be very obvious.

However, this problem can also lead to a more serious problem:

Still the above code, there is a loop in the outermost layer. When this loop takes effect, when registering a pair similar to a[b]=2, the loop will be executed twice. The first time a will be inserted. [], insert b into a[] for the second time. Then let us pay attention to (3). If the desired element cannot be found in the destination array, **or the element is not an array**, then It will also directly cause the process to be left to (2), so problems arise.

For a POST string like this (default max_input_vars is 1000):

1=1&1=2&..........&999=1&x="I am a malicious string"&x[0]=

What will happen?

Let me describe it step by step:

1. There is no problem from 1 to 999, they are all inserted normally

2. x is 1000 elements, so a warning is triggered and there is no problem, x is inserted

3. When x[0] is inserted, statement (3) determines that it is not Arrary and enters the if body. However, statement (4) fails at this time, so the process finally flows to (2)

4. At this time, gpc_element_p points to x, which is the string we forged...

Now let’s look at the key data structure, zval:

The code is as follows

Copy code

代码如下	复制代码
struct _zval_struct {     /* Variable information */     zvalue_value value; /* value */     zend_uint refcount__gc;     zend_uchar type; /* active type */     zend_uchar is_ref__gc; };

struct _zval_struct {

/* Variable information */

代码如下	复制代码
typedef union _zvalue_value {     long lval; /* long value */     double dval; /* double value */     struct {         char *val;         int len;     } str;     HashTable *ht; /* hash table value */     zend_object_value obj; } zvalue_value;

zvalue_value value; /* value */ zend_uint refcount__gc; zend_uchar type; /* active type */ zend_uchar is_ref__gc; };

Then look at zvalue_value:

The code is as follows	Copy code
typedef union _zvalue_value { long lval; /* long value */ double dval; /* double value */ struct { char *val; int len; } str; HashTable *ht; /* hash table value */ zend_object_value obj; } zvalue_value;

zvalue_value is a union, so the memory of the string area we construct will be treated as a Hashtable structure:

uint nTableMask;

The code is as follows

代码如下

复制代码

typedef struct _hashtable {     uint nTableSize;     uint nTableMask;     uint nNumOfElements;     ulong nNextFreeElement;     Bucket *pInternalPointer; /* Used for element traversal */     Bucket *pListHead;     Bucket *pListTail;     Bucket **arBuckets;     dtor_func_t pDestructor; //注意这个     zend_bool persistent;     unsigned char nApplyCount;     zend_bool bApplyProtection; #if ZEND_DEBUG     int inconsistent; #endif } HashTable;

Copy code

typedef struct _hashtable {

uint nTableSize;

uint nNumOfElements;

ulong nNextFreeElement; Bucket *pInternalPointer; /* Used for element traversal */ Bucket *pListHead; Bucket *pListTail; Bucket **arBuckets; dtor_func_t pDestructor; //Pay attention to this zend_bool persistent;

unsigned char nApplyCount;

zend_bool bApplyProtection;

#if ZEND_DEBUG int inconsistent; #endif } HashTable;

In the Hashtable structure, there is a pDestructor. This pointer points to a function. When there are elements in the Hashtable that need to be cleared, it will be called... In other words, you can set an address (pDestructor) as you like, and then let PHP call it (inducing an element to be deleted). http://www.bkjia.com/PHPjc/629666.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629666.htmlTechArticleDo you still remember the PHP Hash Collisions Ddos vulnerability I mentioned before? At the beginning, the repair plan provided by the development team , what is used is that if max_input_vars is exceeded, an error (E_ERROR) will be reported, which will lead to P...