search
HomeBackend DevelopmentPHP TutorialPHP-5.3.9 Remote Arbitrary Code Execution Vulnerability (CVE-2012-0830) Detailed Explanation_PHP Tutorial

Remember the PHP Hash Collisions Ddos vulnerability I mentioned before? At first, the repair plan given by the development team was to report an error (E_ERROR) if it exceeds max_input_vars, which in turn caused PHP to end with an error. Later, In order to solve this problem more lightweight, we improved it and changed it to issue a warning (E_WARNING) if max_input_vars is exceeded, and no longer add to the destination array, but the process continues. Then we released 5.3.9.

This new fix has good intentions, but it brings about a serious problem (fixed in 5.3.10), which was originally discovered by Stefan Esser. Please see the previous (5.3.9) final Fix (php_register_variable_ex):

The code is as follows Copy code
 代码如下 复制代码

while (1) {

     if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE

          || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { //(3)

          if (zend_hash_num_elements(symtable1)

               if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {

                    php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. ...", PG(max_input_vars)); // (1)

               }

               MAKE_STD_ZVAL(gpc_element);

               array_init(gpc_element);

               zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);

          }

          //......

     }

     //.....

     symtable1 = Z_ARRVAL_PP(gpc_element_p); // (2)

     goto plain;

}

while (1) { if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { //(3) If (zend_hash_num_elements(symtable1) if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. ...", PG(max_input_vars)); // (1)           } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); }            //...... } //..... symtable1 = Z_ARRVAL_PP(gpc_element_p); // (2) goto plain; }


Note that if you register an array variable at this time (similar to: a[]=2 in GET), and this variable happens to be the max_input_vars-th variable, a warning (1) will be triggered, and everything is normal at this time. .

However, if you still register an array variable at this time, but this variable is already the max_input_vars + 1th variable, then gpc_element_p will become an uninitialized pointer at this time, and because the logic will continue now, that is will go to position (2), causing an uninitialized pointer to be dereferenced. So, Boomb~

So, at this point, we can use this feature to do Ddos on 5.3.9. If the Server has Core Dump enabled, the effect will be very obvious.

However, this problem can also lead to a more serious problem:

Still the above code, there is a loop in the outermost layer. When this loop takes effect, when registering a pair similar to a[b]=2, the loop will be executed twice. The first time a will be inserted. [], insert b into a[] for the second time. Then let us pay attention to (3). If the desired element cannot be found in the destination array, **or the element is not an array**, then It will also directly cause the process to be left to (2), so problems arise.

For a POST string like this (default max_input_vars is 1000):

1=1&1=2&..........&999=1&x="I am a malicious string"&x[0]=


What will happen?

Let me describe it step by step:

1. There is no problem from 1 to 999, they are all inserted normally

2. x is 1000 elements, so a warning is triggered and there is no problem, x is inserted

3. When x[0] is inserted, statement (3) determines that it is not Arrary and enters the if body. However, statement (4) fails at this time, so the process finally flows to (2)

4. At this time, gpc_element_p points to x, which is the string we forged...

Now let’s look at the key data structure, zval:

The code is as follows Copy code
 代码如下 复制代码

struct _zval_struct {

    /* Variable information */

    zvalue_value value; /* value */

    zend_uint refcount__gc;

    zend_uchar type; /* active type */

    zend_uchar is_ref__gc;

};

struct _zval_struct {


/* Variable information */

 代码如下 复制代码

typedef union _zvalue_value {

    long lval; /* long value */

    double dval; /* double value */

    struct {

        char *val;

        int len;

    } str;

    HashTable *ht; /* hash table value */

    zend_object_value obj;

} zvalue_value;

zvalue_value value; /* value */ zend_uint refcount__gc; zend_uchar type; /* active type */ zend_uchar is_ref__gc; };
Then look at zvalue_value:
The code is as follows Copy code
typedef union _zvalue_value { long lval; /* long value */ double dval; /* double value */ struct { char *val; int len; } str; HashTable *ht; /* hash table value */ zend_object_value obj; } zvalue_value;


zvalue_value is a union, so the memory of the string area we construct will be treated as a Hashtable structure:

uint nTableMask;
The code is as follows
 代码如下 复制代码

typedef struct _hashtable {

    uint nTableSize;

    uint nTableMask;

    uint nNumOfElements;

    ulong nNextFreeElement;

    Bucket *pInternalPointer; /* Used for element traversal */

    Bucket *pListHead;

    Bucket *pListTail;

    Bucket **arBuckets;

    dtor_func_t pDestructor; //注意这个

    zend_bool persistent;

    unsigned char nApplyCount;

    zend_bool bApplyProtection;

#if ZEND_DEBUG

    int inconsistent;

#endif

} HashTable;

Copy code


typedef struct _hashtable {

uint nTableSize;
uint nNumOfElements;

ulong nNextFreeElement; Bucket *pInternalPointer; /* Used for element traversal */ Bucket *pListHead; Bucket *pListTail; Bucket **arBuckets; dtor_func_t pDestructor; //Pay attention to this zend_bool persistent;
unsigned char nApplyCount;
zend_bool bApplyProtection;
#if ZEND_DEBUG int inconsistent; #endif } HashTable;
  • In the Hashtable structure, there is a pDestructor. This pointer points to a function. When there are elements in the Hashtable that need to be cleared, it will be called... In other words, you can set an address (pDestructor) as you like, and then let PHP call it (inducing an element to be deleted). http://www.bkjia.com/PHPjc/629666.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629666.htmlTechArticleDo you still remember the PHP Hash Collisions Ddos vulnerability I mentioned before? At the beginning, the repair plan provided by the development team , what is used is that if max_input_vars is exceeded, an error (E_ERROR) will be reported, which will lead to P...
  • Statement
    The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
    How can you protect against Cross-Site Scripting (XSS) attacks related to sessions?How can you protect against Cross-Site Scripting (XSS) attacks related to sessions?Apr 23, 2025 am 12:16 AM

    To protect the application from session-related XSS attacks, the following measures are required: 1. Set the HttpOnly and Secure flags to protect the session cookies. 2. Export codes for all user inputs. 3. Implement content security policy (CSP) to limit script sources. Through these policies, session-related XSS attacks can be effectively protected and user data can be ensured.

    How can you optimize PHP session performance?How can you optimize PHP session performance?Apr 23, 2025 am 12:13 AM

    Methods to optimize PHP session performance include: 1. Delay session start, 2. Use database to store sessions, 3. Compress session data, 4. Manage session life cycle, and 5. Implement session sharing. These strategies can significantly improve the efficiency of applications in high concurrency environments.

    What is the session.gc_maxlifetime configuration setting?What is the session.gc_maxlifetime configuration setting?Apr 23, 2025 am 12:10 AM

    Thesession.gc_maxlifetimesettinginPHPdeterminesthelifespanofsessiondata,setinseconds.1)It'sconfiguredinphp.iniorviaini_set().2)Abalanceisneededtoavoidperformanceissuesandunexpectedlogouts.3)PHP'sgarbagecollectionisprobabilistic,influencedbygc_probabi

    How do you configure the session name in PHP?How do you configure the session name in PHP?Apr 23, 2025 am 12:08 AM

    In PHP, you can use the session_name() function to configure the session name. The specific steps are as follows: 1. Use the session_name() function to set the session name, such as session_name("my_session"). 2. After setting the session name, call session_start() to start the session. Configuring session names can avoid session data conflicts between multiple applications and enhance security, but pay attention to the uniqueness, security, length and setting timing of session names.

    How often should you regenerate session IDs?How often should you regenerate session IDs?Apr 23, 2025 am 12:03 AM

    The session ID should be regenerated regularly at login, before sensitive operations, and every 30 minutes. 1. Regenerate the session ID when logging in to prevent session fixed attacks. 2. Regenerate before sensitive operations to improve safety. 3. Regular regeneration reduces long-term utilization risks, but the user experience needs to be weighed.

    How do you set the session cookie parameters in PHP?How do you set the session cookie parameters in PHP?Apr 22, 2025 pm 05:33 PM

    Setting session cookie parameters in PHP can be achieved through the session_set_cookie_params() function. 1) Use this function to set parameters, such as expiration time, path, domain name, security flag, etc.; 2) Call session_start() to make the parameters take effect; 3) Dynamically adjust parameters according to needs, such as user login status; 4) Pay attention to setting secure and httponly flags to improve security.

    What is the main purpose of using sessions in PHP?What is the main purpose of using sessions in PHP?Apr 22, 2025 pm 05:25 PM

    The main purpose of using sessions in PHP is to maintain the status of the user between different pages. 1) The session is started through the session_start() function, creating a unique session ID and storing it in the user cookie. 2) Session data is saved on the server, allowing data to be passed between different requests, such as login status and shopping cart content.

    How can you share sessions across subdomains?How can you share sessions across subdomains?Apr 22, 2025 pm 05:21 PM

    How to share a session between subdomains? Implemented by setting session cookies for common domain names. 1. Set the domain of the session cookie to .example.com on the server side. 2. Choose the appropriate session storage method, such as memory, database or distributed cache. 3. Pass the session ID through cookies, and the server retrieves and updates the session data based on the ID.

    See all articles

    Hot AI Tools

    Undresser.AI Undress

    Undresser.AI Undress

    AI-powered app for creating realistic nude photos

    AI Clothes Remover

    AI Clothes Remover

    Online AI tool for removing clothes from photos.

    Undress AI Tool

    Undress AI Tool

    Undress images for free

    Clothoff.io

    Clothoff.io

    AI clothes remover

    Video Face Swap

    Video Face Swap

    Swap faces in any video effortlessly with our completely free AI face swap tool!

    Hot Tools

    mPDF

    mPDF

    mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

    SublimeText3 English version

    SublimeText3 English version

    Recommended: Win version, supports code prompts!

    WebStorm Mac version

    WebStorm Mac version

    Useful JavaScript development tools

    SublimeText3 Mac version

    SublimeText3 Mac version

    God-level code editing software (SublimeText3)

    SublimeText3 Linux new version

    SublimeText3 Linux new version

    SublimeText3 Linux latest version