September 21, 2014

Eight Year Old PHP / Apache mod_cgi Vulnerability Disclosed

(LiveHacking.Com) – Due to a bug in PHP’s bug tracking system, a privately disclosed security vulnerability in the way PHP handles query string parameters when it is running in CGI mode was marked as public. As a result the PHP project has released PHP 5.3.12 and PHP 5.4.2 to fix the problem; however, there are reports that these releases are buggy and don’t fully resolve the problem.

The initial details of the generic PHP-CGI remote code execution bug were posted on the eindbazen.net website. The researchers discovered that the query string ‘?-s’ results in the “-s” command line argument being passed to PHP, resulting in source code disclosure. Further investigation showed that the command-line switches -s, -d or -c are passed straight through to the php-cgi binary, which can also be exploited to obtain arbitrary code execution.

To test if your site is vulnerable try the following:

http://www.yourdomain.com/index.php?-s

According to the release information: “A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable.”

The official fix in PHP 5.3.12 and PHP 5.4.2 contains a bug which makes the fix trivial to bypass; system admins are therefore advised to mitigate this problem by adding the following Apache mod_rewrite rule, which drops any query string that begins with a dash (or its URL-encoded form %2d) and contains no “=”:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
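The same condition the rewrite rule tests can be run over existing web server logs to find requests that would have reached php-cgi as a command-line switch. This is an added example, not code from the original article or from eindbazen.net; the log lines are constructed, and the Common Log Format parser is an assumption about the server’s log layout.

```python
import re
from urllib.parse import urlsplit

# Same test as the RewriteCond above: a query string that starts with "-"
# (or its %2d encoding, case-insensitive) and contains no "=" is parsed by
# php-cgi as an argument rather than as a GET parameter.
ARG_INJECTION = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Apache Common Log Format; the request line is "METHOD target HTTP/x.y".
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

def is_cgi_arg_injection(query: str) -> bool:
    """True when the raw (undecoded) query string trips the rewrite condition."""
    return bool(ARG_INJECTION.match(query))

def flag_requests(log_lines):
    """Return (client ip, request target) for each request the rule would block."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        query = urlsplit(m.group("target")).query  # urlsplit keeps %2d encoded
        if query and is_cgi_arg_injection(query):
            hits.append((m.group("ip"), m.group("target")))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Sep/2014:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5123',
    '203.0.113.5 - - [21/Sep/2014:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5123',
    '198.51.100.7 - - [21/Sep/2014:10:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 842',
    '198.51.100.7 - - [21/Sep/2014:10:00:04 +0000] "GET /index.php?s HTTP/1.1" 200 842',
    '192.0.2.9 - - [21/Sep/2014:10:00:05 +0000] "POST /index.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f"php-cgi switch in query string from {ip}: {target}")
```

Only the raw query string is checked, exactly as mod_rewrite sees it; a sane parameter such as page=home or a bare word without a leading dash is left alone.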

The bug was originally discovered in January and was used to pwn the Nullcon Hackim 2012 scoreboard. The PHP team were contacted but after a couple of weeks little seemed to be happening. US-CERT was then contacted and acknowledged receipt of the vulnerability report in February. By May US-CERT notified eindbazen.net that the PHP team was testing a patch. However, on May 3rd the bug report was mistakenly marked as public and was picked up on reddit /r/netsec, /r/opensource and /r/technology. US-CERT have now published a Vulnerability Note.

It is anticipated that a new PHP update, with a revised fix, will be released soon.

Apple Releases Security Updates for OS X

(LiveHacking.Com) – Apple has released security updates for Apple OS X Lion 10.7 and Mac OS X Snow Leopard 10.6 to fix multiple vulnerabilities. These vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions. The update is an amalgamation of recent security updates for several different components used by Apple (including Apache and PHP) along with fixes for Apple’s own code.

3rd Party

This release brings some of OS X’s third party components up to date including:

Apache: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the ‘empty fragment’ countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default.

PHP is updated to version 5.3.8 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. However, it is worth noting that PHP 5.3.10 has since been released to fix the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python).

SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems.

Tomcat is updated to version 6.0.33 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Tomcat is only provided on Mac OS X Server systems.

X11: A memory corruption issue existed in FreeType’s handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.7.

The update also revokes the trust for root certificates issued by DigiCert Malaysia. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. Back in November it was discovered that DigiCert Malaysia had issued certificates with weak keys that it was unable to revoke.

Apple

Apple components that are updated include:

Address Book supports Secure Sockets Layer (SSL) for accessing CardDAV. A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed. An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval.

CoreAudio: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of AAC encoded audio streams.

CoreMedia: A heap buffer overflow existed in CoreMedia’s handling of H.264 encoded movie files.

QuickTime has been updated to resolve several issues including:

  • Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution. An uninitialized memory access issue existed in the handling of MP4 encoded files.
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of JPEG2000 files.
  • Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of PNG files.

Time Machine: The user may designate a remote AFP volume or Time Capsule to be used for Time Machine backups. Time Machine did not verify that the same device was being used for subsequent backup operations. An attacker who is able to spoof the remote volume could gain access to new backups created by the user’s system. This issue is addressed by verifying the unique identifier associated with a disk for backup operations.

PHP 5.3.10 Fixes Critical Security Vulnerability

(LiveHacking.Com) – The PHP development team have released PHP 5.3.10 to fix a recently discovered remote code execution vulnerability. The vulnerability is a result of the fix for the hash table collision CPU-usage denial of service, which was added in 5.3.9. That fix limited the maximum possible number of input parameters to 1000, but because of a bug in the implementation a remote attacker could send a large number of specially crafted POST requests, which could crash PHP or allow arbitrary code execution.

PHP 5.3.9 was released just over two weeks ago with over 90 bug fixes, some of which were security related. Among them was a fix for the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python). At the end of last year, Alexander Klink and Julian Wälde revealed that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request. So it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition. PHP 5.3.10 fixes the fix for the fix!

The new version of PHP can be downloaded here and it is recommended that all users upgrade to the new version. The different Linux distributions have started to update their repositories.

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security researchers have exposed a flaw in the way popular Web programming languages (such as PHP, ASP.NET and Python) handle hash table collisions, resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. And so it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.
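The quadratic cost described in the advisory, and in the PHP 5.3.9/5.3.10 article above, comes from the duplicate-key check a parameter parser performs on every insert: when all keys land in one bucket, the n-th insert walks a chain of n-1 entries. This added example (not code from the advisory or from PHP) shows the effect with a deliberately weak, order-insensitive toy hash, where anagrams of one word all collide, against a keyed hash with a secret basis, which is the mitigation the advisory describes; the toy hash, the seed and the key set are constructed for the demonstration.

```python
import hashlib
from itertools import islice, permutations

class CountingTable:
    """Separate-chaining hash table that counts key comparisons on insert."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):   # duplicate-key check walks the chain
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

def weak_hash(key: str) -> int:
    # Toy hash with no positional mixing: any anagram of a key collides with it.
    return sum(key.encode())

SECRET_SEED = b"constructed-per-process-secret"   # would be random at startup

def keyed_hash(key: str) -> int:
    # Keyed hash: without the seed an attacker cannot precompute collisions.
    digest = hashlib.blake2b(key.encode(), key=SECRET_SEED, digest_size=4).digest()
    return int.from_bytes(digest, "big")

def colliding_keys(n: int):
    """Constructed multi-collision set for weak_hash: n anagrams of one word."""
    return ["".join(p) for p in islice(permutations("abcdefgh"), n)]

def insert_cost(hash_fn, keys) -> int:
    """Total key comparisons needed to insert all keys (the parser's work)."""
    table = CountingTable(hash_fn)
    for k in keys:
        table.insert(k, "x")
    return table.comparisons

if __name__ == "__main__":
    keys = colliding_keys(200)
    print("weak hash, colliding keys :", insert_cost(weak_hash, keys))   # n(n-1)/2
    print("keyed hash, same keys     :", insert_cost(keyed_hash, keys))
```

With 200 colliding keys the weak table does exactly 200*199/2 = 19900 comparisons, and the cost keeps growing quadratically with the request size; the keyed table spreads the same keys across buckets and does a few dozen.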

Microsoft have been one of the first to respond to this issue with several announcements including Security Advisory 2659883 and an advance notification for an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 and 110 seconds. The .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft are rating this out-of-band bulletin as “Critical” and it is likely it will release updates for

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

For Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 across Intel 32 bit, Intel 64 bit and Itanium where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the Ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.

PHP 5.3.8 Released With Fix for Crypt() Bug

A few days ago the PHP project released PHP 5.3.7 with over 90 bug fixes – some of them security related. However it was quickly discovered that there should have been 91 bugs fixed in 5.3.7, as the crypt() function wasn’t working correctly. If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts worked as expected.

Now PHP 5.3.8 has been released to remedy this. The only other change reverts a timeout-handling change that caused mysqlnd SSL connections to hang, restoring the PHP 5.3.6 behavior.

For a full list of changes in PHP 5.3.8, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.

One of the big security related changes in 5.3.7 was the update of crypt_blowfish to 1.2. For more details on the crypt_blowfish security changes as implemented in PHP 5.3.7+ see the crypt blowfish page.

PHP 5.3.7 Fixes Over 90 Bugs – Some Security Related (Updated)

Update: Due to unfortunate issues with 5.3.7 (see bug#55439) users should not upgrade to 5.3.7 but wait until 5.3.8 is released (it is expected in a few days). According to the bug report: If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected.

(LiveHacking.Com) – The PHP development team has announced the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.

Security Enhancements and Fixes in PHP 5.3.7:

  • Updated crypt_blowfish to 1.2. (CVE-2011-2483)
  • Fixed crash in error_log(). Reported by Mateusz Kocielski
  • Fixed buffer overflow on overlong salt in crypt().
  • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
  • Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

It is also worth noting that PHP 5.2 is no longer supported and users should upgrade to PHP 5.3.7. The new release’s source code is available to download, as are Windows binaries. Linux and FreeBSD users should see updates from their distribution providers soon.

PHP 5.3.6 Released – Fixes Security Bugs and Upgrades Sqlite3

The PHP development team have released PHP 5.3.6. This maintenance release is designed to improve the stability of the PHP 5.3 series and includes over 60 bug fixes, at least six of which are security related.

According to the release announcement the security enhancements and fixes in PHP 5.3.6 include:

  • Enforce security in the fastcgi protocol parsing with fpm SAPI.
  • Fixed format-string vulnerability on Phar. See CVE-2011-1153
  • Fixed integer overflow in shmop_read(). See CVE-2011-1092
  • Fixed buffer overrun with high values for precision ini setting.
  • Fixed crash on crafted tag in exif. See CVE-2011-0708
  • Fixed ZipArchive segfault with FL_UNCHANGED on empty archive. See CVE-2011-0421

Some of these bugs could have allowed hackers to obtain sensitive information from process memory, cause a denial of service or possibly execute arbitrary code.

Key enhancements in PHP 5.3.6 include:

  • Upgraded bundled Sqlite3 to version 3.7.4.
  • Upgraded bundled PCRE to version 8.11.
  • Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.
  • Added options to debug backtrace functions.
  • Changed default value of ini directive serialize_precision from 100 to 17.
  • Over 60 other bug fixes.

The PHP development team recommend that all users upgrade to 5.3.6 and also remind users that PHP 5.2 is no longer supported.

IPFire 2.9 Core 47 Released – Updates PHP to Fix Floating-Point Bug

The IPFire project has announced an update to the open source firewall solution. IPFire 2.9 Core 47 is a bugfix release but does bring some minor feature updates. The biggest part of the update is a security patch for PHP. In January a bug was found in PHP when converting the number 2.2250738585072011e-308 from a string. The PHP team released an update and now this update has trickled down to the IPFire project.

Other changes in the Core 47 update include the ability to configure the VLAN IDs that are used for IGMP streaming, plus support for PPTP servers that require a host route for the dial-in connections.

IPFire is designed primarily to be a Stateful Packet Inspection (SPI) firewall, but it can also be configured to act as a file server, mail server or VPN gateway. Using a modular design, IPFire runs exactly what you require and nothing more.

The hardware requirements for IPFire 2.9 are modest: an Intel Pentium I compatible CPU (i586), 128 MB RAM and 1GB of disk space. It can also run as a virtual machine using KVM, VMware and VirtualBox.

PHP Floating-Point bug Found and then Fixed

A bug has been found in the popular web site scripting language PHP which theoretically could be used in a DoS attack against a web site. The bug is related to the way PHP 5.2 and 5.3 convert the largest double-precision floating-point numbers from strings. The number in question is 2.2250738585072011e-308, and if a script tries to convert this from a string the CPU goes into an infinite loop. This could theoretically be used to mount a denial of service attack on a web site and send the CPU into overdrive.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. This is because 32-bit PHP processes use the x87 FPU for doing the conversion, whereas 64-bit processes use SSE.

The PHP team saw this as a critical bug and have released versions 5.3.5 and 5.2.17 to tackle the problem. It is strongly recommended that you upgrade to the new versions.

For more details on the bug see the PHP bug report here and news of the new releases here. You can test whether your system is affected by running this script from the command line.