[Full-disclosure] Advisory 13/2006: PHP HTML Entity Encoder Heap Overflow Vulnerability

From: Stefan Esser (sesser@hardened-php.net)
Date: Thu Nov 02 2006 - 16:12:41 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security Advisory =-

     Advisory: PHP HTML Entity Encoder Heap Overflow Vulnerability
 Release Date: 2006/11/03
Last Modified: 2006/11/03
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PHP 5 <= 5.1.6, PHP 4 <= 4.4.4
     Severity: Buffer overflows in htmlentities() and
               htmlspecialchars() may result in arbitrary
               remote code execution
         Risk: Critical
Vendor Status: Vendor has released PHP 5.2.0 which fixes this issue
   References: http://www.hardened-php.net/advisory_132006.138.html

Overview:

   Quote from http://www.php.net
   "PHP is a widely-used general-purpose scripting language that
    is especially suited for Web development and can be embedded
    into HTML."
    
   While we were searching for a hole in htmlspecialchars() and
   htmlentities() that would bypass the encoding of certain characters,
   in order to exploit a possible eval() injection hole in another
   application, we discovered that their implementation contains a
   buffer overflow that can be triggered when the UTF-8 charset is
   selected.
   
   Unfortunately the whole purpose of both functions is to prepare
   user input for HTML output. They are therefore used in most PHP
   applications as protection against XSS and are always exposed to
   user input.
   
   By triggering the overflow it is possible to overwrite heap
   management structures with a limited character set. This can result
   in remote code execution. Exploitability has been proven, for
   example, against Linux with glibc 2.3 in a test environment. It
   depends on the heap layout, the OS heap implementation and the Zend
   Memory Manager in use.

Details:

   The HTML entity encoder of PHP increases the size of its output
   buffer every time it reaches the end of the current buffer.
   Unfortunately the check assumes that the maximum length of an HTML
   entity is 8 chars, which is true for most entities. However, the
   Greek character set in particular contains entities that are longer
   than 8 chars. Because of this it is, for example, possible to
   trigger the overflow by embedding Greek theta UTF-8 characters into
   the input string.
   
   Because the longest HTML entity currently supported is 10 bytes
   long, this allows overflowing the buffer with the 2 bytes ';' and
   '\0'. When exploiting heap overflows it can be enough to overwrite
   the adjacent memory management structure with a single '\0' char
   and control the content of the following memory block to execute
   arbitrary code.
   
   While the above Greek character attack is only possible in the
   htmlentities() function, it is also possible to overflow the buffer
   with up to 7 chars by embedding broken UTF-8 characters into the
   string. These characters may come from the limited charset 0x00,
   0xc0-0xfd.
   
   On Linux glibc systems this is, for example, enough to trick realloc
   into believing that the next memory block is free and large enough
   to store the additional 128 bytes. The position of the buffer is
   therefore not changed, and subsequent writes to the output buffer
   overwrite the Zend Memory Manager structure of the following block.
   This allows the typical linked-list unlink exploit against the Zend
   Memory Manager.
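   The buffer-growth check described above can be modelled in a few
   lines of C. The following program is an added illustration written
   for this page; it is not code from PHP's html.c and does not
   reproduce its exact control flow. Its constants come from the
   advisory text (a 128-byte growth step, "&thetasym;" as the longest
   entity at 10 bytes, and a check that assumes 8-character entities);
   the entity table, the minimal UTF-8 decoder and the constructed
   input are assumptions made for the example. Instead of letting the
   write actually corrupt memory, the model tracks the bound the real
   code believes in and reports how many bytes a write would spill
   past it, so the same routine shows the 2-byte (';' and '\0')
   overrun with the stale 8-character assumption and a clean result
   once the check uses the real longest entity length.

```c
/* Added example: a model of an HTML entity encoder whose output buffer
 * grows in fixed steps, with a pre-write check that assumes a maximum
 * entity length. Not PHP's html.c; constants follow the advisory text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_LEN    128 /* assumed initial output buffer size */
#define GROW_BY        128 /* advisory: buffer grows by 128 bytes per realloc */
#define LONGEST_ENTITY 10  /* advisory: "&thetasym;" is 10 bytes */
#define SLACK          64  /* extra allocation so the model never really overflows */

/* Entity names for the code points this example cares about (assumed table). */
static const char *entity_name(unsigned int cp)
{
    switch (cp) {
    case '<':    return "lt";
    case '>':    return "gt";
    case '&':    return "amp";
    case '"':    return "quot";
    case 0x03B8: return "theta";    /* Greek theta, UTF-8 CE B8 */
    case 0x03D1: return "thetasym"; /* Greek theta symbol, UTF-8 CF 91 */
    default:     return NULL;
    }
}

/* Minimal UTF-8 decoder: ASCII and well-formed 2-byte sequences only.
 * Returns bytes consumed, or 0 for anything this model does not decode. */
static size_t decode_utf8(const unsigned char *p, size_t avail, unsigned int *cp)
{
    if (avail >= 1 && p[0] < 0x80) { *cp = p[0]; return 1; }
    if (avail >= 2 && (p[0] & 0xE0) == 0xC0 && (p[1] & 0xC0) == 0x80) {
        *cp = ((p[0] & 0x1Fu) << 6) | (p[1] & 0x3Fu);
        return 2;
    }
    return 0;
}

/* Encoder loop model. `assumed_max` is the entity length the growth check
 * believes to be the maximum. Returns the largest number of bytes a write
 * (entity plus NUL) would have landed beyond `maxlen`; 0 means the check
 * was sufficient. If `out` is non-NULL and large enough, the encoded string
 * is copied there. Returns (size_t)-1 on allocation failure. */
static size_t simulate_encode(const unsigned char *in, size_t inlen,
                              size_t assumed_max, char *out, size_t outcap)
{
    size_t maxlen = INITIAL_LEN;          /* the bound the real code believes in */
    size_t len = 0, i = 0, overrun = 0;
    char *buf = malloc(maxlen + SLACK);   /* SLACK keeps the model memory-safe */
    if (!buf) return (size_t)-1;

    while (i < inlen) {
        unsigned int cp = 0;
        size_t n = decode_utf8(in + i, inlen - i, &cp);
        char piece[LONGEST_ENTITY + 1];
        size_t plen;

        /* The growth check: grow only if fewer than assumed_max+1 bytes remain. */
        if (len + assumed_max + 1 > maxlen) {
            char *tmp;
            maxlen += GROW_BY;
            tmp = realloc(buf, maxlen + SLACK);
            if (!tmp) { free(buf); return (size_t)-1; }
            buf = tmp;
        }

        if (n == 0) {                     /* undecodable byte: copied through */
            piece[0] = (char)in[i]; plen = 1; n = 1;
        } else {
            const char *name = entity_name(cp);
            if (name) plen = (size_t)snprintf(piece, sizeof piece, "&%s;", name);
            else { memcpy(piece, in + i, n); plen = n; }
        }

        /* The write is unconditional; record how far past the bound it reaches. */
        if (len + plen + 1 > maxlen && len + plen + 1 - maxlen > overrun)
            overrun = len + plen + 1 - maxlen;

        memcpy(buf + len, piece, plen);
        len += plen;
        i += n;
    }
    buf[len] = '\0';
    if (out && outcap > len) memcpy(out, buf, len + 1);
    free(buf);
    return overrun;
}

/* Constructed input: 119 ASCII filler bytes followed by one theta symbol
 * (CF 91), so the 10-byte entity lands exactly at the end of the initial
 * 128-byte buffer. */
static size_t demo_overrun(size_t assumed_max)
{
    unsigned char in[121];
    memset(in, 'a', 119);
    in[119] = 0xCF; in[120] = 0x91;
    return simulate_encode(in, sizeof in, assumed_max, NULL, 0);
}

int main(void)
{
    printf("check assumes 8-char entities  -> bytes past buffer end: %zu\n",
           demo_overrun(8));
    printf("check uses real longest entity -> bytes past buffer end: %zu\n",
           demo_overrun(LONGEST_ENTITY));
    return 0;
}
```

   Compiled and run, the program reports 2 bytes past the buffer end
   for the stale assumption and 0 once the check is derived from the
   longest entity actually in the table. That is the review point for
   any grow-on-demand encoder: the pre-write size check must be
   computed from the largest item the loop can emit, not from a
   constant chosen by looking at the common cases.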

Proof of Concept:

   The Hardened-PHP Project is not going to release a proof of concept
   exploit for this vulnerability.

Disclosure Timeline:

   31. October 2006 - Notified security@php.net, patch in CVS
   01. November 2006 - Notified vendor-sec
   03. November 2006 - PHP developers released PHP 5.2.0
   03. November 2006 - Public Disclosure

Recommendation:

   PHP 4 users are strongly recommended to patch their version of PHP
   with the following patch until php.net provides PHP 4 updates.

   http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.63.2.23.2.2&r2=1.63.2.23.2.3&view=patch
 
   As usual we very strongly recommend that you install Suhosin-Patch
   and the Suhosin Extension, because once again this advisory proved
   that remotely triggerable overflows in PHP still exist. We therefore
   highly recommend using Suhosin-Patch. Its canary protection will
   detect overflows and stop execution, making exploitation very hard
   or impossible.
   
   FreeBSD and OpenBSD's PHP ports already come with Suhosin-Patch
   activated by default.
   
   Grab your copy and more information at:
   
   http://www.hardened-php.net/suhosin/index.html

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2006-5465 to this vulnerability.
               

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFSnmgRDkUzAqGSqERAksrAJsHlMJD90XU9KtiFI6PpyLddaZ2wQCgpR++
VRAQBzFoGx5SJemSTgxKTaI=
=6OY5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/