Thread-topic: Advisory 13/2006: PHP HTML Entity Encoder Heap Overflow Vulnerability
> -----Original Message-----
> From: Stefan Esser [mailto:sesser@xxxxxxxxxxxxxxxx]
> Sent: Friday, November 03, 2006 1:13 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Cc: red@xxxxxxxxx
> Subject: Advisory 13/2006: PHP HTML Entity Encoder Heap Overflow Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hardened-PHP Project
> www.hardened-php.net
>
> -= Security Advisory =-
>
>
> Advisory: PHP HTML Entity Encoder Heap Overflow Vulnerability
> Release Date: 2006/11/03
> Last Modified: 2006/11/03
> Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]
>
> Application: PHP 5 <= 5.1.6, PHP 4 <= 4.4.4
> Severity: Buffer overflows in htmlentities() and
> htmlspecialchars() may result in arbitrary
> remote code execution
> Risk: Critical
> Vendor Status: Vendor has released PHP 5.2.0 which fixes this issue
> References: http://www.hardened-php.net/advisory_132006.138.html
>
>
> Overview:
>
> Quote from http://www.php.net
> "PHP is a widely-used general-purpose scripting language that
> is especially suited for Web development and can be embedded
> into HTML."
>
> While we were searching for a hole in htmlspecialchars() and
> htmlentities() to bypass the encoding of certain chars to exploit
> a possible eval() injection hole in another application we
> discovered that the implementation contains a possible
> buffer overflow that can be triggered when the UTF-8 charset
> is selected.
>
> Unfortunately the whole purpose of both functions is to prepare
> user input for HTML output. Therefore they are used in most PHP
> applications as protection against XSS and are always exposed
> to user input.
>
> By triggering the overflow it is possible to overwrite heap
> management structures with a limited charset. This can result in
> remote code execution. Exploitability has been proven against,
> for example, Linux with glibc 2.3 in a test environment. It
> depends on the heap layout, the OS heap implementation and the
> used Zend Memory Manager.
>
>
> Details:
>
> The HTML entity encoder of PHP will increase the size of its
> output buffer every time it reaches the end of the current buffer.
> Unfortunately the check assumes that the maximum length of an
> HTML entity is 8 chars, which is true for most entities. However,
> especially the Greek character set contains entities that are
> longer than 8 chars. Because of this it is for example possible
> to trigger the overflow by embedding Greek theta UTF-8 characters
> into the input string.
>
> Because the longest HTML entity currently supported is 10 bytes
> long this allows overflowing the buffer with the 2 bytes ';' and
> '\0'. When exploiting heap overflows it can be enough to just
> overwrite the appending memory structure with a single '\0' char
> and control the content of the following memory block to execute
> arbitrary code.
>
> While the above Greek character exploit is only possible in the
> htmlentities() function it is also possible to overwrite with up
> to 7 chars by embedding broken UTF-8 characters into the string.
> The characters may come from the limited charset 0x00, 0xc0-0xfd.
>
> On Linux glibc systems this is for example enough to trick realloc
> into believing that the next memory block is empty and long enough
> to store the additional 128 bytes. The position of the buffer is
> therefore not changed and following writes to the output buffer
> will overwrite the Zend Memory Manager structure of the following
> block. This allows the typical linked list unlink exploit against
> the Zend Memory Manager.
>
>
> Proof of Concept:
>
> The Hardened-PHP Project is not going to release a proof of concept
> exploit for this vulnerability.
>
>
> Disclosure Timeline:
>
> 31. October 2006 - Notified security@xxxxxxx, patch in CVS
> 01. November 2006 - Notified vendor-sec
> 03. November 2006 - PHP developers released PHP 5.2.0
> 03. November 2006 - Public Disclosure
>
>
> Recommendation:
>
> For PHP 4 users it is strongly recommended to patch their version of
> PHP with the following patch until php.net is providing PHP4 updates.
>
>
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.63.2.23.2.2&r2=1.63.2.23.2.3&view=patch
>
> As usual we very strongly recommend that you install Suhosin-Patch
> and the Suhosin Extension, because once again this advisory proved
> that remotely triggerable overflows in PHP still exist. It is
> therefore highly recommended by us to use Suhosin-Patch. Its
> canary protection will detect overflows and stop execution to
> make exploitation very hard or impossible.
>
> FreeBSD and OpenBSD's PHP ports already come with Suhosin-Patch
> activated by default.
>
> Grab your copy and more information at:
>
> http://www.hardened-php.net/suhosin/index.html
>
>
> CVE Information:
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CVE-2006-5465 to this vulnerability.
>
>
> GPG-Key:
>
> http://www.hardened-php.net/hardened-php-signature-key.asc
>
> pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
> Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
>
>
> Copyright 2006 Stefan Esser. All rights reserved.
>
>
>
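As an added illustration of the sizing mistake the Details section describes (this is example code, not code from the advisory or from PHP's html.c), a simplified C entity encoder whose buffer-growth check is measured from the longest entity the table can actually emit, plus the NUL terminator, instead of assuming a fixed 8 bytes; the five-entry entity table and the rejection of broken UTF-8 sequences are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed table for this example (not PHP's html.c table): code point -> entity name. */
static const struct { unsigned cp; const char *name; } TABLE[] = {
    { 0x3C, "lt" }, { 0x3E, "gt" }, { 0x26, "amp" }, { 0x22, "quot" },
    { 0x3D1, "thetasym" },   /* "&thetasym;" is the 10-byte Greek entity the advisory mentions */
};
#define NENT (sizeof TABLE / sizeof TABLE[0])
/* Longest "&name;" the table can emit, measured instead of assumed (the bug was a fixed 8). */
size_t longest_entity(void) {
    size_t max = 0;
    for (size_t i = 0; i < NENT; i++)
        if (strlen(TABLE[i].name) + 2 > max) max = strlen(TABLE[i].name) + 2;   /* '&' + name + ';' */
    return max;
}

/* Decode one UTF-8 sequence; returns bytes consumed, or 0 for a truncated or broken sequence. */
static size_t utf8_next(const unsigned char *s, size_t left, unsigned *cp) {
    size_t n = s[0] < 0x80 ? 1 : (s[0] & 0xE0) == 0xC0 ? 2 :
               (s[0] & 0xF0) == 0xE0 ? 3 : (s[0] & 0xF8) == 0xF0 ? 4 : 0;
    if (n == 0 || n > left) return 0;
    unsigned v = n == 1 ? s[0] : s[0] & (0x7Fu >> n);
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;   /* missing continuation byte: a broken sequence */
        v = (v << 6) | (s[i] & 0x3F);
    }
    *cp = v; return n;
}

/* Encode a UTF-8 string; returns a malloc'd NUL-terminated string, or NULL on malformed input. */
char *encode_entities(const char *in) {
    size_t inlen = strlen(in), cap = 64, len = 0, reserve = longest_entity() + 1;   /* + NUL */
    char *out = malloc(cap);
    for (size_t i = 0; out && i < inlen; ) {
        unsigned cp; size_t n = utf8_next((const unsigned char *)in + i, inlen - i, &cp);
        if (n == 0) { free(out); return NULL; }   /* reject broken UTF-8 rather than copying it through */
        if (len + reserve > cap) {   /* grow before the append, sized for the longest possible entity */
            char *tmp = realloc(out, cap * 2);
            if (!tmp) { free(out); return NULL; }
            out = tmp; cap *= 2;
        }
        const char *name = NULL;
        for (size_t k = 0; k < NENT; k++) if (TABLE[k].cp == cp) name = TABLE[k].name;
        if (name) len += (size_t)sprintf(out + len, "&%s;", name);
        else { memcpy(out + len, in + i, n); len += n; }
        out[len] = '\0'; i += n;
    }
    return out;
}
```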