PHP 5 infoleak vulnerability leading to potential SSL key disclosure

Bug #1338170 reported by Loganaden Velvindron on 2014-07-05
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Undecided
Marc Deslauriers
Lucid
Undecided
Marc Deslauriers
Precise
Undecided
Marc Deslauriers
Saucy
Undecided
Marc Deslauriers
Trusty
Undecided
Marc Deslauriers
Utopic
Undecided
Marc Deslauriers

Bug Description

https://bugs.php.net/bug.php?id=67498

Description:
------------
Hey,

I recently discovered an easy to exploit arbitrary information leak
vulnerability in PHP. The information leak can be exploited by setting
PHP_SELF, PHP_AUTH_TYPE, PHP_AUTH_USER or PHP_AUTH_PW to non-string
variables before calling phpinfo().

When you look at the code from /ext/standard/info.c you will see that
the code simply trusts that the returned ZVALs are of type STRING. If
there are however integers the code will interpret the integer as a in
memory pointer and print out the binary string at that position.

        php_info_print_table_start();
        php_info_print_table_header(2, "Variable", "Value");
        if (zend_hash_find(&EG(symbol_table), "PHP_SELF",
sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE",
sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER",
sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW",
sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
        }

I have attached a patch to fix this problem and the demo exploit used to
create the following output.
(As you can see there are a bunch of 0x20 in the output that should
actually be 0x00. I believe this is due to a bug in php_write() that
seems to write a space in case of an empty string??? But I did not
actually research this.)

$ vmmap $$ | grep _TEXT | grep libSystem
__TEXT 00007fff8da9f000-00007fff8daa1000 [ 8K]
r-x/r-x SM=COW /usr/lib/libSystem.B.dylib
$ php phpinfo_infoleak_512.php 0x7fff8da9f000
Heapdump
---------

00000000: cf fa ed fe 07 00 20 01 03 00 20 20 06 00 20 20 ...... ... ..
00000010: 2a 00 20 20 c0 0c 00 20 b5 00 20 80 00 20 20 20 *. ... .. ..
00000020: 19 00 20 20 d8 01 00 20 5f 5f 54 45 58 54 00 20 .. ... __TEXT.
00000030: 20 20 20 20 20 20 20 20 20 90 de 84 ff 7f 00 20 .....
00000040: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000050: 20 20 20 20 20 20 20 20 07 00 20 20 05 00 20 20 .. ..
00000060: 05 00 20 20 20 20 20 20 5f 5f 74 65 78 74 00 20 .. __text.
00000070: 20 20 20 20 20 20 20 20 5f 5f 54 45 58 54 00 20 __TEXT.
00000080: 20 20 20 20 20 20 20 20 1a aa de 84 ff 7f 00 20 ......
00000090: a4 01 00 20 20 20 20 20 1a 1a 00 20 20 20 20 20 ... ...
000000a0: 20 20 20 20 20 20 20 20 20 04 00 80 00 20 20 20 ....
000000b0: 20 20 20 20 20 20 20 20 5f 5f 73 74 75 62 73 00 __stubs.
000000c0: 20 20 20 20 20 20 20 20 5f 5f 54 45 58 54 00 20 __TEXT.
000000d0: 20 20 20 20 20 20 20 20 be ab de 84 ff 7f 00 20 ......
000000e0: 56 01 00 20 20 20 20 20 be 1b 00 20 01 00 20 20 V.. ... ..
000000f0: 20 20 20 20 20 20 20 20 08 04 00 80 00 20 20 20 .....
00000100: 06 00 20 20 20 20 20 20 5f 5f 73 74 75 62 5f 68 .. __stub_h
00000110: 65 6c 70 65 72 00 20 20 5f 5f 54 45 58 54 00 20 elper. __TEXT.
00000120: 20 20 20 20 20 20 20 20 14 ad de 84 ff 7f 00 20 ......
00000130: 4a 02 00 20 20 20 20 20 14 1d 00 20 02 00 20 20 J.. ... ..
00000140: 20 20 20 20 20 20 20 20 20 04 00 80 00 20 20 20 ....
00000150: 20 20 20 20 20 20 20 20 5f 5f 63 6f 6e 73 74 00 __const.
00000160: 20 20 20 20 20 20 20 20 5f 5f 54 45 58 54 00 20 __TEXT.
00000170: 20 20 20 20 20 20 20 20 60 af de 84 ff 7f 00 20 `.....
00000180: 40 00 20 20 20 20 20 20 60 1f 00 20 04 00 20 20 @. `.. ..
00000190: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000001a0: 20 20 20 20 20 20 20 20 5f 5f 75 6e 77 69 6e 64 __unwind
000001b0: 5f 69 6e 66 6f 00 20 20 5f 5f 54 45 58 54 00 20 _info. __TEXT.
000001c0: 20 20 20 20 20 20 20 20 a0 af de 84 ff 7f 00 20 ......
000001d0: 58 00 20 20 20 20 20 20 a0 1f 00 20 20 20 20 20 X. ...
000001e0: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000001f0: 20 20 20 20 20 20 20 20 19 00 20 20 28 02 00 20 .. (..

Because this is only exploitable in case these variables are overwritten
as integers, which is less likely in a remote context this has to be
mostly considered a local information leak only. However if you are
running as mod_php and there is mod_ssl this could be used to steal the
private SSL key from memory (if you can inject PHP code).

Regards,
Stefan Esser

Loganaden Velvindron (u-logan) wrote :
information type: Private Security → Public Security
Changed in php5 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)

The attachment "patch adapted from upstream fix" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.10-1ubuntu3.13

---------------
php5 (5.3.10-1ubuntu3.13) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden> Mon, 07 Jul 2014 08:41:06 -0400

Changed in php5 (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.9+dfsg-1ubuntu4.3

---------------
php5 (5.5.9+dfsg-1ubuntu4.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden> Mon, 07 Jul 2014 07:44:21 -0400

Changed in php5 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.3+dfsg-1ubuntu2.6

---------------
php5 (5.5.3+dfsg-1ubuntu2.6) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden> Mon, 07 Jul 2014 07:46:31 -0400

Changed in php5 (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.26

---------------
php5 (5.3.2-1ubuntu4.26) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden> Tue, 08 Jul 2014 21:22:42 -0400

Changed in php5 (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.12+dfsg-2ubuntu3

---------------
php5 (5.5.12+dfsg-2ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden> Wed, 09 Jul 2014 13:00:04 -0400

Changed in php5 (Ubuntu Utopic):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers