From owner-freebsd-ports@FreeBSD.ORG Tue Jun 12 17:40:04 2012
Date: Tue, 12 Jun 2012 13:39:58 -0400
From: Jason Hellenthal <jhellenthal@dataix.net>
To: freebsd-security@freebsd.org
Cc: freebsd-ports@freebsd.org
Message-ID: <20120612173958.GA78172@DataIX.net>
Subject: [0x721427d8@gmail.com: [php<=5.4.3] Parsing Bug in PHP PDO prepared statements may lead to access violation]

FYI I verified this on a working system.
----- Forwarded message from 0x721427D8 0x721427D8 <0x721427d8@gmail.com> -----

Date: Sun, 10 Jun 2012 15:02:43 +0200
From: 0x721427D8 0x721427D8 <0x721427d8@gmail.com>
To: bugtraq@securityfocus.com
Subject: [php<=5.4.3] Parsing Bug in PHP PDO prepared statements may lead to access violation

[php<=5.4.3] Parsing Bug in PHP PDO prepared statements may lead to access violation

Affected Product:     PHP
Affected Component:   PDO - PHP Data Objects
Affected Versions:    <=5.4.3 (latest version and trunk)
PHP Bug Ref:          #61755
Patch:                bug61755.diff
Discovery Date:       Feb 2012
Advisory Date:        2012-06-10

Description:
------------
Inconsistent parsing of PHP PDO prepared statements. Erroneous design of the parser's state machine. Under special circumstances, parsing of prepared statements does not stop, leading to cycling through the whole stack without terminating on \0. This leads to access violations, access to stack data, and DoS.

Bug Description:
----------------
There are several design errors in the state machine responsible for parsing PHP PDO based statement objects. These errors are based on the state machine's inability to consistently check the supplied SQL query. Under special circumstances an attacker is able to force the responsible PDO code to iterate beyond the termination of the supplied query string, resulting in a buffer out-of-bounds access. This access may lead to uncontrollable as well as attacker-controllable behavior and access violations caused by the code iterating the whole stack and trying to access addresses beyond the stack end.

In very unlikely and constructed environments it may also be possible to force parameter rebinding of prepared statements - even though some context-specific input filtering is applied - by utilizing the stack cycling behavior of the state machine. This can be accomplished by

1) pushing a manipulated SQL string containing fake parameter bindings (:named:, ?) onto the stack (e.g. using POST variables),
2) manipulating the main SQL query string (see preconditions) to make the pdo_parser cycle the stack,
3) until it cycles into the fake query previously pushed onto the stack, where the magic happens.

This forces the state machine into cycling into random stack data and then into the previously pushed manipulated SQL string with fake parameter bindings. To finalize this attack, the manipulated SQL string then terminates the SQL parsing, resulting in rebinding of prepared parameters. The attacker needs to know the original binding names (for named parameters) and the number of bound params for this attack to succeed. This scenario is unlikely to occur, but as usual in computer security this may be used in conjunction with other attacks to multiply the impact.

Preconditions:
--------------
* PDO is used to access the DB
* For remote attacks: the user must be able to directly control any part of the query string prior to its preparation (stm->prepare()). We are well aware that this is a general coding fault which leads to other security-relevant implications, but sadly enough it's also quite common in many frameworks and projects to use prepared statements with user-controlled data instead of binding it after preparation.

State-machine graph, test scripts, traces and PoCs are available.

Vendor Response:
----------------
* Patch 2012-04-19 (bug61755.diff) (see PHP bugref)
  Patch available, but still not fixed in 5.4.3 (latest)

Timeline:
---------
* 2012 Feb      - Discovered in 5.3.8, verified for 5.3.0/5.3.10 and 5.4.0
* 2012 March    - Responsible disclosure via SSD/BeyondSecurity
* 2012 April    - Patch available 2012-04-19
* 2012 May/June - No trace of bugfix in svn for 5.3/5.4/trunk although mentioned in bugref #61755
* 2012 June     - No trace of bugfix in svn for 5.3/5.4/trunk, code ...
* 2012 June     - Public disclosure

CREDITS:
--------
Discovered by 0x721427D8 via BeyondSecurity - SecuriTeam Secure Disclosure

Refs:
-----
http://php.net/
http://www.php.net/manual/en/intro.pdo.php
http://svn.php.net/viewvc/php/php-src/trunk/ext/pdo/
http://www.securiteam.com/

----- End forwarded message -----

-- 
 - (2^(N-1))
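The remote precondition in the advisory is user data reaching the SQL text before prepare(). As an added example (not part of the advisory or the forwarded mail), here is that weak pattern followed by a hardened version in which the string handed to prepare() is fixed at coding time and the only dynamic identifier is resolved through an allow-list; the users table, the function names and the request values are constructed for illustration, and the database is an in-memory SQLite instance so it runs offline.

```php
<?php
// Added example, not from the advisory. Demonstrates the precondition
// "user controls part of the query string prior to preparation" and its fix.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice','admin'), ('bob','user')");

// Weak: the request decides what the PDO statement parser sees. Whatever is in
// $sort, including text that merely looks like a placeholder (:x, ?), becomes
// part of the string that prepare() has to parse.
function findUsersWeak(PDO $pdo, string $role, string $sort): array {
    $sql = "SELECT name FROM users WHERE role = :role ORDER BY " . $sort;
    $stmt = $pdo->prepare($sql);              // user-controlled text parsed here
    $stmt->execute([':role' => $role]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL template is constant; user data enters only as bound
// parameters after preparation. Identifiers cannot be bound, so the sort
// column is mapped through an allow-list and anything else is rejected.
function findUsersSafe(PDO $pdo, string $role, string $sort): array {
    $columns = ['name' => 'name', 'id' => 'id'];   // constructed allow-list
    if (!isset($columns[$sort])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $sql = "SELECT name FROM users WHERE role = :role ORDER BY " . $columns[$sort];
    $stmt = $pdo->prepare($sql);              // only developer-written text reaches the parser
    $stmt->bindValue(':role', $role, PDO::PARAM_STR);   // data bound after preparation
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request values standing in for $_GET / $_POST.
$request = ['role' => 'user', 'sort' => 'name'];
var_dump(findUsersSafe($pdo, $request['role'], $request['sort']));   // ["bob"]

try {
    // A sort value that is not on the allow-list never reaches prepare().
    findUsersSafe($pdo, 'user', 'name; -- :fake ?');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```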