catalog

. Description

. Analysis

1. Description

PHP is vulnerable to a remote denial of service, caused by repeatedly allocate memory、concatenate string、copy string and free memory when PHP parses header areas of body part of HTTP request with multipart/form-data. By sending multiple HTTP multipart requests to an affected application containing malicious header area of body part, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
该漏洞利用PHP多次合并boundary里的参数,从而造成多次内存分配和拷贝,从而抢占CPU资源,造成性能下降。攻击者利用并发多包的方式,可以达到使目标系统拒绝服务的目的
HTTP协议中,multipart/form-data中可以包含多个报文,它们被合并在一个复杂报文中发送,每一个部分都是独立的,以':'分隔各自的参数和值,不同部分的报文通过分界字符串(boundary)连接在一起
PHP中实现了解析multipart/form-data协议的功能,在解析时,当出现一个不包含':'的行,且之前有一个有效键值对,则说明该行是上一个键值对里的值,PHP会将值拼接到上一个键值对里。在拼接的过程里,PHP进行了一次内存分配,两次内存复制,以及一次内存释放。当出现多个不包含':'的行时,PHP就会进行大量内存分配释放的操作,从而导致消耗CPU资源性能下降。短时间多次发送这类畸形请求将导致目标服务器DoS

Relevant Link:

http://www.chinaz.com/news/2015/0520/407861.shtml

https://portal.nsfocus.com/vulnerability/list/

2. Analysis

The vulnerable function is multipart_buffer_headers that is called internally by the function SAPI_POST_HANDLER_FUNC in main/rfc1867.c. SAPI_POST_HANDLER_FUNC is the entry-point function which parses body parts of HTTP request with multipart/form-data.
\php-src-master\main\rfc1867.c

SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */

{

    ..

    while (!multipart_buffer_eof(mbuff))

    {

        char buff[FILLUNIT];

        char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;

        size_t blen = , wlen = ;

        zend_off_t offset;

        zend_llist_clean(&header);

        if (!multipart_buffer_headers(mbuff, &header)) {

            goto fileupload_done;

        }

        ..

multipart_buffer_headers

/* parse headers */

static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)

{

    char *line;

    mime_header_entry prev_entry = {}, entry;

    int prev_len, cur_len;

    /* didn't find boundary, abort */

    if (!find_boundary(self, self->boundary))

    {

        return ;

    }

    /* get lines of text, or CRLF_CRLF */

    //1. Step 1. The multipart_buffer_headers executes while loop cycle to parse current body part headers, if the boundary string was found.

    while( (line = get_line(self)) && line[] != '\0' )

    {

        /*

        2. When parseing current body part headers which is represented as (header, value),

        the multipart_buffer_headers function firstly call get_line function to read a line of characters, but get_line return a line when it meets character '\n', not '\r\n'.

        After getting a line which is stored in the variable 'line', the multipart_buffer_headers function parses the variable line.

        /* add header to table

        PHP每次读取HTTP body header中的一行

        */

        char *key = line;

        char *value = NULL;

        if (php_rfc1867_encoding_translation())

        {

            self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);

        }

        /* space in the beginning means same header */

        if (!isspace(line[]))

        {

            //寻找":"作为key-value的分界符

            value = strchr(line, ':');

        }

        if (value)

        {

            *value = ;

            do { value++; } while(isspace(*value));

            entry.value = estrdup(value);

            entry.key = estrdup(key);

        }

        //3. And then, it calls zend_llist_add_element function to store entry

        else if (zend_llist_count(header))

        {

            /* If no ':' on the line, add to previous line */

            /*

            4. In this step, the multipart_buffer_headers function thinks current line is not a new header,

            and current line should be append to value of prev_entry. Thus, prev_entry and current line merge into a new entry by executing the following codes:

            */

            prev_len = (int)strlen(prev_entry.value);

            cur_len = (int)strlen(line);

            entry.value = emalloc(prev_len + cur_len + );

            memcpy(entry.value, prev_entry.value, prev_len);

            memcpy(entry.value + prev_len, line, cur_len);

            entry.value[cur_len + prev_len] = '\0';

            entry.key = estrdup(prev_entry.key);

            //// free memory

            zend_llist_remove_tail(header);

        } else {

            continue;

        }

        zend_llist_add_element(header, &entry);

        prev_entry = entry;

    }

    return ;

}

0x1: The Remote Denial of Service Vulnerability 

. If value of body part header consists of n lines

. and first character of each line is not blank character

. and each line did constains character ':'

当满足以上条件时,multipart_buffer_headers函数会不断进行内存申请、参数解析尝试、并尝试将当前行解析出的参数归并入前一个参数键、并释放当前申请内存块

. executes string copy operation twice, frees memory once.

. Each time mergence of entry.value increase length of body part header's value. 每次申请的内存在不断扩大

. thus string copy operations will cause the consumption of CPU resources, and then the service is not available.

//If n is the length of body part header's value, and copying one byte is the unit time complexity,the time complexity of multipart_buffer_headers function is O(n*m)

0x2: example

------WebKitFormBoundarypE33TmSNWwsMphqz

Content-Disposition: form-data; name="file"; filename="s

a

a

a

a"

Content-Type: application/octet-stream 

<?php phpinfo();?>

------WebKitFormBoundarypE33TmSNWwsMphqz

The value of Content-Disposition consists of 5 lines, and the length of the value of Content-Disposition is 5. The multipart_buffer_headers function executes Step 2.3(内存申请、字符串复制、内存释放) 4 times

. The first time execution copys  bytes

. The second execution copys  bytes

. The third time execution copys  bytes

. The fourth time execution copys  bytes

. Thus, the multipart_buffer_headers function executes  times byte copy operation.

Default maximum size of body part is 2097152 bytes (2M), It is enough to cause the consumption of CPU resources by sending multiple HTTP multipart requests to an affected application containing malicious header area of body part.

Relevant Link:

https://bugs.php.net/bug.php?id=69364

Copyright (c) 2015 LittleHann All rights reserved

PHP Multipart/form-data remote dos Vulnerability的更多相关文章

  1. html5 file upload and form data by ajax

    html5 file upload and form data by ajax 最近接了一个小活,在短时间内实现一个活动报名页面,其中遇到了文件上传. 我预期的效果是一次ajax post请求,然后在 ...

  2. Sending forms through JavaScript[form提交 form data]

    https://developer.mozilla.org/en-US/docs/Learn/HTML/Forms/Sending_forms_through_JavaScript As in the ...

  3. form data和request payload的区别

    HTML <form> 标签的 enctype 属性 在下面的例子中,表单数据会在未编码的情况下进行发送: <form action="form_action.asp&qu ...

  4. Web 前沿——HTML5 Form Data 对象的使用

    XMLHttpRequest Level 2 添加了一个新的接口——FormData.利用 FormData 对象,我们可以通过 JavaScript 用一些键值对来模拟一系列表单控件,我们还可以使用 ...

  5. HTTP请求中的form data和request payload的区别

    HTML <form> 标签的 enctype 属性 在下面的例子中,表单数据会在未编码的情况下进行发送: <form action="form_action.asp&qu ...

  6. [整理]Ajax Post请求下的Form Data和Request Payload

    Ajax Post请求下的Form Data和Request Payload 通常情况下,我们通过Post提交表单,以键值对的形式存储在请求体中.此时的reqeuest headers会有Conten ...

  7. AJAX POST请求中参数以form data和request payload形式在servlet中的获取方式

    转载:http://blog.csdn.net/mhmyqn/article/details/25561535 HTTP请求中,如果是get请求,那么表单参数以name=value&name1 ...

  8. Sending HTML Form Data

    public Task<HttpResponseMessage> PostFormData(){ // Check if the request contains multipart/fo ...

  9. AJAX POST请求中參数以form data和request payload形式在servlet中的获取方式

    HTTP请求中,假设是get请求,那么表单參数以name=value&name1=value1的形式附到url的后面,假设是post请求,那么表单參数是在请求体中,也是以name=value& ...

随机推荐

  1. java:使用匿名类直接new接口

    java中的匿名类有一个倍儿神奇的用法,见下面代码示例: package contract; public interface ISay { void sayHello(); } 上面是一个简单的接口 ...

  2. ROS(Robot Operating System)常用环境变量介绍

    本文简单介绍ROS系统中常用的环境变量用途及设置方式.ROS系统环境中除了必须配置的环境变量以外,其他的也是十分有用,通过修改变量路径,可以设置ROS系统中log文件存放路径,单元测试结果存放路径等. ...

  3. PhoneGap: Android 自定义组件

    Hello Core Demo Plugin Development(组件部署): http://docs.phonegap.com/en/2.0.0/guide_plugin-development ...

  4. 如何在 apache 中开启 gzip 压缩服务

    服务器设置 gzip 压缩是 web 开发里很普遍的做法.假设你要请求一个 100k 的文件,网络传输速度为 50k/s,需要 2s 才能得到数据,但是如果在服务器设置了 gzip 压缩,将服务端的文 ...

  5. 排序图解:js排序算法实现

    之前写过js实现数组去重, 今天继续研究数组: 排序算法实现. 排序是数据结构主要内容,并不限于语言主要在于思想:大学曾经用C语言研究过一段时间的排序实现, 这段时间有空用JS再将排序知识点熟悉一遍. ...

  6. react的基本学习

    1.<SubSubComp {...this.props } /> 传递属性,{...props}的方式为组件传递了这两个属性,这就是JSX中的延展属性,"..."成为 ...

  7. OpenFlow

    What is OpenFlow? OpenFlow is an open standard that enables researchers to run experimental protocol ...

  8. java util包概述

    util是utiliy的缩写,意为多用途的,工具性质的包这个包中主要存放了:集合类(如ArrayList,HashMap等),随机数产生类,属性文件读取类,定时器类等类.这些类极大方便了Java编程, ...

  9. 详解C语言的htons和htonl函数、大尾端、小尾端

    在Linux和Windows网络编程时需要用到htons和htonl函数,用来将主机字节顺序转换为网络字节顺序. 在Intel机器下,执行以下程序 int main(){   printf(" ...

  10. sockaddr与sockaddr_in结构体简介

    struct sockaddr { unsigned  short  sa_family;     /* address family, AF_xxx */char  sa_data[14];     ...