catalog

. Description

. Analysis

1. Description

PHP is vulnerable to a remote denial of service, caused by repeatedly allocate memory、concatenate string、copy string and free memory when PHP parses header areas of body part of HTTP request with multipart/form-data. By sending multiple HTTP multipart requests to an affected application containing malicious header area of body part, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
该漏洞利用PHP多次合并boundary里的参数,从而造成多次内存分配和拷贝,从而抢占CPU资源,造成性能下降。攻击者利用并发多包的方式,可以达到使目标系统拒绝服务的目的
HTTP协议中,multipart/form-data中可以包含多个报文,它们被合并在一个复杂报文中发送,每一个部分都是独立的,以':'分隔各自的参数和值,不同部分的报文通过分界字符串(boundary)连接在一起
PHP中实现了解析multipart/form-data协议的功能,在解析时,当出现一个不包含':'的行,且之前有一个有效键值对,则说明该行是上一个键值对里的值,PHP会将值拼接到上一个键值对里。在拼接的过程里,PHP进行了一次内存分配,两次内存复制,以及一次内存释放。当出现多个不包含':'的行时,PHP就会进行大量内存分配释放的操作,从而导致消耗CPU资源性能下降。短时间多次发送这类畸形请求将导致目标服务器DoS

Relevant Link:

http://www.chinaz.com/news/2015/0520/407861.shtml

https://portal.nsfocus.com/vulnerability/list/

2. Analysis

The vulnerable function is multipart_buffer_headers that is called internally by the function SAPI_POST_HANDLER_FUNC in main/rfc1867.c. SAPI_POST_HANDLER_FUNC is the entry-point function which parses body parts of HTTP request with multipart/form-data.
\php-src-master\main\rfc1867.c

SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */

{

    ..

    while (!multipart_buffer_eof(mbuff))

    {

        char buff[FILLUNIT];

        char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;

        size_t blen = , wlen = ;

        zend_off_t offset;

        zend_llist_clean(&header);

        if (!multipart_buffer_headers(mbuff, &header)) {

            goto fileupload_done;

        }

        ..

multipart_buffer_headers

/* parse headers */

static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)

{

    char *line;

    mime_header_entry prev_entry = {}, entry;

    int prev_len, cur_len;

    /* didn't find boundary, abort */

    if (!find_boundary(self, self->boundary))

    {

        return ;

    }

    /* get lines of text, or CRLF_CRLF */

    //1. Step 1. The multipart_buffer_headers executes while loop cycle to parse current body part headers, if the boundary string was found.

    while( (line = get_line(self)) && line[] != '\0' )

    {

        /*

        2. When parseing current body part headers which is represented as (header, value),

        the multipart_buffer_headers function firstly call get_line function to read a line of characters, but get_line return a line when it meets character '\n', not '\r\n'.

        After getting a line which is stored in the variable 'line', the multipart_buffer_headers function parses the variable line.

        /* add header to table

        PHP每次读取HTTP body header中的一行

        */

        char *key = line;

        char *value = NULL;

        if (php_rfc1867_encoding_translation())

        {

            self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);

        }

        /* space in the beginning means same header */

        if (!isspace(line[]))

        {

            //寻找":"作为key-value的分界符

            value = strchr(line, ':');

        }

        if (value)

        {

            *value = ;

            do { value++; } while(isspace(*value));

            entry.value = estrdup(value);

            entry.key = estrdup(key);

        }

        //3. And then, it calls zend_llist_add_element function to store entry

        else if (zend_llist_count(header))

        {

            /* If no ':' on the line, add to previous line */

            /*

            4. In this step, the multipart_buffer_headers function thinks current line is not a new header,

            and current line should be append to value of prev_entry. Thus, prev_entry and current line merge into a new entry by executing the following codes:

            */

            prev_len = (int)strlen(prev_entry.value);

            cur_len = (int)strlen(line);

            entry.value = emalloc(prev_len + cur_len + );

            memcpy(entry.value, prev_entry.value, prev_len);

            memcpy(entry.value + prev_len, line, cur_len);

            entry.value[cur_len + prev_len] = '\0';

            entry.key = estrdup(prev_entry.key);

            //// free memory

            zend_llist_remove_tail(header);

        } else {

            continue;

        }

        zend_llist_add_element(header, &entry);

        prev_entry = entry;

    }

    return ;

}

0x1: The Remote Denial of Service Vulnerability 

. If value of body part header consists of n lines

. and first character of each line is not blank character

. and each line did constains character ':'

当满足以上条件时,multipart_buffer_headers函数会不断进行内存申请、参数解析尝试、并尝试将当前行解析出的参数归并入前一个参数键、并释放当前申请内存块

. executes string copy operation twice, frees memory once.

. Each time mergence of entry.value increase length of body part header's value. 每次申请的内存在不断扩大

. thus string copy operations will cause the consumption of CPU resources, and then the service is not available.

//If n is the length of body part header's value, and copying one byte is the unit time complexity,the time complexity of multipart_buffer_headers function is O(n*m)

0x2: example

------WebKitFormBoundarypE33TmSNWwsMphqz

Content-Disposition: form-data; name="file"; filename="s

a

a

a

a"

Content-Type: application/octet-stream 

<?php phpinfo();?>

------WebKitFormBoundarypE33TmSNWwsMphqz

The value of Content-Disposition consists of 5 lines, and the length of the value of Content-Disposition is 5. The multipart_buffer_headers function executes Step 2.3(内存申请、字符串复制、内存释放) 4 times

. The first time execution copys  bytes

. The second execution copys  bytes

. The third time execution copys  bytes

. The fourth time execution copys  bytes

. Thus, the multipart_buffer_headers function executes  times byte copy operation.

Default maximum size of body part is 2097152 bytes (2M), It is enough to cause the consumption of CPU resources by sending multiple HTTP multipart requests to an affected application containing malicious header area of body part.

Relevant Link:

https://bugs.php.net/bug.php?id=69364

Copyright (c) 2015 LittleHann All rights reserved

PHP Multipart/form-data remote dos Vulnerability的更多相关文章

  1. html5 file upload and form data by ajax

    html5 file upload and form data by ajax 最近接了一个小活,在短时间内实现一个活动报名页面,其中遇到了文件上传. 我预期的效果是一次ajax post请求,然后在 ...

  2. Sending forms through JavaScript[form提交 form data]

    https://developer.mozilla.org/en-US/docs/Learn/HTML/Forms/Sending_forms_through_JavaScript As in the ...

  3. form data和request payload的区别

    HTML <form> 标签的 enctype 属性 在下面的例子中,表单数据会在未编码的情况下进行发送: <form action="form_action.asp&qu ...

  4. Web 前沿——HTML5 Form Data 对象的使用

    XMLHttpRequest Level 2 添加了一个新的接口——FormData.利用 FormData 对象,我们可以通过 JavaScript 用一些键值对来模拟一系列表单控件,我们还可以使用 ...

  5. HTTP请求中的form data和request payload的区别

    HTML <form> 标签的 enctype 属性 在下面的例子中,表单数据会在未编码的情况下进行发送: <form action="form_action.asp&qu ...

  6. [整理]Ajax Post请求下的Form Data和Request Payload

    Ajax Post请求下的Form Data和Request Payload 通常情况下,我们通过Post提交表单,以键值对的形式存储在请求体中.此时的reqeuest headers会有Conten ...

  7. AJAX POST请求中参数以form data和request payload形式在servlet中的获取方式

    转载:http://blog.csdn.net/mhmyqn/article/details/25561535 HTTP请求中,如果是get请求,那么表单参数以name=value&name1 ...

  8. Sending HTML Form Data

    public Task<HttpResponseMessage> PostFormData(){ // Check if the request contains multipart/fo ...

  9. AJAX POST请求中參数以form data和request payload形式在servlet中的获取方式

    HTTP请求中,假设是get请求,那么表单參数以name=value&name1=value1的形式附到url的后面,假设是post请求,那么表单參数是在请求体中,也是以name=value& ...

随机推荐

  1. 金旭亮老师的Scoekt编程摘要

    Socket提供了众多的属性,还提供了SetSocketOption方法来设置各种选项,对.NET网络应用程序的数据通讯进行“微调”.    Socket的功能出奇地强大,在.NET平台上,它支持以下 ...

  2. Spring Security笔记:使用数据库进行用户认证(form login using database)

    在前一节,学习了如何自定义登录页,但是用户名.密码仍然是配置在xml中的,这样显然太非主流,本节将学习如何把用户名/密码/角色存储在db中,通过db来实现用户认证 一.项目结构 与前面的示例相比,因为 ...

  3. 工作随笔——mysql子查询删除原表数据

    最近在开发的时候遇到一个mysql的子查询删除原表数据的问题.在网上也看了很多方法,基本也是然并卵(不是写的太乱就是效率太慢). 公司DBA给了一个很好的解决方案,让人耳目一新. DELETE fb. ...

  4. CAP原理的证明

    CAP概述 C: Consistency 一致性 A: Availability 可用性 P:Partition Tolerance分区容错性 CAP理论的核心是:一个分布式系统不可能同时很好的满足一 ...

  5. 详解javascript 存储

    javascript用于存储的方式可谓是多种多样,善于应用‘存储’可以大大的提高网站的性能,博主结合日常开发常见需求做一下总结,希望对大家有用- 1.cookie 存储大小:   4kb左右,以20个 ...

  6. ajax请求过程中下载文件在火狐下的兼容问题

    项目中碰到的问题,记录如下. 需求很简单,点击一个文件链接下载该文件,同时向后台发送请求.需求很常见,用户点击下载后通常要进行下载量的统计,统计的话可以利用 script标签 或者 img标签(图片p ...

  7. 在VS2010 下编译 cocos2d-x-2.1.4

    首先感谢 cocos2d-x 团队为我们做出这么好的跨平台框架,让我们这些码农省了很多时间,事半功倍. 里沃特最近在编译 win32 版本的时候最到一点小问题,现在记录下,说不定能帮到某些初学的朋友. ...

  8. [POJ2404]Jogging Trails(中国旅行商问题)(一般图的匹配——状压DP)

    题目:http://poj.org/problem?id=2404 题意:有个n(n<=15)的点和m条无向边,每条边都有自己的权值.现在你要从某个点出发,每条边可以经过多次但要保证每条边至少走 ...

  9. C# 退出应用程序办法

    Application.Exit();//好像只在主线程可以起作用,而且当有线程,或是阻塞方法的情况下,很容易失灵   this.Close();//只是关闭当前窗体.   Application.E ...

  10. IR的评价指标-MAP,NDCG和MRR

    IR的评价指标-MAP,NDCG和MRR   MAP(Mean Average Precision): 单个主题的平均准确率是每篇相关文档检索出后的准确率的平均值.主集合的平均准确率(MAP)是每个主 ...