PHP Multipart/form-data remote dos Vulnerability
catalog
. Description
. Analysis
1. Description
PHP is vulnerable to a remote denial of service, caused by repeatedly allocate memory、concatenate string、copy string and free memory when PHP parses header areas of body part of HTTP request with multipart/form-data. By sending multiple HTTP multipart requests to an affected application containing malicious header area of body part, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
该漏洞利用PHP多次合并boundary里的参数,从而造成多次内存分配和拷贝,从而抢占CPU资源,造成性能下降。攻击者利用并发多包的方式,可以达到使目标系统拒绝服务的目的
HTTP协议中,multipart/form-data中可以包含多个报文,它们被合并在一个复杂报文中发送,每一个部分都是独立的,以':'分隔各自的参数和值,不同部分的报文通过分界字符串(boundary)连接在一起
PHP中实现了解析multipart/form-data协议的功能,在解析时,当出现一个不包含':'的行,且之前有一个有效键值对,则说明该行是上一个键值对里的值,PHP会将值拼接到上一个键值对里。在拼接的过程里,PHP进行了一次内存分配,两次内存复制,以及一次内存释放。当出现多个不包含':'的行时,PHP就会进行大量内存分配释放的操作,从而导致消耗CPU资源性能下降。短时间多次发送这类畸形请求将导致目标服务器DoS
Relevant Link:
http://www.chinaz.com/news/2015/0520/407861.shtml
https://portal.nsfocus.com/vulnerability/list/
2. Analysis
The vulnerable function is multipart_buffer_headers that is called internally by the function SAPI_POST_HANDLER_FUNC in main/rfc1867.c. SAPI_POST_HANDLER_FUNC is the entry-point function which parses body parts of HTTP request with multipart/form-data.
\php-src-master\main\rfc1867.c
SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
{
..
while (!multipart_buffer_eof(mbuff))
{
char buff[FILLUNIT];
char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
size_t blen = , wlen = ;
zend_off_t offset;
zend_llist_clean(&header);
if (!multipart_buffer_headers(mbuff, &header)) {
goto fileupload_done;
}
..
multipart_buffer_headers
/* parse headers */
static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
{
char *line;
mime_header_entry prev_entry = {}, entry;
int prev_len, cur_len; /* didn't find boundary, abort */
if (!find_boundary(self, self->boundary))
{
return ;
} /* get lines of text, or CRLF_CRLF */
//1. Step 1. The multipart_buffer_headers executes while loop cycle to parse current body part headers, if the boundary string was found.
while( (line = get_line(self)) && line[] != '\0' )
{
/*
2. When parseing current body part headers which is represented as (header, value),
the multipart_buffer_headers function firstly call get_line function to read a line of characters, but get_line return a line when it meets character '\n', not '\r\n'.
After getting a line which is stored in the variable 'line', the multipart_buffer_headers function parses the variable line.
/* add header to table
PHP每次读取HTTP body header中的一行
*/
char *key = line;
char *value = NULL; if (php_rfc1867_encoding_translation())
{
self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
} /* space in the beginning means same header */
if (!isspace(line[]))
{
//寻找":"作为key-value的分界符
value = strchr(line, ':');
} if (value)
{
*value = ;
do { value++; } while(isspace(*value));
entry.value = estrdup(value);
entry.key = estrdup(key);
}
//3. And then, it calls zend_llist_add_element function to store entry
else if (zend_llist_count(header))
{
/* If no ':' on the line, add to previous line */
/*
4. In this step, the multipart_buffer_headers function thinks current line is not a new header,
and current line should be append to value of prev_entry. Thus, prev_entry and current line merge into a new entry by executing the following codes:
*/
prev_len = (int)strlen(prev_entry.value);
cur_len = (int)strlen(line); entry.value = emalloc(prev_len + cur_len + );
memcpy(entry.value, prev_entry.value, prev_len);
memcpy(entry.value + prev_len, line, cur_len);
entry.value[cur_len + prev_len] = '\0'; entry.key = estrdup(prev_entry.key); //// free memory
zend_llist_remove_tail(header);
} else {
continue;
} zend_llist_add_element(header, &entry);
prev_entry = entry;
} return ;
}
0x1: The Remote Denial of Service Vulnerability
. If value of body part header consists of n lines
. and first character of each line is not blank character
. and each line did constains character ':'
当满足以上条件时,multipart_buffer_headers函数会不断进行内存申请、参数解析尝试、并尝试将当前行解析出的参数归并入前一个参数键、并释放当前申请内存块
. executes string copy operation twice, frees memory once.
. Each time mergence of entry.value increase length of body part header's value. 每次申请的内存在不断扩大
. thus string copy operations will cause the consumption of CPU resources, and then the service is not available.
//If n is the length of body part header's value, and copying one byte is the unit time complexity,the time complexity of multipart_buffer_headers function is O(n*m)
0x2: example
------WebKitFormBoundarypE33TmSNWwsMphqz
Content-Disposition: form-data; name="file"; filename="s
a
a
a
a"
Content-Type: application/octet-stream <?php phpinfo();?>
------WebKitFormBoundarypE33TmSNWwsMphqz
The value of Content-Disposition consists of 5 lines, and the length of the value of Content-Disposition is 5. The multipart_buffer_headers function executes Step 2.3(内存申请、字符串复制、内存释放) 4 times
. The first time execution copys bytes
. The second execution copys bytes
. The third time execution copys bytes
. The fourth time execution copys bytes
. Thus, the multipart_buffer_headers function executes times byte copy operation.
Default maximum size of body part is 2097152 bytes (2M), It is enough to cause the consumption of CPU resources by sending multiple HTTP multipart requests to an affected application containing malicious header area of body part.
Relevant Link:
https://bugs.php.net/bug.php?id=69364
Copyright (c) 2015 LittleHann All rights reserved
PHP Multipart/form-data remote dos Vulnerability的更多相关文章
- html5 file upload and form data by ajax
html5 file upload and form data by ajax 最近接了一个小活,在短时间内实现一个活动报名页面,其中遇到了文件上传. 我预期的效果是一次ajax post请求,然后在 ...
- Sending forms through JavaScript[form提交 form data]
https://developer.mozilla.org/en-US/docs/Learn/HTML/Forms/Sending_forms_through_JavaScript As in the ...
- form data和request payload的区别
HTML <form> 标签的 enctype 属性 在下面的例子中,表单数据会在未编码的情况下进行发送: <form action="form_action.asp&qu ...
- Web 前沿——HTML5 Form Data 对象的使用
XMLHttpRequest Level 2 添加了一个新的接口——FormData.利用 FormData 对象,我们可以通过 JavaScript 用一些键值对来模拟一系列表单控件,我们还可以使用 ...
- HTTP请求中的form data和request payload的区别
HTML <form> 标签的 enctype 属性 在下面的例子中,表单数据会在未编码的情况下进行发送: <form action="form_action.asp&qu ...
- [整理]Ajax Post请求下的Form Data和Request Payload
Ajax Post请求下的Form Data和Request Payload 通常情况下,我们通过Post提交表单,以键值对的形式存储在请求体中.此时的reqeuest headers会有Conten ...
- AJAX POST请求中参数以form data和request payload形式在servlet中的获取方式
转载:http://blog.csdn.net/mhmyqn/article/details/25561535 HTTP请求中,如果是get请求,那么表单参数以name=value&name1 ...
- Sending HTML Form Data
public Task<HttpResponseMessage> PostFormData(){ // Check if the request contains multipart/fo ...
- AJAX POST请求中參数以form data和request payload形式在servlet中的获取方式
HTTP请求中,假设是get请求,那么表单參数以name=value&name1=value1的形式附到url的后面,假设是post请求,那么表单參数是在请求体中,也是以name=value& ...
随机推荐
- ROS系统python代码测试之rostest
ROS系统中提供了测试框架,可以实现python/c++代码的单元测试,python和C++通过不同的方式实现, 之后的两篇文档分别详细介绍各自的实现步骤,以及测试结果和覆盖率的获取. ROS系统中p ...
- PRML读书会第十一章 Sampling Methods(MCMC, Markov Chain Monte Carlo,细致平稳条件,Metropolis-Hastings,Gibbs Sampling,Slice Sampling,Hamiltonian MCMC)
主讲人 网络上的尼采 (新浪微博: @Nietzsche_复杂网络机器学习) 网络上的尼采(813394698) 9:05:00 今天的主要内容:Markov Chain Monte Carlo,M ...
- 文件夹管理工具(MVC+zTree+layer)(附源码)
写在前 之前写了一篇关于 文件夹与文件的操作的文章 操作文件方法简单总结(File,Directory,StreamReader,StreamWrite ) 把常用的对于文件与文件夹的操作总结了一 ...
- Nodejs进阶:如何玩转子进程(child_process)
本文摘录自个人总结<Nodejs学习笔记>,更多章节及更新,请访问 github主页地址.欢迎加群交流,群号 197339705. 模块概览 在node中,child_process这个模 ...
- Bootstrap系列 -- 2. 标题
一. Bootstrap标题 在Bootstrap中使用标题和Html本身没有太大的区别使用h1-h6, 而Bootstrap只是默认修改了H1-h6的样式,网上找到如下资料参考 二. Bootstr ...
- iostat命令详解
iostat iostat用于输出CPU和磁盘I/O相关的统计信息. 命令格式: iostat [ -c | -d ] [ -k | -m ] [ -t ] [ -V ] [ -x ] [ devic ...
- angular一些冷门的用法
1.controller的第三个参数
- jQuery jsonp无法捕获404、500状态错误
转载:http://www.cnblogs.com/pao8041/p/4750403.html 不过上面的这个我用的不好,下次有机会用
- 面向OPENCL的ALTERA SDK
面向OPENCL的ALTERA SDK 使用面向开放计算语言 (OpenCL™) 的 Altera® SDK,用户可以抽象出传统的硬件 FPGA 开发流程,采用更快.更高层面的软件开发流程.在基于 x ...
- nios II--实验1——hello_world硬件部分
hello_world 硬件开发 新建原理图 1.打开Quartus II 11.0,新建一个工程,File -> New Project Wizard…,忽略Introduction,之间单击 ...