<<< Date Index >>>     <<< Thread Index >>>

Advisory 02/2006: PHP ext/mysqli Format String Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: PHP ext/mysqli Format String Vulnerability
 Release Date: 2006/01/12
Last Modified: 2006/01/12
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: PHP5.1 <= 5.1.1
 Not Affected: PHP4, PHP 5.0.x
               PHP 5.1.x with Hardening-Patch
     Severity: A format string vulnerability in the exception handling
               of the new mysqli extension may result in remote code
               execution
         Risk: Low
Vendor Status: Vendor has released a bugfixed version
   References: http://www.hardened-php.net/advisory_022006.113.html


Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of the Hardening-Patch which adds security 
   hardening features to the PHP codebase, several vulnerabilities 
   within PHP were discovered. This advisory describes one of these 
   flaws concerning a weakness in the mysqli extension.
   
   PHP5 comes with the new mysqli extension, which recently got a new
   error reporting feature using exceptions. When an exception for such
   an error is thrown the error message is used as format string.
   Depending on the situation and configuration, f.e. a malicious MySQL 
   server or an erroneous SQL query (f.e. through SQL injection) can
   result in PHP reporting a (partly) user supplied error message, which
   can result in triggering the format string vulnerability, which can
   lead to remote code execution.


Details:

   PHP's new mysqli extension recently got a new error reporting mode
   that is using PHP exceptions to report errors generated by the SQL
   server or errors that occured when a connection cannot be established.
   
   Because of a flaw in the way the format string functions where called
   when such an exception is thrown the error message is used as format 
   string and might contain format string specifiers. Because this error
   message is generated by the mysql client library or the remote mysql
   server there are a number of ways a local or remote attacker can 
   influence the content of the message to cause arbitrary format strings
   to be parsed.
   
   By default the reporting mode will not report failed SQL queries 
   through this mechanism, but when it is enabled SQL injection 
   vulnerabilities can be used by remote attackers to feed arbitrary
   format strings to PHP's internal implementation of the format string
   functions. These functions also support the %n specifier and therefore
   can be exploited in ways similar to the standard fmt string exploits.
   (With the little problem that the %n implementation in PHP is buggy
   and therefore does not behave in the normal way).
   
   In the default reporting mode an attacker has to be either local and
   try to connect to invalid hostnames or remote with control over the
   error messages returned by the mysql server. (malicious server or
   man in the middle attack). In all cases there is the potential for
   attacker controlled memory corruption that could even lead to remote 
   code execution. The vulnerability is rated low risk, because it is
   believed to be hard for an external attacker to abuse this remotely.

   PHP servers using our Hardening-Patch are not exploitable because 
   since the very beginning of the patch we have the %n format string 
   specifier disabled, to protect against unknown format string 
   vulnerabilites.


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for this
   vulnerability to the public.


Recommendation:

   It is strongly recommended to upgrade to the latest appropriate PHP 
   release as soon as possible, because it does not only fix this
   vulnerability, but finally comes with a HTTP Response Splitting 
   protection. 
   
   Additionally we always recommend to run PHP with the Hardening-Patch
   applied, because this vulnerability once again proved that our users
   are protected against unknown vulnerabilities before they become
   public knowledge.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDxpDMRDkUzAqGSqERAvRPAJ9rl/UP6jYWv4gvhA5WBgETAG4UKQCfVmnQ
pynps3w+tBa+wi0y1WQ7rUo=
=rdnA
-----END PGP SIGNATURE-----