php5: trivial hash complexity DoS attack

[Message part 1 (text/plain, inline)]
Package: php5-cli
Version: 5.6.13+dfsg-2
Severity: important
Tags: security

PHP uses the DJB "times 33" hash to hash strings in its hash tables,
without the use of any secret key.  Hash values are therefore the same
between multiple invocations.  As a result, it's trivial to precompute a
set of values that all hash to the same bucket and cause positively
abysmal performance.

If a script accepts untrusted hash keys, such as from JSON input, it is
subject to a DoS attack.  PHP implemented the max_input_vars option, but
this is not effective in the general case, especially in the era of
JSON-laden POST requests.  Perl, Python, and Ruby have all addressed
their CVEs properly, but PHP has not and as a result is still
vulnerable.

Cloning my example repository[0] and running
"php scripts/exploited.php < example/1048576.json" demonstrates the
problem very quickly.  The similar Perl and Python scripts are not
vulnerable to this attack.  A JSON file containing only 65536 entries
takes PHP 5.6 22 seconds to process.

A new CVE should probably be allocated and the bug should be fixed
correctly this time, probably by seeding a key from /dev/urandom and
using SipHash-2-4 or the like.

[0] https://github.com/bk2204/php-hash-dos

-- Package-specific info:
==== Additional PHP 5 information ====

++++ PHP 5 SAPI (php5query -S): ++++
cli

++++ PHP 5 Extensions (php5query -M -v): ++++
pdo (Enabled for cli by maintainer script)
readline (Enabled for cli by maintainer script)
json (Enabled for cli by maintainer script)
opcache (Enabled for cli by maintainer script)

++++ Configuration files: ++++
[PHP]
engine = On
short_open_tag = Off
asp_tags = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions =
disable_classes =
zend.enable_gc = On
expose_php = On
max_execution_time = 30
max_input_time = 60
memory_limit = -1
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
[filter]
[iconv]
[intl]
[sqlite]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQL]
mysql.allow_local_infile = On
mysql.allow_persistent = On
mysql.cache_size = 2000
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 60
mysql.trace_mode = Off
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatibility_mode = Off
mssql.secure_connection = Off
[Assertion]
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
[curl]
[openssl]

**** /etc/php5/cli/conf.d/20-json.ini ****
extension=json.so

**** /etc/php5/cli/conf.d/05-opcache.ini ****
zend_extension=opcache.so

**** /etc/php5/cli/conf.d/10-pdo.ini ****
extension=pdo.so

**** /etc/php5/cli/conf.d/20-readline.ini ****
extension=readline.so

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages php5-cli depends on:
ii  libbz2-1.0        1.0.6-8
ii  libc6             2.19-22
ii  libcomerr2        1.42.13-1
ii  libdb5.3          5.3.28-11
ii  libedit2          3.1-20150325-1
ii  libgssapi-krb5-2  1.13.2+dfsg-2
ii  libk5crypto3      1.13.2+dfsg-2
ii  libkrb5-3         1.13.2+dfsg-2
ii  libmagic1         1:5.25-2
ii  libonig2          5.9.6-1
ii  libpcre3          2:8.35-7.2
ii  libqdbm14         1.8.78-6
ii  libssl1.0.0       1.0.2d-1
ii  libxml2           2.9.2+zdfsg1-4
ii  mime-support      3.59
ii  php5-common       5.6.13+dfsg-2
ii  php5-json         1.3.7-1
ii  tzdata            2015f-1
ii  ucf               3.0030
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages php5-cli recommends:
ii  php5-readline  5.6.13+dfsg-2

Versions of packages php5-cli suggests:
pn  php-pear  <none>

Versions of packages php5-common depends on:
ii  libc6   2.19-22
ii  lsof    4.89+dfsg-0.1
ii  psmisc  22.21-2.1
ii  sed     4.2.2-6.1
ii  ucf     3.0030

Versions of packages php5-common suggests:
pn  php5-user-cache  <none>

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

[signature.asc (application/pgp-signature, inline)]
[Message part 1 (text/plain, inline)]
On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> Package: php5-cli
> Version: 5.6.13+dfsg-2
> Severity: important
> Tags: security
> 
> PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> without the use of any secret key.  Hash values are therefore the same
> between multiple invocations.  As a result, it's trivial to precompute a
> set of values that all hash to the same bucket and cause positively
> abysmal performance.
> 
> If a script accepts untrusted hash keys, such as from JSON input, it is
> subject to a DoS attack.  PHP implemented the max_input_vars option, but
> this is not effective in the general case, especially in the era of
> JSON-laden POST requests.  Perl, Python, and Ruby have all addressed
> their CVEs properly, but PHP has not and as a result is still
> vulnerable.

It was pointed out to me that I should mention which CVEs apply here for
reference.

Python had CVE-2012-1150 and CVE-2013-7040.  Ruby had CVE-2011-4815.  I
can't find a CVE for Perl's 2003 fix, if one exists.  The fix, which
went into 5.8, was incomplete and was addressed by CVE-2013-1667.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

[signature.asc (application/pgp-signature, inline)]
Hi Brian,

did you already reported this to php security or should I do that? 

Cheers,
Ondrej

On Fri, Oct 2, 2015, at 14:37, brian m. carlson wrote:
> On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> > Package: php5-cli
> > Version: 5.6.13+dfsg-2
> > Severity: important
> > Tags: security
> > 
> > PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> > without the use of any secret key.  Hash values are therefore the same
> > between multiple invocations.  As a result, it's trivial to precompute a
> > set of values that all hash to the same bucket and cause positively
> > abysmal performance.
> > 
> > If a script accepts untrusted hash keys, such as from JSON input, it is
> > subject to a DoS attack.  PHP implemented the max_input_vars option, but
> > this is not effective in the general case, especially in the era of
> > JSON-laden POST requests.  Perl, Python, and Ruby have all addressed
> > their CVEs properly, but PHP has not and as a result is still
> > vulnerable.
> 
> It was pointed out to me that I should mention which CVEs apply here for
> reference.
> 
> Python had CVE-2012-1150 and CVE-2013-7040.  Ruby had CVE-2011-4815.  I
> can't find a CVE for Perl's 2003 fix, if one exists.  The fix, which
> went into 5.8, was incomplete and was addressed by CVE-2013-1667.
> -- 
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
> Email had 1 attachment:
> + signature.asc
>   1k (application/pgp-signature)

-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

[Message part 1 (text/plain, inline)]
On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> Hi Brian,
> 
> did you already reported this to php security or should I do that?

You should probably do that.  I didn't contact PHP Security or the
Debian Security Team because I expect that due to similar
vulnerabilities in other languages, any attacker already knows about
this and can exploit it with minimal effort.  Secrecy doesn't therefore
benefit anyone, so I just filed a bug.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

[signature.asc (application/pgp-signature, inline)]
On Mon, Oct 5, 2015, at 00:20, brian m. carlson wrote:
> On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> > Hi Brian,
> > 
> > did you already reported this to php security or should I do that?
> 
> You should probably do that.

I already did.

> I didn't contact PHP Security or the
> Debian Security Team because I expect that due to similar
> vulnerabilities in other languages, any attacker already knows about
> this and can exploit it with minimal effort.  Secrecy doesn't therefore
> benefit anyone, so I just filed a bug.

Yeah, I agree. Just they are the guys who will have to fix it, so it
would have been faster to start with them.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

[Message part 1 (text/plain, inline)]
On Mon, Oct 05, 2015 at 12:32:33AM +0200, Ondřej Surý wrote:
> On Mon, Oct 5, 2015, at 00:20, brian m. carlson wrote:
> > On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> > > Hi Brian,
> > > 
> > > did you already reported this to php security or should I do that?
> > 
> > You should probably do that.
> 
> I already did.
> 
> > I didn't contact PHP Security or the
> > Debian Security Team because I expect that due to similar
> > vulnerabilities in other languages, any attacker already knows about
> > this and can exploit it with minimal effort.  Secrecy doesn't therefore
> > benefit anyone, so I just filed a bug.
> 
> Yeah, I agree. Just they are the guys who will have to fix it, so it
> would have been faster to start with them.

This still hasn't been fixed upstream after over a year.  Security Team,
can you allocate a CVE for this, please?  Perhaps that will get upstream
moving.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204

[signature.asc (application/pgp-signature, inline)]
Version: 5.6.26+dfsg-1+rm

Dear submitter,

as the package php5 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/841781

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

php5: trivial hash complexity DoS attack

Debian Bug report logs - #800564
php5: trivial hash complexity DoS attack

Vulmon Search

About

Products

Connect

php5: trivial hash complexity DoS attack

Debian Bug report logs - #800564 php5: trivial hash complexity DoS attack

Vulmon Search

About

Products

Connect

Debian Bug report logs - #800564
php5: trivial hash complexity DoS attack