Bug 399427 (CVE-2012-0807) - <dev-php/suhosin-0.9.33 Transparent Cookie Encryption Stack Buffer Overflow (CVE-2012-{0807,0808})
Summary: <dev-php/suhosin-0.9.33 Transparent Cookie Encryption Stack Buffer Overflow (...
Status: RESOLVED FIXED
Alias: CVE-2012-0807
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major with 1 vote
Assignee: Gentoo Security
URL: http://www.suhosin.org/
Whiteboard: C1 [glsa]
Keywords:
Depends on: 400889
Blocks:
Reported: 2012-01-19 23:04 UTC by Michael Harrison
Modified: 2014-12-12 00:42 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Michael Harrison 2012-01-19 23:04:35 UTC
A possible stack buffer overflow in Suhosin extension's transparent cookie encryption that can only be triggered in an uncommon and weakened Suhosin configuration can lead to arbitrary remote code execution, if the FORTIFY_SOURCE compile option was not used when Suhosin was compiled.

Reference: http://www.suhosin.org/
https://github.com/stefanesser/suhosin

Solution: Suhosin Extension 0.9.33 was released which fixes this vulnerability

Quote from http://www.suhosin.org
  "Suhosin is an advanced protection system for PHP installations.
   It was designed to protect servers and users from known and
   unknown flaws in PHP applications and the PHP core. Suhosin comes
   in two independent parts, that can be used separately or in
   combination. The first part is a small patch against the PHP
   core, that implements a few low-level protections against
   buffer overflows or format string vulnerabilities and the second
   part is a powerful PHP extension that implements all the other
   protections."

  During an internal audit of the Suhosin PHP extension, which is
  often confused with the Suhosin PHP Patch, although they are not
  the same, a possible stack based buffer overflow inside the
  transparent cookie encryption feature was discovered.

  If successfully exploited this vulnerability can lead to arbitrary
  remote code execution. However further investigation into the
  vulnerability revealed that it can only be triggered if the admin
  has not only activated transparent cookie encryption, but also
  explicitly disabled several other security features of Suhosin.
  In addition to that remote exploitation requires a PHP application
  that puts unfiltered user input into a call to the header()
  function that sends a Set-Cookie header.

  Furthermore most modern unix systems compile the Suhosin extension
  with the FORTIFY_SOURCE flag, which will detect the possible buffer
  overflow and abort execution before something bad can happen.

Details:

  The transparent cookie encryption of Suhosin is disabled by default
  because it stops applications that use JavaScript from accessing
  cookies, which would break these applications. In order to activate
  it an admin has to enable this feature in the configuration file:

    suhosin.cookie.encrypt = On

  Once activated all incoming cookies will be decrypted and all
  outgoing Set-Cookie HTTP headers will be rewritten to only contain
  encrypted data. When this happens the following code of Suhosin
  extension will be triggered.

    char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
    {
        char buffer[4096];
        char buffer2[4096];
        char *buf = buffer, *buf2 = buffer2, *d, *d_url;
        int l;

        /* name: bound check and copy both use name_len, so they agree */
        if (name_len > sizeof(buffer)-2) {
            buf = estrndup(name, name_len);
        } else {
            memcpy(buf, name, name_len);
            buf[name_len] = 0;
        }

        ...

        /* value: bound check uses strlen(value), which stops at the first NUL ... */
        if (strlen(value) <= sizeof(buffer2)-2) {
            /* ... but the copy uses value_len, which counts bytes after that NUL */
            memcpy(buf2, value, value_len);
            buf2[value_len] = 0;
        } else {
            buf2 = estrndup(value, value_len);
        }

  The problem with this code is that the second call to memcpy()
  uses strlen() to check if there is enough buffer space but
  uses the variable value_len to determine the amount of bytes
  to copy. The problem is that there could be a NUL byte inside
  the value of the cookie, which will result in a stack based
  buffer overflow. While the same code can also be found inside
  the suhosin_decrypt_single_cookie() function the problem cannot
  be exploited, because in that case there cannot be a NUL byte.

  To understand the limited impact of this vulnerability it is
  important to know that NUL bytes are not allowed inside HTTP
  headers in a default Suhosin installation. In order to be
  vulnerable it is therefore required that the admin explicitly
  weakened security by disabling the HTTP response splitting
  protection of Suhosin by using the following configuration:

    suhosin.multiheader=On

  The next thing to know is that PHP applications normally use
  the functions setcookie() and setrawcookie() to set cookies.
  Both functions are however not affected by the problem
  because both functions will eliminate a possible NUL byte
  when constructing the Set-Cookie header. Therefore the only
  way to trigger this vulnerability is to call the header() function
  directly with a "Set-Cookie" header and put unfiltered user
  input into the cookie value. This is very uncommon in normal
  PHP applications.

  In addition to that the default configuration of Suhosin will not
  allow NUL bytes in user input. Therefore in order to trigger the
  vulnerability remotely the user input must have been double
  decoded or the admin must have weakened the installation once
  again by disabling the protection against NUL bytes. This can be
  done by changing the configuration to:

    suhosin.request.disallow_nul=Off
    suhosin.get.disallow_nul=Off
    suhosin.post.disallow_nul=Off
    suhosin.cookie.disallow_nul=Off

  Finally even if the vulnerability is triggerable from remote it
  depends on the compilation of the Suhosin extension if the bug
  can be abused. Most modern unix systems will compile the Suhosin
  extension with the FORTIFY_SOURCE compile option, which will
  detect the buffer overflow before it actually happens and abort
  execution.

  If either suhosin.multiheader or suhosin.cookie.encrypt is set
  to "off" in your configuration then you are safe from remote
  attacks. In addition to that the default configuration of
  suhosin.perdir disallows setting these variables from .htaccess,
  which also provides some protection against local attackers.

Proof of Concept:

  Locally the problem can be reproduced by the following PHP code:

  <?php header("Set-Cookie: x=xxx".chr(0).str_repeat("A",10000));

  If this piece of code does not affect your PHP process at all then
  your current configuration is safe. Otherwise it depends on whether
  the Suhosin extension was compiled with the FORTIFY_SOURCE option.

Disclosure Timeline:

  12. January 2012 - Vulnerability was found during an internal audit
  14. January 2012 - Vulnerability was fixed in the source code
  19. January 2012 - Public Disclosure
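Added example, not part of the bug report or of Suhosin's code: a small C model of the bounds logic quoted in the description. The first function reproduces the audit condition (the strlen()-based check accepts a value that the value_len-based memcpy() would overflow) without performing any copy; the second is the hardened form, where the bound is compared against value_len, the same length that drives the copy. The buffer size is a parameter rather than the fixed 4096 of the original, estrndup() is replaced by plain malloc(), and the sample value is constructed here in the shape of the advisory's proof of concept.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Audit condition from the advisory: the original check
 * (strlen(value) <= bufsize-2) passes, yet memcpy(value_len) plus the
 * terminator would not fit. The two lengths can only disagree when the
 * value contains an embedded NUL. Nothing is copied here. */
bool original_check_misses_overflow(const char *value, size_t value_len, size_t bufsize)
{
    bool check_passes = strlen(value) <= bufsize - 2;
    bool copy_fits    = value_len + 1 <= bufsize;   /* value_len bytes + NUL */
    return check_passes && !copy_fits;
}

/* Hardened copy: bound and copy both use value_len. Returns either
 * stack_buf or a heap allocation the caller must free(); *heap_alloc
 * tells which. (Assumed replacement for the estrndup() fallback.) */
char *copy_cookie_value_fixed(const char *value, size_t value_len,
                              char *stack_buf, size_t bufsize, bool *heap_alloc)
{
    char *out;
    if (value_len <= bufsize - 2) {
        out = stack_buf;
        *heap_alloc = false;
    } else {
        out = malloc(value_len + 1);
        if (out == NULL)
            return NULL;
        *heap_alloc = true;
    }
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return out;
}

/* Constructed sample value: "x=xxx" followed by a NUL and then 'A' bytes,
 * total_len bytes in all, so strlen() sees 5 while value_len is total_len.
 * Caller frees. */
char *make_sample_value(size_t total_len)
{
    char *v = malloc(total_len);
    if (v == NULL)
        return NULL;
    memset(v, 'A', total_len);
    memcpy(v, "x=xxx", 5);
    v[5] = '\0';
    return v;
}

int main(void)
{
    /* Same sizes as the advisory: 4096-byte scratch buffer, 10000-byte value */
    size_t value_len = 5 + 1 + 10000;
    char *v = make_sample_value(value_len);
    char scratch[4096];
    bool heap;

    printf("original check misses overflow: %s\n",
           original_check_misses_overflow(v, value_len, sizeof scratch) ? "yes" : "no");

    char *out = copy_cookie_value_fixed(v, value_len, scratch, sizeof scratch, &heap);
    printf("hardened copy went to heap: %s\n", heap ? "yes" : "no");
    if (heap)
        free(out);
    free(v);
    return 0;
}
```

The model makes the discrepancy in the original visible: with the advisory's configuration preconditions (suhosin.multiheader=On, suhosin.cookie.encrypt=On, NUL protection off) a header value with an embedded NUL satisfies the strlen() bound while value_len exceeds the buffer; in the hardened form the decision to fall back to the heap is driven by value_len alone, so the embedded NUL no longer matters.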
Comment 1 Agostino Sarubbo gentoo-dev 2012-01-20 08:50:34 UTC
Gentoo compiles all sources by default with -D_FORTIFY_SOURCE=2 so, to be vulnerable to this issue, a user would probably have to specify -D_FORTIFY_SOURCE=0 in his make.conf.

This bug does not seem very valid on Gentoo.
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-25 20:30:55 UTC
@php-bugs:

If you have no time atm to make a new ebuild, I guess you can make a new revision with forced -D_FORTIFY_SOURCE and since the ebuild is the same you can mark it stable yourself.
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2012-01-26 08:14:26 UTC
dev-php/suhosin-0.9.33 should now be in CVS. Everything is ready for stabilisation on our end.

Cheers,
Ole Markus
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-01-27 06:00:50 UTC
(In reply to comment #3)
> dev-php/suhosin-0.9.33 should now be in CVS. Everything is ready for
> stabilisation on our end.
> 

Great, thank you.

Arches, please test and mark stable:
=dev-php/suhosin-0.9.33
Target keywords : "alpha amd64 arm hppa ia64 s390 sh sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-01-27 13:30:19 UTC
amd64 stable
Comment 6 Ole Markus With (RETIRED) gentoo-dev 2012-01-27 20:39:36 UTC
Suhosin-0.9.33 fails to compile with php[threads]. See bug 400889.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-29 10:40:14 UTC
Unless bug #400889 isn't a regression, I'm going to postpone x86 stabilization.

If bug #400889 isn't a regression, feel free to remove it from dependencies.
Comment 8 Ole Markus With (RETIRED) gentoo-dev 2012-02-12 19:16:56 UTC
Bug 400889 fixed, so you can start stabilisation again.

Cheers!
Ole Markus
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-15 15:59:41 UTC
Stable for HPPA.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-02-16 17:57:45 UTC
x86 stable
Comment 11 Markus Meier gentoo-dev 2012-02-16 19:41:25 UTC
arm stable
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2012-02-17 14:23:05 UTC
Stable on alpha.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-02-18 19:46:06 UTC
ia64/s390/sh/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-02-18 21:30:25 UTC
Thanks, everyone. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:19:45 UTC
CVE-2012-0807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0807):
  Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in
  the transparent cookie-encryption feature in the Suhosin extension before
  0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are
  enabled, might allow remote attackers to execute arbitrary code via a long
  string that is used in a Set-Cookie HTTP header.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:42:41 UTC
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).