PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability

2007-03-02 / 2007-03-03
Credit: Stefan Esser
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

A user supplied serialized string can trigger, on 64 bit systems, a tight endless loop inside zend_hash_init() that exhausts CPU resources.

Before PHP 4.3.11 was released it was discovered that the unserialize() function could be made to produce a tight endless loop inside zend_hash_init() through a negative array element count stored in the serialized string. This was fixed by raising an error when a negative integer value was found, before the value was passed to zend_hash_init(). When such a value reached that function, it resulted in a shift-left integer overflow in the table size rounding loop, which caused the endless loop.

A while later there were problems with unserialize() on 64 bit systems, which led to several variables being changed from the 'int' type to the 'long' type. Unfortunately zend_hash_init() still works with 'int's, so only the lower 32 bits of the number are passed from unserialize() to zend_hash_init(). The protection against negative element counts therefore no longer works: on a 64 bit system a value that becomes negative once narrowed to 32 bits can still be a positive signed 'long', so it passes the sign check and is then truncated into exactly the negative count the check was meant to reject.

Proof of concept, exploit or instructions to reproduce

To reproduce it, run the following PHP code on a 64 bit system:

<?php unserialize("a:2147483649:{"); ?>

Notes

PHP 4.4.5 and PHP 5.2.1 already contain fixes for this vulnerability. Keep in mind that the script will still be terminated once the maximum execution time is reached; this limits each request but does not prevent the attack. If that limit is, for example, 30 seconds and 10 requests that trigger the endless loop are sent, the result is 300 CPU seconds of busy looping, i.e. a single core at 100% load for 5 minutes.
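To make the narrowing bug concrete, here is an added C model written for this page; it is not PHP's source and not Stefan Esser's code. The function names (hash_init_table_bits, vulnerable_accepts, hardened_accepts, parse_array_count, poc_triggers_loop) are this editor's simplifications, the masked shift count stands in for the x86 behaviour that turns the undefined 32-bit shift into a wrap, the step budget turns "endless" into a testable return value, and the shape of the hardened check (reject anything outside 0..INT_MAX before narrowing) is an assumed fix, not a claim about what PHP 4.4.5 / 5.2.1 actually do. It goes one step past the advisory's single PoC value: any count whose low 32 bits exceed 2^31 (for example 6442450945, which is 0x180000001) also passes the sign check and spins, while 4294967296 narrows to 0 and does not.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the rounding loop shape the advisory describes: grow i until
 * (1 << i) >= nSize. The real engine shifts a 32-bit value; once i reaches
 * 32 the shift is undefined in C and wraps to 1 on x86, so the loop never
 * ends for any nSize above 0x80000000. The (i & 31) mask reproduces that
 * wrap without UB, and the budget converts "endless" into a -1 return. */
int hash_init_table_bits(uint32_t nSize, int budget) {
    int i = 3;
    while (((uint32_t)1 << (i & 31)) < nSize) {
        if (--budget < 0) return -1;      /* would spin forever */
        i++;
    }
    return i;
}

/* Pre-fix guard on a 64-bit build, as the advisory describes it: the count
 * is parsed into a 64-bit integer and only checked for sign. (long long is
 * used here so the model also behaves on LLP64 hosts; PHP used 'long'.) */
int vulnerable_accepts(long long elements) {
    if (elements < 0) return 0;           /* the original negative check */
    return 1;
}

/* What zend_hash_init() actually receives: only the low 32 bits. */
uint32_t truncate_to_hash_param(long long elements) {
    return (uint32_t)elements;
}

/* Assumed hardened guard: refuse anything that would not survive the
 * narrowing to a 32-bit int, i.e. anything outside [0, INT_MAX]. */
int hardened_accepts(long long elements) {
    return elements >= 0 && elements <= INT_MAX;
}

/* Pull the element count out of an "a:<n>:{" prefix, which is all the PoC
 * supplies. Returns 0 on syntax failure, 1 and *out on success. */
int parse_array_count(const char *s, long long *out) {
    if (s[0] != 'a' || s[1] != ':') return 0;
    char *end;
    long long n = strtoll(s + 2, &end, 10);
    if (end == s + 2 || end[0] != ':' || end[1] != '{') return 0;
    *out = n;
    return 1;
}

/* End to end: does this serialized prefix slip past the sign check and
 * still drive the table-size loop into the endless case? */
int poc_triggers_loop(const char *s) {
    long long n;
    if (!parse_array_count(s, &n) || !vulnerable_accepts(n)) return 0;
    return hash_init_table_bits(truncate_to_hash_param(n), 64) < 0;
}

int main(void) {
    const char *poc = "a:2147483649:{";   /* the advisory's PoC string */
    long long n;
    if (!parse_array_count(poc, &n)) return 1;
    printf("count=%lld sign-check=%d hardened-check=%d\n",
           n, vulnerable_accepts(n), hardened_accepts(n));
    uint32_t seen = truncate_to_hash_param(n);
    printf("zend_hash_init sees 0x%08x, loop result=%d\n",
           seen, hash_init_table_bits(seen, 64));
    return 0;
}
```

The point to take away is the ordering: a range check performed on the wide type proves nothing about the narrow type the callee uses, so the check must be expressed in terms of the callee's type (or the narrowing must be made explicit and checked for loss) before the conversion happens.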


Copyright 2020, cxsecurity.com