Edit report at http://bugs.php.net/bug.php?id=42631&edit=1

 ID:                 42631
 Updated by:         fel...@php.net
 Reported by:        gabe at mudbugmedia dot com
 Summary:            mssql_connect causes stack smashing attack
                     protection
-Status:             Open
+Status:             Feedback
 Type:               Bug
 Package:            MSSQL related
 Operating System:   Gentoo Linux 2.6.17-hardened-r1
 PHP Version:        5.2.4
 Block user comment: N

 New Comment:

Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/




Previous Comments:
------------------------------------------------------------------------
[2007-09-12 14:30:53] gabe at mudbugmedia dot com

Same behavior occurs on the supplied dev link downloaded on 2007-09-12.

configure settings for compile:

'./configure' '--prefix=/usr/lib/php5' '--host=i686-pc-linux-gnu' '--mandir=/usr/lib/php5/man' '--infodir=/usr/lib/php5/info'
'--sysconfdir=/etc' '--cache-file=./config.cache' '--disable-cli' '--with-apxs2=/usr/sbin/apxs2'
'--with-config-file-path=/etc/php/apache2-php5' '--with-config-file-scan-dir=/etc/php/apache2-php5/ext-active'
'--without-pear' '--disable-bcmath' '--with-bz2' '--disable-calendar' '--with-curl' '--without-curlwrappers'
'--disable-dbase' '--disable-exif' '--without-fbsql' '--without-fdftk' '--disable-filter' '--disable-ftp'
'--with-gettext' '--without-gmp' '--disable-hash' '--without-iconv' '--disable-ipv6' '--disable-json'
'--without-kerberos' '--enable-mbstring' '--with-mcrypt' '--without-mhash' '--without-msql' '--with-mssql'
'--without-ncurses' '--with-openssl' '--with-openssl-dir=/usr' '--disable-pcntl' '--disable-pdo'
'--without-pgsql' '--without-pspell' '--without-recode' '--disable-reflection' '--disable-simplexml'
'--disable-shmop' '--without-snmp' '--disable-soap' '--disable-sockets' '--disable-spl' '--without-sybase'
'--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy'
'--disable-tokenizer' '--disable-wddx' '--disable-xmlreader' '--disable-xmlwriter' '--without-xmlrpc'
'--without-xsl' '--disable-zip' '--with-zlib' '--disable-debug' '--without-cdb' '--without-db4'
'--without-flatfile' '--without-gdbm' '--without-inifile' '--without-qdbm' '--without-freetype-dir'
'--without-t1lib' '--disable-gd-jis-conv' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--without-xpm-dir'
'--with-gd' '--with-mysql=/usr' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mysqli'
'--with-readline' '--without-libedit' '--without-mm' '--without-sqlite' '--with-pic'

------------------------------------------------------------------------
[2007-09-12 11:40:06] j...@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi



------------------------------------------------------------------------
[2007-09-11 20:31:51] gabe at mudbugmedia dot com

Description:
------------
When executing a PHP script over the Apache 2.2 SAPI (not CGI), mssql_connect() causes Apache to exit with the following in the syslog:

apache2: stack smashing attack in function tds_write_packet - terminated

This occurs only after successfully connecting to a valid MSSQL server, but before authentication information is verified; supplying an invalid username/password will still cause the error to trigger. However, entering a non-listening IP to connect to will return false and continue execution.

Gentoo developers identified this bug as PHP instead of Apache, as Apache is not responsible for the calling of the tds_write_packet() function.

Bug originally submitted here, but was reclassified as being UPSTREAM:

http://bugs.gentoo.org/show_bug.cgi?id=191988

An strace of the process (capture started after the initial connect; `netstat -p` after connection was the only way I could determine which apache process to strace):

Process 11348 attached - interrupt to quit
poll([{fd=1027, events=POLLIN, revents=POLLIN}], 1, 300000) = 1
read(1027, "Host: kokiri.org\r\n", 8000) = 18
poll([{fd=1027, events=POLLIN, revents=POLLIN}], 1, 300000) = 1
read(1027, "\r\n", 8000)                = 2
gettimeofday({1189537767, 899761}, NULL) = 0
gettimeofday({1189537767, 899905}, NULL) = 0
stat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
open("/www/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/www/kokiri.org/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/www/kokiri.org/htdocs/.htaccess", O_RDONLY|O_LARGEFILE) = 1028
fstat64(1028, {st_mode=S_IFREG|0664, st_size=79, ...}) = 0
read(1028, "RewriteEngine on\n\nRewriteRule ro"..., 4096) = 79
read(1028, "", 4096)                    = 0
close(1028)                             = 0
open("/www/kokiri.org/htdocs/findwork.php/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOTDIR (Not a directory)
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
getcwd("/", 4095)                       = 2
chdir("/www/kokiri.org/htdocs")         = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={30, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
stat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
open("/www/kokiri.org/htdocs/findwork.php", O_RDONLY) = 1028
fstat64(1028, {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
read(1028, "START!\r\n<?php \r\nob_flush();\r\nflu"..., 8192) = 175
read(1028, "", 8192)                    = 0
read(1028, "", 8192)                    = 0
close(1028)                             = 0
writev(1027, [{"HTTP/1.1 200 OK\r\nDate: Tue, 11 S"..., 125}, {"8\r\n", 3}, {"START!\r\n", 8}, {"\r\n", 2}], 4) = 138
brk(0x9fa8000)                          = 0x9fa8000
uname({sys="Linux", node="garlic", ...}) = 0
getuid32()                              = 81
open("/etc/passwd", O_RDONLY)           = 1028
fcntl64(1028, F_GETFD)                  = 0
fcntl64(1028, F_SETFD, FD_CLOEXEC)      = 0
_llseek(1028, 0, [0], SEEK_CUR)         = 0
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3040, ...}) = 0
mmap2(NULL, 3040, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc52000
_llseek(1028, 3040, [3040], SEEK_SET)   = 0
munmap(0x4fc52000, 3040)                = 0
close(1028)                             = 0
open("/var/www/.freetds.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/freetds.conf", O_RDONLY|O_LARGEFILE) = 1028
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3572, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4fc52000
read(1028, "#\n#\n#   $Id: freetds.conf,v 1.11"..., 4096) = 3572
read(1028, "", 4096)                    = 0
_llseek(1028, 0, [0], SEEK_SET)         = 0
read(1028, "#\n#\n#   $Id: freetds.conf,v 1.11"..., 4096) = 3572
read(1028, "", 4096)                    = 0
close(1028)                             = 0
munmap(0x4fc52000, 4096)                = 0
getuid32()                              = 81
open("/etc/passwd", O_RDONLY)           = 1028
fcntl64(1028, F_GETFD)                  = 0
fcntl64(1028, F_SETFD, FD_CLOEXEC)      = 0
_llseek(1028, 0, [0], SEEK_CUR)         = 0
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3040, ...}) = 0
mmap2(NULL, 3040, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc52000
_llseek(1028, 3040, [3040], SEEK_SET)   = 0
munmap(0x4fc52000, 3040)                = 0
close(1028)                             = 0
open("/var/www/.interfaces", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/freetds/interfaces", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 1028
fstat64(1028, {st_mode=S_IFREG|0644, st_size=25460, ...}) = 0
mmap2(NULL, 25460, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc4c000
close(1028)                             = 0
futex(0x50be4a4c, FUTEX_WAKE, 2147483647) = 0
open("/usr/lib/gconv/ISO8859-1.so", O_RDONLY) = 1028
read(1028, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\4\0"..., 512) = 512
fstat64(1028, {st_mode=S_IFREG|0755, st_size=9704, ...}) = 0
mmap2(NULL, 12300, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 1028, 0) = 0x4fc48000
mmap2(0x4fc4a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 1028, 0x1) = 0x4fc4a000
close(1028)                             = 0
mprotect(0x4fc4a000, 4096, PROT_READ)   = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 1028
setsockopt(1028, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(1028, SOL_TCP, TCP_NODELAY, [1], 4) = 0
time(NULL)                              = 1189537767
ioctl(1028, FIONBIO, [1])               = 0
connect(1028, {sa_family=AF_INET, sin_port=htons(1433), sin_addr=inet_addr("70.252.177.xxx")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(1029, NULL, [1024 1025 1026 1028], [1024 1025 1026 1028], {5, 0}) = 2 (left {5, 0})
time(NULL)                              = 1189537767
getsockopt(1028, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
time(NULL)                              = 1189537767
select(1029, NULL, [1028], NULL, {5, 0}) = 1 (out [1028], left {4, 820000})
time(NULL)                              = 1189537768
send(1028, "\2\0\2\0\0\0\0\0garlic\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 512, MSG_NOSIGNAL|MSG_MORE) = 512
socket(PF_FILE, SOCK_DGRAM, 0)          = 1029
connect(1029, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(1029)                             = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 1029
connect(1029, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
write(2, "*** stack smashing detected ***:"..., 54) = 54
write(1029, "*** stack smashing detected ***:"..., 54) = 54
write(2, "apache2: stack smashing attack i"..., 73) = 73
write(1029, "apache2: stack smashing attack i"..., 73) = 73
write(2, "Report to http://bugs.gentoo.org"..., 35) = 35
write(1029, "Report to http://bugs.gentoo.org"..., 35) = 35
close(1029)                             = 0
getpid()                                = 11348
kill(11348, SIGKILL)                    = 0
+++ killed by SIGKILL +++
Process 11348 detached

Reproduce code:
---------------
START!
<?php
ob_flush();
flush();
var_dump(mssql_connect('70.252.177.xxx', 'username', 'password'));
?>
DONE!

Expected result:
----------------
START!
resource(4) of type (mssql link)
DONE!

Actual result:
--------------
START!
(then Apache exits and the error is logged to syslog)
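A "stack smashing detected" abort is the compiler's stack protector (the Gentoo hardened toolchain builds with it) catching a write past the end of a stack buffer inside the named function, here FreeTDS's tds_write_packet, just as the 512-byte TDS login packet is being sent. The following is an added example, not code from FreeTDS or PHP, showing the bounds discipline a fixed-size packet writer needs so that an oversized payload is refused before any byte is copied, together with a parser for the 8-byte TDS packet header visible at the start of the send() in the trace. The header layout (type, status, big-endian length, spid, packet id, window) is standard TDS framing; the fixed 512-byte buffer and the sample bytes are assumptions taken from the trace, and the function names are the example's own.

```c
/* Added example, not FreeTDS code: bounded TDS-style packet building and
 * header parsing. The 512-byte buffer size is assumed from the 512-byte
 * send() in the strace; the header layout is standard TDS framing. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TDS_HDR_LEN 8
#define TDS_BUF_LEN 512   /* assumed fixed packet buffer, as in the trace */
#define TDS_LOGIN   0x02  /* packet type 2 = TDS 4.2 login, per the send() bytes */

struct tds_header {
    uint8_t  type;
    uint8_t  status;
    uint16_t length;      /* total packet length, header included, big-endian on the wire */
    uint16_t spid;
    uint8_t  packet_id;
    uint8_t  window;
};

/* Parse a header out of a received or captured buffer. Returns 0 on success,
 * -1 if the buffer is shorter than a header or the length field claims more
 * bytes than were actually received (a value a reader must never trust). */
int tds_parse_header(const uint8_t *buf, size_t buf_len, struct tds_header *h)
{
    if (buf == NULL || h == NULL || buf_len < TDS_HDR_LEN)
        return -1;
    h->type      = buf[0];
    h->status    = buf[1];
    h->length    = (uint16_t)((buf[2] << 8) | buf[3]);
    h->spid      = (uint16_t)((buf[4] << 8) | buf[5]);
    h->packet_id = buf[6];
    h->window    = buf[7];
    if (h->length < TDS_HDR_LEN || h->length > buf_len)
        return -1;
    return 0;
}

/* Write header + payload into a fixed-size buffer. Returns the total bytes
 * written, or -1 if the packet would overrun the buffer or the 16-bit length
 * field. The check runs before any byte is copied, so nothing can land past
 * out[out_len - 1], which is exactly the write a stack canary would catch. */
int tds_build_packet(uint8_t *out, size_t out_len, uint8_t type,
                     const uint8_t *payload, size_t payload_len)
{
    size_t total;

    if (out == NULL || (payload == NULL && payload_len > 0))
        return -1;
    if (payload_len > SIZE_MAX - TDS_HDR_LEN)   /* the sum itself would overflow */
        return -1;
    total = TDS_HDR_LEN + payload_len;
    if (total > out_len || total > UINT16_MAX)  /* must fit buffer and length field */
        return -1;

    out[0] = type;
    out[1] = 0x00;                    /* status 0: more packets follow (MSG_MORE in the trace) */
    out[2] = (uint8_t)(total >> 8);   /* length, big-endian */
    out[3] = (uint8_t)(total & 0xff);
    out[4] = 0; out[5] = 0;           /* spid */
    out[6] = 0;                       /* packet id */
    out[7] = 0;                       /* window */
    memcpy(out + TDS_HDR_LEN, payload, payload_len);
    return (int)total;
}

/* Build a packet shaped like the login packet in the trace: 512 bytes, type 2,
 * payload beginning with the client hostname ("garlic" there) and zero-padded.
 * A hostname that does not fit is rejected rather than silently truncated. */
int tds_build_login_like(uint8_t *out, size_t out_len, const char *hostname)
{
    uint8_t payload[TDS_BUF_LEN - TDS_HDR_LEN];
    size_t n = strlen(hostname);

    memset(payload, 0, sizeof payload);
    if (n > sizeof payload)
        return -1;
    memcpy(payload, hostname, n);
    return tds_build_packet(out, out_len, TDS_LOGIN, payload, sizeof payload);
}
```

Fed the first bytes of the captured send(), tds_parse_header reports type 2 and length 512, matching the 512-byte write in the trace; tds_build_login_like reproduces those leading bytes, and both the builder and the parser return -1 instead of touching memory outside the buffer they were given.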


------------------------------------------------------------------------


