exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow

Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow
Posted Jan 19, 2012
Authored by Stefan Esser

A possible stack buffer overflow in Suhosin extension's transparent cookie encryption that can only be triggered in an uncommon and weakened Suhosin configuration can lead to arbitrary remote code execution, if the FORTIFY_SOURCE compile option was not used when Suhosin was compiled. Versions and below are affected.

tags | exploit, remote, overflow, arbitrary, code execution
SHA-256 | 7b76245682b97cb024e98bdc990fce1fd1209c0093a98ed46429a4d2ea80c3ec

Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow

Change Mirror Download

Hash: SHA1

SektionEins GmbH

-= Security Advisory =-

Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: Suhosin Extension <=
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
in an uncommon and weakened Suhosin configuration can lead
to arbitrary remote code execution, if the FORTIFY_SOURCE
compile option was not used when Suhosin was compiled.
Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
Reference: http://www.suhosin.org/


Quote from http://www.suhosin.org
"Suhosin is an advanced protection system for PHP installations.
It was designed to protect servers and users from known and
unknown flaws in PHP applications and the PHP core. Suhosin comes
in two independent parts, that can be used separately or in
combination. The first part is a small patch against the PHP
core, that implements a few low-level protections against
buffer overflows or format string vulnerabilities and the second
part is a powerful PHP extension that implements all the other

During an internal audit of the Suhosin PHP extension, which is
often confused with the Suhosin PHP Patch, although they are not
the same, a possible stack based buffer overflow inside the
transparent cookie encryption feature was discovered.

If successfully exploited this vulnerability can lead to arbitrary
remote code execution. However further investigation into the
vulnerability revealed that it can only be triggered if the admin
has not only activated transparent cookie encryption, but also
explicitly disabled several other security features of Suhosin.
In addition to that remote exploitation requires a PHP application
that puts unfiltered user input into a call to the header()
function that sends a Set-Cookie header.

Furthermore most modern unix systems compile the Suhosin extension
with the FORTIFY_SOURCE flag, which will detect the possible buffer
overflow and abort execution before something bad can happen.


The transparent cookie encryption of Suhosin is disabled by default
because it stops applications using JavaScript to access cookies,
which would break these applications. In order to activate it an
admin has to enable this feature in the configuration file:

suhosin.cookie.encrypt = On

Once activated all incoming cookies will be decrypted and all
outgoing Set-Cookie HTTP headers will be rewritten to only contain
encrypted data. When this happens the following code of Suhosin
extension will be triggered.

char *suhosin_encrypt_single_cookie(char *name, int name_len, char
*value, int value_len, char *key TSRMLS_DC)
char buffer[4096];
char buffer2[4096];
char *buf = buffer, *buf2 = buffer2, *d, *d_url;
int l;

if (name_len > sizeof(buffer)-2) {
buf = estrndup(name, name_len);
} else {
memcpy(buf, name, name_len);
buf[name_len] = 0;


if (strlen(value) <= sizeof(buffer2)-2) {
memcpy(buf2, value, value_len);
buf2[value_len] = 0;
} else {
buf2 = estrndup(value, value_len);

The problem with this code is that the second call to mempcy()
uses strlen() to check if there is enough buffer space but
uses the variable value_len to determine the amount of bytes
to copy. The problem is that there could be a NUL byte inside
the value of the cookie, which will result in a stack based
buffer overflow. While the same code can also be found inside
the suhosin_decrypt_single_cookie() function the problem cannot
be exploited, because in that case there cannot be a NUL byte.

To understand the limited impact of this vulnerability it is
important to know that NUL bytes are not allowed inside HTTP
headers in a default Suhosin installation. In order to be
vulnerable it is therefore required that the admin explicitly
weakened security by disabling the HTTP response splitting
protection of Suhosin by using the following configuration:


The next thing to know is that PHP applications normally use
the functions setcookie() and setrawcookie() to set cookies.
Both functions are however not affected by the problem
because both functions will eliminate a possible NUL byte
when constructing the Set-Cookie header. Therefore the only
way to trigger this vulnerability is to call the header() function
directly with a "Set-Cookie" header and put unfiltered user
input into the cookie value. This is very uncommon in normal
PHP applications.

In addition to that the default configuration of Suhosin will not
allow NUL bytes in user input. Therefore in order to trigger the
vulnerability remotely the user input must have been double
decoded or the admin must have weakened the installation once
again by disabling the protection against NUL bytes. This can be
done by changing the configuration to.


Finally even if the vulnerability is triggerable from remote it
depends on the compilation of the Suhosin extension if the bug
can be abused. Most modern unix systems will compile the Suhosin
extension with the FORTIFY_SOURCE compile option, which will
detect the buffer overflow before it actually happens and abort

If either suhosin.multiheader or suhosin.cookie.encrypt are set
to "off" in your configuration than you are safe from remote
attacks. In addition to that the default configuration of
suhosin.perdir disallows to set these variables from .htaccess
which also provides some protection against local attackers.

Proof of Concept:

Locally the problem can be reproduced by the following PHP code:

<?php header("Set-Cookie: x=xxx".chr(0).str_repeat("A",10000));

If this piece of code does not affect your PHP process at all then
your current configuration is safe. Otherwise it depends if the
Suhosin extension was compiles with the FORTIFY_SOURCE option.

Disclosure Timeline:

12. January 2012 - Vulnerability was found during an internal audit
14. January 2012 - Vulnerability was fixed in the source code
19. January 2012 - Public Disclosure


It is recommended to upgrade to the latest version of Suhosin
extension, which can be downloaded at:


The latest development version of the Suhosin extension can always
be found at:


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability.


pub 1024D/15ABDA78 2004-10-17 Stefan Esser
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

Copyright 2012 SektionEins GmbH. All rights reserved.
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By