Re: Vulnerability in PHP ?!?

From: Mihai (Cop) Moldovanu (mihaimat_private)
Date: Mon May 13 2002 - 18:00:28 PDT


    Erik Parker said:
    >
    > If you read any of the past archives for Bugtraq, Vuln-dev, Php-dev, or
    > php-cvs, or search on Security focus's very efficient search engine,
    > you'd be able to find them.
    
    He was asking about 4.1.2, which can be crashed remotely.
    I will put the details at the end of this message.
    
    > B> I stumbled on some exploit code from TESO that is available at
    > B> packetstorm (http://packetstormsecurity.nl/filedesc/7350fun.html).
    > The B> code exists as a binary that is supposed to exploit
    > B> mod_php 4.0.x and crash at least 4.1.2
    > B>
    > B> I am curious what hole is being exploited. I can't remember a buffer
    > B> overflow vulnerability being reported for mod_php 4.1.2
    > B> Anyone with ideas ?
    > B>
    
    Details about the php 4.2.0 upload bug.
    
    A special buffer passed to php by using the old POST upload trick
    will segfault php in php_mime_get_hdr_value.
    
    #0  0x40313520 in php_mime_get_hdr_value (header=
      {head = 0x0, tail = 0x0, size = 8, count = 0, dtor = 0x403132bc
    <php_free_hdr_entry>, persistent = 0 '\000', traverse_ptr = 0x0},
      key=0x403bb6bb "Content-Disposition") at rfc1867.c:375
    #1  0x40313c95 in rfc1867_post_handler (
      content_type_dup=0x818d474 "multipart/form-data; boundary=", '-'
      <repeats 27times>, "299908810612827886801697150081", arg=0x818e80c, tsrm_l
      at rfc1867.c:649
    #2  0x40311b43 in sapi_handle_post (arg=0x818e80c, tsrm_ls=0x8116230)
      at SAPI.c:110
    #3  0x40315a07 in php_treat_data (arg=0, str=0x0, destArray=0x0,
      tsrm_ls=0x8116230) at php_variables.c:251
    
    0x4031350f <php_mime_get_hdr_value+51>: call   0x402dc054 <_init+11560>
    0x40313514 <php_mime_get_hdr_value+56>: mov    %eax,%esi
    0x40313516 <php_mime_get_hdr_value+58>: add    $0x10,%esp
    0x40313519 <php_mime_get_hdr_value+61>: lea    0x0(%esi),%esi
    0x4031351c <php_mime_get_hdr_value+64>: sub    $0x8,%esp
    0x4031351f <php_mime_get_hdr_value+67>: push   %edi
    // This is the line with the problem
    0x40313520 <php_mime_get_hdr_value+68>: pushl  (%esi)
    
    In the infamous rfc1867.c at line 365
    
            if (!strcasecmp(entry->key, key)) {
    
    entry becomes NULL when calling strcasecmp, and that's why
    it will segfault.
    
    This will give us a pretty easy fix for this problem:
    
            do {
    +               if ( entry != NULL )
                    if (!strcasecmp(entry->key, key)) {
                            return entry->value;
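    Review bot: the unbraced `if ( entry != NULL )` guards only the inner `if`, and because the loop is a `do { ... }` its body still runs before anything has checked the list, which in the backtrace above is empty (head = 0x0, count = 0). A `while (entry)` loop over the list entries expresses the intended fix without the nested if and never reaches the strcasecmp with a NULL entry; if the guard is kept as written, give it braces so its scope is unambiguous.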
    
    php 4.2.1 fixes this problem.
    
    --
    SysAdmin of ProTV & ProFM, Member of TFM Group linux division.
    Mihai Moldovanu
    http://www.tfm.ro/
    http://portal.tfm.ro/
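As an added illustration (not code from the post or from PHP), here is a small C model of the lookup the message describes: a parser that builds one multipart part's header list from its header block, and a lookup in the role of php_mime_get_hdr_value() that tests each entry before dereferencing it, so a part whose header block is only the blank line yields an empty list and a NULL result instead of a fault. The struct and function names (hdr_entry, hdr_list, parse_part_headers, get_hdr_value) are constructed stand-ins for PHP's zend_llist code, and the header blocks used in testing are constructed input.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* One part's header list (constructed stand-in for PHP's zend_llist). */
typedef struct hdr_entry { char *key, *value; struct hdr_entry *next; } hdr_entry;
typedef struct { hdr_entry *head; size_t count; } hdr_list;

static char *dup_range(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Parse "Key: value" lines of a part header block up to the blank line. A block
 * that is only the blank line yields head == NULL, count == 0, as in frame #0. */
void parse_part_headers(hdr_list *list, const char *block)
{
    hdr_entry **tail = &list->head;
    list->head = NULL;
    list->count = 0;
    while (*block && *block != '\r' && *block != '\n') {
        const char *eol = strpbrk(block, "\r\n");
        size_t len = eol ? (size_t)(eol - block) : strlen(block);
        const char *colon = memchr(block, ':', len);
        if (colon) {                          /* lines without ':' are skipped */
            const char *v = colon + 1;
            while (v < block + len && *v == ' ') v++;
            hdr_entry *e = calloc(1, sizeof *e);
            if (!e) return;
            e->key = dup_range(block, (size_t)(colon - block));
            e->value = dup_range(v, (size_t)(block + len - v));
            *tail = e; tail = &e->next; list->count++;
        }
        block += len;
        if (*block == '\r') block++;          /* consume one line terminator */
        if (*block == '\n') block++;
    }
}

/* NULL-safe lookup in the role of php_mime_get_hdr_value(): the entry is tested
 * before it is dereferenced, so an empty list returns NULL instead of faulting. */
const char *get_hdr_value(const hdr_list *list, const char *key)
{
    for (const hdr_entry *e = list->head; e != NULL; e = e->next)
        if (e->key && strcasecmp(e->key, key) == 0)
            return e->value;
    return NULL;
}
```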
    
    This archive was generated by hypermail 2b30 : Mon May 13 2002 - 20:35:19 PDT