Erik Parker said:
> > If you read any of the past archives for Bugtraq, Vuln-dev, Php-dev, or
> > php-cvs, or search on SecurityFocus's very efficient search engine,
> > you'd be able to find them.

He was asking about 4.1.2, which can be crashed remotely. I will put the
details at the end of this message.

> B> I stumbled on some exploit code from TESO that is available at
> B> packetstorm (http://packetstormsecurity.nl/filedesc/7350fun.html). The
> B> code exists as a binary that is supposed to exploit
> B> mod_php 4.0.x and crash at least 4.1.2
> B>
> B> I am curious what hole is being exploited. I can't remember a buffer
> B> overflow vulnerability being reported for mod_php 4.1.2
> B> Anyone with ideas ?
> B>

Details about the php 4.2.0 upload bug.

A special buffer passed to php by using the old POST upload trick will
segfault php in php_mime_get_hdr_value.

    #0  0x40313520 in php_mime_get_hdr_value (header=
          {head = 0x0, tail = 0x0, size = 8, count = 0,
           dtor = 0x403132bc <php_free_hdr_entry>, persistent = 0 '\000',
           traverse_ptr = 0x0}, key=0x403bb6bb "Content-Disposition")
        at rfc1867.c:375
    #1  0x40313c95 in rfc1867_post_handler (
          content_type_dup=0x818d474 "multipart/form-data; boundary=",
          '-' <repeats 27 times>, "299908810612827886801697150081",
          arg=0x818e80c, tsrm_l
        at rfc1867.c:649
    #2  0x40311b43 in sapi_handle_post (arg=0x818e80c, tsrm_ls=0x8116230)
        at SAPI.c:110
    #3  0x40315a07 in php_treat_data (arg=0, str=0x0, destArray=0x0,
          tsrm_ls=0x8116230) at php_variables.c:251

    0x4031350f <php_mime_get_hdr_value+51>:  call   0x402dc054 <_init+11560>
    0x40313514 <php_mime_get_hdr_value+56>:  mov    %eax,%esi
    0x40313516 <php_mime_get_hdr_value+58>:  add    $0x10,%esp
    0x40313519 <php_mime_get_hdr_value+61>:  lea    0x0(%esi),%esi
    0x4031351c <php_mime_get_hdr_value+64>:  sub    $0x8,%esp
    0x4031351f <php_mime_get_hdr_value+67>:  push   %edi
    // This is the line with the problem
    0x40313520 <php_mime_get_hdr_value+68>:  pushl  (%esi)

In the infamous rfc1867.c at line 365

    if (!strcasecmp(entry->key, key)) {

entry becomes NULL when calling strcasecmp, and that's why it will
segfault. This will give us a pretty and easy fix of this problem:

    do {
    +   if ( entry != NULL )
            if (!strcasecmp(entry->key, key)) {
                return entry->value;

php 4.2.1 fixes this problem.

--
SysAdmin of ProTV & ProFM, Member of TFM Group linux division.
Mihai Moldovanu
http://www.tfm.ro/
http://portal.tfm.ro/
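Review bot: the added `if ( entry != NULL )` guards only the `strcasecmp` dereference, but the backtrace shows why entry is NULL in the first place: the header list is empty (`head = 0x0, tail = 0x0, ... count = 0`), so the `do { ... }` body runs once with no first element at all. The rest of the loop body and its `while` condition, which are not shown here, still see the same NULL pointer. The more direct fix is to not enter the body when the list is empty, for instance a `while (entry)` loop instead of `do { ... }`, and if the one-line guard is kept it should get braces so that the scope of the unbraced nested `if` is explicit.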
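The crash mechanism described above (a do/while lookup over an empty header list dereferencing a NULL entry) and its guarded form, as an added example that is not code from the message or from PHP: the `hdr_entry`/`hdr_list` types, the two lookup functions and the sample headers are constructed stand-ins, not zend_llist or rfc1867.c.

```c
#include <string.h>
#include <strings.h>
/* Stand-in for the header list in the backtrace (head/count); PHP's real
 * type is zend_llist, which this constructed example does not use. */
typedef struct hdr_entry {
    const char *key, *value;
    struct hdr_entry *next;
} hdr_entry;
typedef struct { hdr_entry *head; int count; } hdr_list; /* head NULL if empty */

/* Shape of the pre-fix lookup: the do/while body dereferences entry before
 * anything has checked that the list has a first element. */
const char *get_hdr_value_unsafe(hdr_list *header, const char *key)
{
    hdr_entry *entry = header->head;
    do {
        if (!strcasecmp(entry->key, key)) /* entry == NULL on an empty list */
            return entry->value;
        entry = entry->next;
    } while (entry != NULL);
    return NULL;
}

/* Hardened lookup: test entry before every dereference. That is what the
 * one-line "if (entry != NULL)" guard in the message does; a while loop
 * makes the same guard structural. */
const char *get_hdr_value_safe(hdr_list *header, const char *key)
{
    hdr_entry *entry = header->head;
    while (entry != NULL) {
        if (!strcasecmp(entry->key, key))
            return entry->value;
        entry = entry->next;
    }
    return NULL;
}

/* Constructed inputs: the empty list from the crash dump, and a normal part. */
hdr_list *empty_headers(void)
{
    static hdr_list l = { NULL, 0 };
    return &l;
}
hdr_list *sample_headers(void)
{
    static hdr_entry ct = { "Content-Type", "text/plain", NULL };
    static hdr_entry cd = { "Content-Disposition",
                            "form-data; name=\"userfile\"; filename=\"x.txt\"", &ct };
    static hdr_list l = { &cd, 2 };
    return &l;
}
```

Calling `get_hdr_value_unsafe(empty_headers(), ...)` reproduces the NULL dereference; the safe version returns NULL for the same input.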
This archive was generated by hypermail 2b30 : Mon May 13 2002 - 20:35:19 PDT