Re: php unserialize
From: Stefan Esser <sesser () php net>
Date: Thu, 16 Dec 2004 00:32:20 +0100
you were already told in November that the bugs you reported were known
and fixed over 3 months ago in the PHP-CVS.

From your advisory it is obvious that you have not analysed the
vulnerability you describe at all:

> 1) Memory Corruption / buffer overflow
> Insufficient input validation of serialized strings leads to memory corruption and information disclosure.
> EXAMPLE script - "Segfault":
> $s = 's:9999999:"A";"';
> $a = unserialize($s);

This example clearly shows that you have no clue about what is going on.
The bug in the unserializer is that it tries to copy the next 9999999
bytes (starting with the 'A') into a properly allocated memory block.
Unfortunately this will crash because it will try to read unpaged
memory areas. There is no buffer overflow and no memory corruption in

> leads to arbitrary code execution and file/information disclosure.

How does reading unpaged memory lead to arbitrary code execution?

> FOR SOME STRANGE REASONS HARDENED-PHP.NET HAS RELEASED THIS ADVISORY TODAY TOGETHER WITH A BUNCH OF OTHER

Hardened-PHP has released an advisory about bugs in unserialize(). But
the reported vulnerabilities are totally different from the stuff "you
The Hardened-PHP advisory does NOT cover the unserialize()
vulnerabilities fixed about 3 months ago by Marcus Boerger, because they
were NOT found by me.
And yeah some of the bugs Marcus fixed can lead to arbitrary code
execution. (But the exploit will be a lot more unstable than an exploit
for my buf )
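The point Stefan makes is that the unserializer copied the declared string length without first checking that many bytes were actually present in the input. The following is an added example, not code from this thread or from PHP: a minimal C parser for the s:<len>:"<data>"; token that performs that bounds check up front, so the s:9999999:"A";" input from the advisory is rejected instead of read out of bounds. The function names parse_serialized_string and parse_and_check and the test inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parse one PHP-serialized string token, s:<len>:"<data>";, from the first
 * buf_len bytes of buf. Returns the number of input bytes consumed, or 0 if
 * the token is malformed or its declared length does not fit in the input.
 * The declared length is validated against the bytes that actually remain
 * before any data is copied, so the thread's s:9999999:"A";" is rejected
 * instead of being read past the end of the buffer. */
size_t parse_serialized_string(const char *buf, size_t buf_len,
                               char *out, size_t out_cap, size_t *out_len)
{
    const char *p = buf, *end = buf + buf_len;
    size_t declared = 0, remaining;

    if (end - p < 2 || p[0] != 's' || p[1] != ':') return 0;
    p += 2;
    if (p >= end || *p < '0' || *p > '9') return 0;   /* need at least one digit */
    while (p < end && *p >= '0' && *p <= '9') {
        if (declared > (SIZE_MAX - 9) / 10) return 0; /* decimal overflow guard */
        declared = declared * 10 + (size_t)(*p++ - '0');
    }
    if (p >= end || *p++ != ':') return 0;
    if (p >= end || *p++ != '"') return 0;

    /* Bounds check: <len> data bytes plus the closing '";' must be present. */
    remaining = (size_t)(end - p);
    if (declared > remaining || remaining - declared < 2) return 0;
    if (p[declared] != '"' || p[declared + 1] != ';') return 0;
    if (declared > out_cap) return 0;                 /* caller's buffer too small */
    memcpy(out, p, declared);
    *out_len = declared;
    return (size_t)(p + declared + 2 - buf);
}

/* Helper for NUL-terminated tokens: returns the bytes consumed when the token
 * parses and its data equals expect, and 0 when it is rejected or differs. */
size_t parse_and_check(const char *token, const char *expect)
{
    char out[64];
    size_t n = 0, used;
    used = parse_serialized_string(token, strlen(token), out, sizeof out, &n);
    if (used == 0 || n != strlen(expect) || memcmp(out, expect, n) != 0) return 0;
    return used;
}
```

Note that a quote inside the data (s:3:"a"b";) is handled correctly, because the format is length-prefixed and the closing '";' is located by the validated length, not by scanning for a quote.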