Vulnerability Development mailing list archives

Re: Vulnerability in PHP ?!?


From: "Mihai (Cop) Moldovanu" <mihaim () tfm ro>
Date: Tue, 14 May 2002 04:00:28 +0300 (EEST)

Erik Parker said:

If you read any of the past archives for Bugtraq, Vuln-dev, Php-dev, or
php-cvs, or search on Security focus's very efficient search engine,
you'd be able to find them.

He was asking about 4.1.2 which can be crashed remotely.
I will put the details at the end of this message.

B> I stumbled on some exploit code from TESO that is available at
B> packetstorm (http://packetstormsecurity.nl/filedesc/7350fun.html).
B> The code exists as a binary that is supposed to exploit
B> mod_php 4.0.x and crash at least 4.1.2
B>
B> I am curious what hole is being exploited. I can't remember a buffer
B> overflow vulnerability being reported for mod_php 4.1.2
B> Anyone with ideas ?
B>

Details about php 4.2.0 upload bug.

A special buffer passed to php by using the old POST upload trick
will segfault php in php_mime_get_hdr_value.

#0  0x40313520 in php_mime_get_hdr_value (header=
  {head = 0x0, tail = 0x0, size = 8, count = 0, dtor = 0x403132bc
<php_free_hdr_entry>, persistent = 0 '\000', traverse_ptr = 0x0},
  key=0x403bb6bb "Content-Disposition") at rfc1867.c:375
#1  0x40313c95 in rfc1867_post_handler (
  content_type_dup=0x818d474 "multipart/form-data; boundary=", '-'
  <repeats 27 times>, "299908810612827886801697150081", arg=0x818e80c, tsrm_l
  at rfc1867.c:649
#2  0x40311b43 in sapi_handle_post (arg=0x818e80c, tsrm_ls=0x8116230)
  at SAPI.c:110
#3  0x40315a07 in php_treat_data (arg=0, str=0x0, destArray=0x0,
  tsrm_ls=0x8116230) at php_variables.c:251

0x4031350f <php_mime_get_hdr_value+51>: call   0x402dc054 <_init+11560>
0x40313514 <php_mime_get_hdr_value+56>: mov    %eax,%esi
0x40313516 <php_mime_get_hdr_value+58>: add    $0x10,%esp
0x40313519 <php_mime_get_hdr_value+61>: lea    0x0(%esi),%esi
0x4031351c <php_mime_get_hdr_value+64>: sub    $0x8,%esp
0x4031351f <php_mime_get_hdr_value+67>: push   %edi
// This is the line with the problem
0x40313520 <php_mime_get_hdr_value+68>: pushl  (%esi)

In the infamous rfc1867.c at line 365

        if (!strcasecmp(entry->key, key)) {

entry becomes NULL when calling strcasecmp and that's why
it will segfault.

This will give us a pretty and easy fix of this problem:

        do {
+               if ( entry != NULL )
                if (!strcasecmp(entry->key, key)) {
                        return entry->value;
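
Review bot: the added `if ( entry != NULL )` is an unbraced `if` that only skips the `strcasecmp` call; the rest of the `do { } while` iteration still runs with `entry` NULL, so the next use of `entry` (stepping to the following list element, or the loop condition) faults in the same way. The backtrace shows the header list with `head = 0x0` and `count = 0`, so the root problem is entering a `do`/`while` body before checking that a first entry exists; the safer fix is to test `entry` before the loop (or rewrite it as `while (entry) { ... }`) and return NULL for an empty header list. Also brace the nested `if` so the two `if`s do not read as a dangling-if pair.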

php 4.2.1 fixes this problem.

--
SysAdmin of ProTV & ProFM, Member of TFM Group linux division.
Mihai Moldovanu
http://www.tfm.ro/
http://portal.tfm.ro/
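The empty-header-list case described in the message above (head = 0x0, count = 0 in the backtrace, first dereference inside a do/while body), as an added example that is not PHP's rfc1867.c and not the poster's code. It models the per-part MIME header list as a plain singly linked list (a constructed stand-in for zend_llist), shows the unchecked lookup shape beside a hardened one that tests the pointer before every dereference, and runs both on constructed sample parts; the unchecked version is never called on the empty part, since that is exactly the NULL dereference the post reports.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed model of the per-part MIME header list (key/value pairs);
 * not PHP's zend_llist and not rfc1867.c. */
typedef struct hdr_entry {
    const char *key;
    const char *value;
    struct hdr_entry *next;
} hdr_entry;

typedef struct {
    hdr_entry *head;   /* NULL when the part carried no headers at all */
    size_t count;
} hdr_list;

/* Lookup in the shape the post describes: a do { } while body that
 * dereferences entry before anything has checked that a first entry
 * exists. On an empty list (head == NULL, count == 0, as in the
 * backtrace) this reads through a NULL pointer. Kept only for contrast;
 * main() never calls it with an empty list. */
static const char *get_hdr_value_unchecked(const hdr_list *hdrs, const char *key)
{
    hdr_entry *entry = hdrs->head;
    do {
        if (!strcasecmp(entry->key, key)) {   /* entry may be NULL here */
            return entry->value;
        }
        entry = entry->next;
    } while (entry != NULL);
    return NULL;
}

/* Hardened lookup: the pointer is tested before every dereference, so an
 * empty header list simply yields NULL instead of a fault. */
static const char *get_hdr_value(const hdr_list *hdrs, const char *key)
{
    if (hdrs == NULL || key == NULL) {
        return NULL;
    }
    for (const hdr_entry *entry = hdrs->head; entry != NULL; entry = entry->next) {
        if (entry->key != NULL && !strcasecmp(entry->key, key)) {
            return entry->value;
        }
    }
    return NULL;   /* header absent, or the part had no headers */
}

/* Constructed sample parts: one with two headers, one with none. */
static hdr_entry sample_ct = { "Content-Type", "text/plain", NULL };
static hdr_entry sample_cd = { "Content-Disposition",
                               "form-data; name=\"upload\"; filename=\"notes.txt\"",
                               &sample_ct };
static const hdr_list populated_part = { &sample_cd, 2 };
static const hdr_list empty_part     = { NULL, 0 };

int main(void)
{
    const char *v;

    v = get_hdr_value(&populated_part, "content-disposition");  /* case-insensitive */
    printf("populated part: %s\n", v ? v : "(none)");

    v = get_hdr_value(&empty_part, "Content-Disposition");
    printf("empty part: %s\n", v ? v : "(none)");

    /* get_hdr_value_unchecked(&empty_part, "Content-Disposition") would
     * dereference NULL inside the do/while, the crash shown in the post. */
    v = get_hdr_value_unchecked(&populated_part, "Content-Type");
    printf("unchecked lookup on populated part: %s\n", v ? v : "(none)");
    return 0;
}
```

The design point is where the NULL check sits: a guard inside the loop body still leaves every later use of the pointer in that iteration unprotected, whereas a `for`/`while` form checks the pointer before the body runs at all, so a part with no headers is handled by the ordinary loop condition rather than by a special case.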
