==========================================================
Title: Php shmop write of arbitrary memory - Safe Mode Bypass
Affected: Php <= 5.0.2 & 4.3.9 if shmop module is loaded.
Vulnerability Type: Input Validation - write of arbitrary memory
==Summary
Shared Memory PHP Module has a memory leak when shmop_write function
checks for offset bounds.
This flaw could lead to bypass Safe Mode and other bad things.
==Description
shmop.c in PHP_FUNCTION(shmop_write)
function does not check if the 'offset' value is negative,
so it is possible to overwrite arbitrary memory with:
memcpy(shmop->addr + offset, data, writesize);
this, in particular can be used to set safe_mode to off.
Attached there's a Proof of concept for this vuln.
It needs some gdb debugging or print the address of core_globals.safe_mode
and some try to get the right distance to set in '$offset'.
Of course shmop.so needs to be loaded as module or embedded in php bins.:)
==========================================================
Title: Php shmop write of arbitrary memory - Safe Mode Bypass
Affected: Php <= 5.0.2 & 4.3.9 if shmop module is loaded.
Vulnerability Type: Input Validation - write of arbitrary memory
==Summary
Shared Memory PHP Module has a memory leak when shmop_write function
checks for offset bounds.
This flaw could lead to bypass Safe Mode and other bad things.
==Description
shmop.c in PHP_FUNCTION(shmop_write)
function does not check if the 'offset' value is negative,
so it is possible to overwrite arbitrary memory with:
memcpy(shmop->addr + offset, data, writesize);
this, in particular can be used to set safe_mode to off.
Attached there's a Proof of concept for this vuln.
It needs some gdb debugging or print the address of core_globals.safe_mode
and some try to get the right distance to set in '$offset'.
Of course shmop.so needs to be loaded as module or embedded in php bins.:)
Solution:
Update php to 5.0.3 or 4.3.10
Regards,
Stefano Di Paola
--
......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
[ reply ]