PHP Integer Overflow in socket_iovec_alloc() May Let Remote Users Execute Code in Certain Cases
SecurityTracker Alert ID: 1006373
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 25 2003
Impact: Denial of service via network, Execution of arbitrary code via network
Exploit Included: Yes
Advisory: Mordred Security Labs
Version(s): prior to 4.3.2
Description: An integer overflow vulnerability was reported in PHP's socket support. A remote user may be able to cause an application that uses PHP socket communications to crash or execute arbitrary code.
Mordred Security Labs reported that when PHP is compiled with the '--enable-sockets' option, a remote user may be able to trigger an integer overflow in the socket_iovec_alloc() function. This option is not a default option, according to the advisory.
A demonstration exploit script is provided:
$ cat t.php
<?php
socket_iovec_alloc(0x20000000);
?>
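
The arithmetic behind the value in the demonstration script, as an added example that is not taken from the advisory or from PHP's source. It assumes the allocation size is computed as count x sizeof(struct iovec) in 32-bit arithmetic with an 8-byte struct iovec (32-bit Linux); the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 8-byte struct iovec (4-byte pointer + 4-byte length), as on
 * 32-bit Linux. uint32_t models 32-bit size arithmetic on any host. */
#define IOVEC_SIZE 8u

/* Unchecked: the product is reduced modulo 2^32, so a large count
 * yields a small (or zero) byte size. */
uint32_t iovec_bytes_unchecked(uint32_t count)
{
    return count * IOVEC_SIZE;
}

/* Checked: refuse any count whose byte size cannot be represented.
 * The division form avoids performing the overflowing multiply. */
bool iovec_bytes_checked(uint32_t count, uint32_t *bytes)
{
    if (count == 0 || count > UINT32_MAX / IOVEC_SIZE)
        return false;
    *bytes = count * IOVEC_SIZE;
    return true;
}

int main(void)
{
    /* Constructed sample counts; 0x20000000 is the value in t.php. */
    const uint32_t samples[] = { 4u, 0x1FFFFFFFu, 0x20000000u, 0x20000001u };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t bytes = 0;
        bool ok = iovec_bytes_checked(samples[i], &bytes);
        printf("count=0x%08lx unchecked=0x%08lx checked=%s\n",
               (unsigned long)samples[i],
               (unsigned long)iovec_bytes_unchecked(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```
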
Impact: The specific impact depends on the application that uses the PHP socket extensions. A remote user may be able to cause the affected application to crash or potentially execute arbitrary code.
Solution: No solution was available at the time of this entry. According to the report, the vendor plans to fix this flaw in version 4.3.2.
Vendor URL: www.php.net/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Underlying OS Comments: Tested on Linux 2.4 with Apache 1.3.27 / PHP 4.3.1
Reported By: Sir Mordred <mordred@s-mail.com>
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 25 Mar 2003 14:31:59 +0000
From: Sir Mordred <mordred@s-mail.com>
Subject: @(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function
//@(#) Mordred Security Labs advisory
Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with --enable-sockets option, which is
turned off by default
Risk: average
Author: Sir Mordred (mordred@s-mail.com)
I. Description:
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.
The PHP socket extension implements a low-level interface to the socket
communication functions based on the popular BSD sockets, providing the
possibility to act as a socket server as well as a client...
To enable this extension PHP should be compiled with --enable-sockets
option.
II. Details:
There exists an integer overflow in socket_iovec_alloc() function.
When requesting the following php script, a httpd child will die with
the error message: child pid <pidnum> exit signal Segmentation fault (11)
$ cat t.php
<?php
socket_iovec_alloc(0x20000000);
?>
III. Platforms tested
Linux 2.4 with Apache 1.3.27 / PHP 4.3.1
III. Workaround
Don't use the sockets extension.
IV. Vendor response
Vendor notified, issue will be fixed in PHP 4.3.2.