Re: [Full-disclosure] PHP: Calendar Buffer Overflow

From: Martin Pitt (martin.pitt_at_canonical.com)
Date: 06/28/05

    Date: Tue, 28 Jun 2005 10:02:28 +0200
    To: full-disclosure@lists.grok.org.uk

    Hi!

    FistFucker [2005-06-27 7:02 +0200]:
    >There are some nice sprintf()'s in "\ext\calendar\calendar.c":
    >'sprintf(date, "%i/%i/%i", month, day, year);'
    >
    >Example exploitation (4.3.11):
    >
    >
    ><?php
    >
    > JDToGregorian(999999999);
    >
    >?>

    Interesting that this works on Windows. I took a look at the code:

    PHP_FUNCTION(jdtogregorian)
    {
        pval **julday;
        int year, month, day;
        char date[10];
        [...]
        sprintf(date, "%i/%i/%i", month, day, year);

        RETURN_STRING(date, 1);
    }

    The biggest string length I could get is 15 characters. That would
    merely overflow into the "year, month, day" integers, but not even
    close to the function's return address.

    Of course that is a bug that should be fixed in CVS head, but I think
    it's not exploitable, so it does not require a security update as far
    as I can see.

    Thanks for the report,

    Martin

    -- 
    Martin Pitt        http://www.piware.de
    Ubuntu Developer   http://www.ubuntu.com
    Debian Developer   http://www.debian.org
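Added example (mine, not code from the thread or from PHP's tree; the function names are hypothetical): a bounded replacement for the `sprintf(date, "%i/%i/%i", ...)` call discussed above, plus a helper that measures how many bytes the format actually needs so a fixed-size buffer can be sized from the worst case of three ints rather than from typical dates.

```c
#include <stdio.h>
#include <limits.h>

/* Bytes needed for "%i/%i/%i", including the terminating NUL.
   snprintf() with a NULL buffer and size 0 only measures, writes nothing. */
size_t date_bytes_needed(int month, int day, int year)
{
    int n = snprintf(NULL, 0, "%i/%i/%i", month, day, year);
    return (size_t)n + 1;
}

/* Worst case for three ints: INT_MIN prints as 11 characters each, plus
   two '/' and the NUL, i.e. 36 bytes. A fix that does not range-check
   its inputs should size the buffer from this, not from "12/31/2005". */
size_t date_buf_worst_case(void)
{
    return date_bytes_needed(INT_MIN, INT_MIN, INT_MIN);
}

/* Bounded replacement for the unbounded sprintf(): formats into a
   caller-supplied buffer of `size` bytes and returns 0 on success. If the
   result would not fit, snprintf() truncates instead of writing past the
   buffer; the buffer is then emptied and -1 returned so the caller can
   raise an error rather than return a corrupted or truncated date. */
int format_gregorian_date(char *buf, size_t size, int month, int day, int year)
{
    if (buf == NULL || size == 0)
        return -1;
    int n = snprintf(buf, size, "%i/%i/%i", month, day, year);
    if (n < 0 || (size_t)n >= size) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* 1 if the date fits in a buffer of `size` bytes (capped at the scratch
   buffer), 0 otherwise; drives the bounded formatter for a given size. */
int date_fits(size_t size, int month, int day, int year)
{
    char scratch[64];
    if (size > sizeof scratch)
        size = sizeof scratch;
    return format_gregorian_date(scratch, size, month, day, year) == 0;
}
```

With the 10-byte buffer quoted in the thread, `date_fits(10, 12, 31, 2005)` is already 0: "12/31/2005" needs 11 bytes with its NUL.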

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/