Re: php unserialize

From: Stefan Esser (sesser_at_php.net)
Date: 12/16/04

  • Next message: Gerald Carter: "[SAMBA] CAN-2004-1154 : Integer overflow could lead to remote code execution in Samba 2.x, 3.0.x <= 3.0.9"
    Date: Thu, 16 Dec 2004 00:32:20 +0100
    To: Martin Eiszner <martin@websec.org>
    
    

    Dear Martin,

    you were already told in November that the bugs you reported were known
    and fixed over 3 month ago in the PHP-CVS.

     From your advisory it is obvious that you have not analysed the
    vulnerability you describe at all:

    >1) Memory Corruption / buffer overflow
    >======================================
    >DESCRIPTION:
    >Insufficient input validation of serialized strings lead to memory corruption and information disclosre.
    >
    >EXAMPLE script - "Segfault":
    >---cut here---
    ><?
    >$s = 's:9999999:"A";"';
    >$a = unserialize($s);
    >print $a;
    >?>
    >---cut here---
    >
    >
    This example clearly shows that you have no clue about what is going on.
    The bug in the unserializer is, that it tries to copy the next 9999999
    Bytes (starting with the 'A') into a properly allocated memory block.
    Unfourtunately this will crash because it will try to read unpaged
    memory areas. There is no bufferoverflow and no memory corruption in
    your example.

    >REMARKS:
    >leads to arbitrary code execution and file/information disclosure.
    >
    >
    How does reading unpaged memory lead to arbitrary code execution?

    >=========================================================================================================================
    >FOR SOME STRANGE REASONS HARDENED-PHP.NET HAS RELEASED THIS ADVISORY TODAY TOGETHER WITH A BUNCH OF OTHER VULNERABILITIES
    >==========================================================================================================================
    >
    >
    Hardened-PHP has released an advisory about bugs in unserialize(). But
    the reported vulnerabilities are totally different from the stuff "you
    have found".
    The Hardened-PHP advisory does NOT cover the unserialize()
    vulnerabilities fixed about 3 month ago by Markus Boerger, because they
    were NOT found by me.
    And yeah some of the bugs Marcus fixed can lead to arbitrary code
    execution. (But the exploit will be a lot more unstable than an exploit
    for my buf [07])

    Greetings
    Stefan Esser


  • Next message: Gerald Carter: "[SAMBA] CAN-2004-1154 : Integer overflow could lead to remote code execution in Samba 2.x, 3.0.x <= 3.0.9"

    Relevant Pages

    • Re: Alternatives to C: ObjectPascal, Eiffel, Ada or Modula-3?
      ... pretty much have memory bugs, ... The language doesn't force this, but nevertheless it is fundamental to ... has a significant problem with destructor cleanup. ...
      (comp.programming)
    • Re: A Scientific Approach to Spell Memorization
      ... memory works than most folks realize. ... The "Bugs ... with participants swearing that they ... someone if they'd seen Bugs at Disney when you'd just made them look ...
      (rec.games.frp.dnd)
    • Re: [Lit.] Buffer overruns
      ... >> Such bugs can lead to security vulnerabilities. ... Is there some clever ... > memory hardware. ... Design so it won't happen. ...
      (sci.crypt)
    • Re: GC.Collect can be trusted?
      ... subtle application bugs or race conditions, ... Can you please confirm to me that with the GC working well, any memory leaks that occur while the application is running leave no "footprint" in memory when the application is closed? ... Finalization, how the Managed Heap works, and other related ... Object Resurrection, the differences between the Worksation and ...
      (microsoft.public.dotnet.languages.csharp)
    • Re: Why INVARIANTS option and sanity checking?
      ... including INVARIANTS, WITNESS, SOCKBUF_DEBUG, etc. ... > other zones and memory areas need't? ... allowing some state to be reused across allocations. ... it is a ripe opportunity for nasty bugs -- things like ...
      (freebsd-current)