PHP shmop.c module permits write of arbitrary memory.

From: Stefano Di Paola (stefano.dipaola_at_wisec.it)
Date: 12/19/04

  • Next message: Trustix Security Advisor: "TSLSA-2004-0068 - kernel"
    To: Bugtraq <bugtraq@securityfocus.com>
    Date: Sun, 19 Dec 2004 19:40:54 +0100
    
    
    

    Hi list-eners,

    ==========================================================
    Title: Php shmop write of arbitrary memory - Safe Mode Bypass
    Affected: Php <= 5.0.2 & 4.3.9 if shmop module is loaded.
    Vulnerability Type: Input Validation - write of arbitrary memory

    ==Summary
    The Shared Memory PHP Module has a memory leak when the shmop_write function
    checks for offset bounds.
    This flaw could lead to a Safe Mode bypass and other bad things.

    ==Description

    The PHP_FUNCTION(shmop_write) function in shmop.c
    does not check whether the 'offset' value is negative,
    so it is possible to overwrite arbitrary memory with:

     memcpy(shmop->addr + offset, data, writesize);

    This, in particular, can be used to set safe_mode to off.
    Attached there's a proof of concept for this vulnerability.
    It needs some gdb debugging, or printing the address of core_globals.safe_mode,
    and some tries to get the right distance to set in '$offset'.
    Of course shmop.so needs to be loaded as a module or embedded in the php binaries. :)

    Solution:
    Update php to 5.0.3 or 4.3.10

    Regards,
    Stefano Di Paola

    -- 
    ......---oOOo--------oOOo---......
    Stefano Di Paola
    Software Engineer
    Email: stefano.dipaola_at_wisec.it
    Email: stefano.dipaola1_at_tin.it
    Web: www.wisec.it
    ..................................
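The missing check described in the advisory, as an added C example (not PHP's shmop.c and not the author's proof of concept): a minimal model of a segment with the same addr/size fields and a write helper that mirrors the quoted memcpy but rejects negative and out-of-range offsets instead of performing the copy. The struct and function names are assumptions chosen for this illustration.

```c
/* Added example: a model of the bounds check shmop_write lacked.
 * Not PHP's source; segment_t stands in for the shmop struct's addr/size. */
#include <stddef.h>
#include <string.h>
#include <limits.h>

typedef struct {
    char  *addr;   /* segment base (here a plain heap/stack buffer) */
    size_t size;   /* segment size in bytes */
} segment_t;

/* Returns bytes written, or -1 if any byte would land outside
 * [addr, addr + size). The negative-offset test is the one the advisory
 * says was missing: with it absent, addr + offset points before the
 * segment and memcpy writes there. */
long shmop_write_checked(segment_t *seg, const char *data, size_t len, long offset)
{
    if (seg == NULL || data == NULL)
        return -1;
    if (offset < 0)                          /* the missing check */
        return -1;
    if ((size_t)offset > seg->size)          /* starts past the end */
        return -1;
    if (len > seg->size - (size_t)offset)    /* ends past the end; no size_t wrap */
        return -1;
    memcpy(seg->addr + offset, data, len);
    return (long)len;
}

/* Self-check on a 16-byte segment; returns 0 when every case behaves as
 * expected, otherwise the number of the first failing case. */
int shmop_write_selfcheck(void)
{
    char backing[16];
    segment_t seg = { backing, sizeof backing };
    memset(backing, 'x', sizeof backing);

    if (shmop_write_checked(&seg, "abcd", 4, 0) != 4)       return 1; /* in range */
    if (memcmp(backing, "abcdxxxx", 8) != 0)                return 2;
    if (shmop_write_checked(&seg, "ab", 2, 14) != 2)        return 3; /* ends on last byte */
    if (shmop_write_checked(&seg, "abc", 3, 14) != -1)      return 4; /* runs past end */
    if (shmop_write_checked(&seg, "a", 1, -1) != -1)        return 5; /* the advisory's case */
    if (shmop_write_checked(&seg, "a", 1, LONG_MIN) != -1)  return 6;
    if (shmop_write_checked(&seg, "", 0, 16) != 0)          return 7; /* empty write at end */
    return 0;
}
```

Note that this helper refuses an over-long write outright; a real implementation may instead truncate the length to what fits, which is a separate design choice from the offset sign check the advisory is about.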