PHP _SESSION Deserialization Overwrite Vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052980 漏洞类型
发布时间 2007-04-01 更新时间 2007-04-01
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2007040010
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
When register_globals is activated the deserialization of the session data can overwrite any global variable, including the _SESSION array. Because of its special implementation this can result in arbitrary code execution.

Detailed information

The summary says it all. For further clarification test the exploit.
Proof of concept, exploit or instructions to reproduce

The attached proof of concept code uses the substr_compare() information leak vulnerability to determine the offset to the shellcode and to a writeable address containing a NULL pointer. It then uses the described vulnerability to overwrite the _SESSION array with a fake Hashtable and trigger code execution.
Notes

Under normal situations this vulnerability can only be exploited locally. However it might be possible for a remote attacker to use an application vulnerability to inject a session data file onto the server. Many applications already contained holes like this.

Through this vulnerability it is possible to execute arbitrary code on servers running such applications. The Suhosin Extension will protect you from this kind of attack in the default config, because session data is encrypted on the server and cannot be easily modified.

SecurityReason Note :
Exploit - http://securityreason.com/exploitalert/2220