PHP php_binary Session Deserialization Information Leak Vulnerability

Vulnerability ID 1053023 Vulnerability type
Published 2007-03-05 Updated 2007-03-05
CVE number N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007030018
|Vulnerability details
Vulnerability details have not yet been disclosed
|Vulnerability EXP
The PHP session extension comes with a serialization handler called 'php_binary' that contains a heap information leak. This security hole is the result of a missing boundary check and allows leaking up to 126 bytes following the serialized data into array keys of the session.

This can lead to the disclosure of sensitive information stored on the heap, like offsets (useful for further attacks), heap canaries, etc.

The php_binary session data format consists of one entry per serialized variable. Every entry starts with a one-byte size field that contains the length of the variable name, followed by the name itself and the serialized data.

Unfortunately, the extraction of the variable name happens without a boundary check, so an oversized length value results in the name being read from outside the buffer. This leads to a heap information leak of up to 126 bytes.
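The decode loop described above, as an added example that is not part of the advisory or of PHP's own source: a Python model of the php_binary decoder with the unchecked name copy beside a bounds-checked variant of the kind the fixed releases introduced. The heap contents, variable names and the simplified value parser (only i:N; values) are constructed for the illustration.

```python
PS_BIN_UNDEF = 1 << 7          # high bit of the size byte: name carries no value
PS_BIN_MAX = PS_BIN_UNDEF - 1  # 127, the largest encodable name length

def unserialize_int(buf, p, end):
    """Minimal stand-in for php_var_unserialize: parses only i:N; values.
    Returns (value, new_p), or (None, p) when no value fits in buf[p:end]."""
    semi = buf.find(b";", p, end)
    if p + 2 > end or buf[p:p + 2] != b"i:" or semi == -1:
        return None, p
    return int(buf[p + 2:semi]), semi + 1

def decode_php_binary(buf, start, length, bounds_check):
    """Model of the php_binary session decoder. `buf` stands in for the heap;
    the session payload is buf[start:start+length]. With bounds_check=False the
    name is copied from whatever follows the payload, as the unpatched code did."""
    end, p, session = start + length, start, {}
    while p < end:
        namelen = buf[p] & PS_BIN_MAX
        has_value = not (buf[p] & PS_BIN_UNDEF)
        p += 1
        if bounds_check and p + namelen > end:   # the name must lie inside the payload
            raise ValueError("php_binary: name length exceeds session data")
        name = bytes(buf[p:p + namelen])         # unchecked: may run past `end`
        p += namelen
        value = None
        if has_value:
            value, p = unserialize_int(buf, p, end)
        session[name] = value                    # key is kept even when the value failed to parse
    return session

def demo():
    """Constructed input: one valid entry, then a size byte of 127 as the last
    byte of the payload; the bytes after it model neighbouring heap memory."""
    payload = bytes([4]) + b"user" + b"i:42;" + bytes([PS_BIN_MAX])
    heap_residue = b"\x00\x00\x00\x00" + b"SECRET-HEAP-BYTES:" + b"A" * 110
    heap = bytearray(b"\xee" * 16 + payload + heap_residue)
    leaked = decode_php_binary(heap, 16, len(payload), bounds_check=False)
    try:
        decode_php_binary(heap, 16, len(payload), bounds_check=True)
        fixed_rejects = False
    except ValueError:
        fixed_rejects = True
    return leaked, fixed_rejects

if __name__ == "__main__":
    session, rejected = demo()
    for key in session:
        if key != b"user":
            print("leaked %d heap bytes into a session key: %r..." % (len(key), key[:22]))
    print("bounds-checked decoder rejected the payload:", rejected)
```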
Proof of concept, exploit or instructions to reproduce

The attached proof of concept exploit will leak the maximum of 126 bytes of heap data into PHP variables and produce a hexdump.

Heapdump
---------

00000000: 00 00 00 00 87 fe 60 e8 35 00 00 00 39 00 00 00 ......`.5...9...
00000010: 00 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 00 00 00 00 4b fe 60 e8 55 00 00 00 AAAA....K.`.U...
00000040: 35 00 00 00 89 68 25 50 25 00 00 00 a8 fd 91 b7 5....h%P%.......
00000050: a8 f2 91 b7 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 .. AAAAAAAAAAAAAAA.

Notes

This is one of the many vulnerabilities of the MOPB that were previously disclosed by us to the vendor and is therefore fixed in their latest updates. We therefore recommend updating to at least PHP 4.4.5 or PHP 5.2.1 to fix this issue.

SecurityReason Note:
Exploit - http://securityreason.com/exploitalert/2056