PHP Zend Engine ecalloc Function Integer Overflow Vulnerability

Vulnerability ID: 1111198
Vulnerability type: code injection
Published: 2006-10-05
Updated: 2007-01-25
CVE number: CVE-2006-4812
CNNVD ID: CNNVD-200610-139
Platform: PHP
CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/28760
https://www.securityfocus.com/bid/20349
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-139
|Vulnerability details
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML. An integer overflow vulnerability exists in PHP's memory-handling routine _ecalloc; a remote attacker may exploit it to execute commands on the server. If a script can be made to allocate memory based on untrusted user data, a remote attacker can send a specially crafted request and execute arbitrary commands with the privileges of the apache user.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/20349/info

PHP is prone to an integer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.

<?php
// Serialized array claiming 1073741823 elements: the element count, taken from
// untrusted input, drives the size of the hash table allocation.
print_r(unserialize('a:1073741823:{i:0;s:30:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}'));
?>

In function zend_hash_init(): int overflow (ecalloc()) -> heap overflow.
Here segfault in zend_hash_find(), but it's possible to fake the bucket and
exploit a zend_hash_del_index_or_key.
I tried a memory dump; just fake the bucket with the pointer of the
$GLOBALS's bucket, but segfault before in memory_shutdown...
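As an added illustration (not code from this page, from the exploit author, or from the PHP project), the following C program shows the arithmetic behind this class of bug and the check a calloc-style allocator needs: an element count multiplied by an element size in 32-bit arithmetic wraps to a small value, and a division-based check detects the wrap before any allocation happens. The element count 1073741823 comes from the PoC above; the 4-byte slot size, the rounding of the table size up to 2^30, and all function names are assumptions made for the illustration and are not taken from the page or from PHP's source.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Element count taken from the PoC's serialized string (a:1073741823:{...}). */
#define POC_ELEMENT_COUNT 1073741823u

/* Assumed for illustration only: 4-byte hash slots (32-bit build). Not from the page. */
#define ASSUMED_SLOT_SIZE 4u

/* Round n up to the next power of two in 32-bit arithmetic (returns 0 on wrap).
   Assumed table-sizing rule for the illustration. */
static uint32_t round_up_pow2_u32(uint32_t n)
{
    uint32_t p = 1;
    while (p < n && p != 0) {
        p <<= 1;
    }
    return p;
}

/* What an unchecked 32-bit "nmemb * size" computes when it wraps: the byte
   count an allocator would actually use if it multiplies without checking. */
static uint32_t wrapped_product_u32(uint32_t nmemb, uint32_t size)
{
    return nmemb * size;   /* unsigned wrap-around is well defined in C */
}

/* Division-based overflow test at 32-bit width: no product is formed, so the
   check itself cannot overflow. */
static int mul_overflows_u32(uint32_t nmemb, uint32_t size)
{
    return nmemb != 0 && size > UINT32_MAX / nmemb;
}

/* Same check at native size_t width. */
static int mul_overflows_size(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Hypothetical checked calloc-style allocator: refuses a request whose byte
   count would wrap instead of handing back an undersized block. */
static void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows_size(nmemb, size)) {
        return NULL;
    }
    void *p = malloc(nmemb * size);
    if (p != NULL) {
        memset(p, 0, nmemb * size);
    }
    return p;
}

/* Returns 1 if the checked allocator honoured the request, 0 if it refused. */
static int checked_calloc_succeeds(size_t nmemb, size_t size)
{
    void *p = checked_calloc(nmemb, size);
    if (p == NULL) {
        return 0;
    }
    free(p);
    return 1;
}

int main(void)
{
    uint32_t slots = round_up_pow2_u32(POC_ELEMENT_COUNT);  /* 2^30 */
    printf("requested slots: %u, slot size: %u\n", slots, ASSUMED_SLOT_SIZE);
    printf("unchecked 32-bit product: %u bytes\n",
           wrapped_product_u32(slots, ASSUMED_SLOT_SIZE));
    printf("overflow check at 32-bit width: %s\n",
           mul_overflows_u32(slots, ASSUMED_SLOT_SIZE) ? "rejected" : "accepted");
    printf("overflow check at size_t width: %s\n",
           mul_overflows_size(slots, ASSUMED_SLOT_SIZE) ? "rejected" : "accepted");
    return 0;
}
```

With the assumed layout, 2^30 slots of 4 bytes is exactly 2^32, so the unchecked 32-bit product is 0 and the allocator would return a block far smaller than the table that is then written into it; the division-based check rejects the same request. On a 64-bit build the size_t check accepts it, which is why the correct fix is an overflow check at the allocator's own width rather than a reliance on pointer size.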
|Affected products
Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu
|References

Source: www.hardened-php.net
Link: http://www.hardened-php.net/files/CVE-2006-4812.patch
Source: VUPEN
Name: ADV-2006-3922
Link: http://www.frsirt.com/english/advisories/2006/3922
Source: SECTRACK
Name: 1016984
Link: http://securitytracker.com/id?1016984
Source: SECUNIA
Name: 22280
Link: http://secunia.com/advisories/22280
Source: REDHAT
Name: RHSA-2006:0708
Link: http://rhn.redhat.com/errata/RHSA-2006-0708.html
Source: XF
Name: php-ecalloc-integer-overflow(29362)
Link: http://xforce.iss.net/xforce/xfdb/29362
Source: UBUNTU
Name: USN-362-1
Link: http://www.ubuntu.com/usn/usn-362-1
Source: TRUSTIX
Name: 2006-0055
Link: http://www.trustix.org/errata/2006/0055
Source: BID
Name: 20349
Link: http://www.securityfocus.com/bid/20349
Source: OPENPKG
Name: OpenPKG-SA-2006.023
Link: http://www.securityfocus.com/archive/1/archive/1/448953/100/0/threaded
Source: BUGTRAQ
Name: 20061009 Advisory 09/2006: PHP unserialize() Array Creation Integer Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/448014/100/0/threaded
Source: MISC
Link: http://www.hardened-php.net/advisory_092006.133.html
Source: GENTOO
Name: GLSA-200610-14
Link: