> For example to get around non-executable HEAP situation you first need to
> poke the right offsets in memory to "reenable" the dl() function (NOT
> possible with plain PHP code), find some writeable diskspace, dump a
> shared library there and load it. From there you can execute whatever
> kernel exploit

Why so much trouble - if you can do that, you certainly can do simple exec...

> you want, to get for example out of the chroot, to disable SELINUX...

If you can do that from PHP, these functions essentially would be completely useless since then you can do it from any other program (like vulnerable ftpd or smtpd or named) and the whole reason for their existence is to protect exactly against that.

> And here is the problem with the OS hardening argument of the PHP
> developers. OS hardening is useless if I can use exploits in PHP to
> simply disable/get around this hardening.

OS hardening is useless if you can use anything in any user-level program to break it, correct. However, I don't think it's that easy to break OS as you make it sound to be, and in any case PHP is not really meant to be a fix for insecure OS. If you have an insecure OS, you are in a deep it anyway, so relying on PHP for help is just denying the reality.
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php