--- e-matters Security <[EMAIL PROTECTED]> wrote: > Date: Mon, 22 Jul 2002 13:21:28 +0200 > From: e-matters Security <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > CC: [EMAIL PROTECTED] > Subject: [VulnWatch] Advisory 02/2002: PHP remote > vulnerability > > e-matters GmbH > www.e-matters.de > > -= Security Advisory =- > > > > Advisory: Remote Compromise/DOS Vulnerability > in PHP > Release Date: 2002/07/22 > Last Modified: 2002/07/22 > Author: Stefan Esser [[EMAIL PROTECTED]] > > Application: PHP 4.2.0, 4.2.1 > Severity: A vulnerability within the > multipart/form-data handler > could allow remote compromise of the > web server. > Risk: Critical > Vendor Status: Patches Released. > Reference: > http://security.e-matters.de/advisories/022002.html > > > > Overview: > > We have discovered a serious vulnerability within > the default version > of PHP. Depending on the processor architecture > it may be possible for a > remote attacker to either crash or compromise the > web server. > > > Details: > > PHP 4.2.0 introduced a completely rewritten > multipart/form-data POST > handler. While I was working on the code in my > role as PHP developer > i found a bug within the way the mime headers are > processed. > A malformed POST request can trigger an error > condition, that is not > correctly handled. Due to this bug it could > happen that an uninit- > ialised struct gets appended to the linked list > of mime headers. > When the lists gets cleaned or destroyed PHP > tries to free the pointers > that are expected in the struct. Because of the > lack of initialisation > those pointers contain stuff that was left on the > stack by previous > function calls. > > On the IA32 architecture (aka. x86) it is not > possible to control what > will end up in the uninitialised struct because > of the stack layout. All > possible code paths leave illegal addresses > within the struct and PHP > will crash when it tries to free them. > > Unfortunately the situation is absolutely > different if you look on a > solaris sparc installation. Here it is possible > for an attacker to free > chunks of memory that are full under his control. > This is most probably > the case for several more non IA32 architectures. > > Please note that exploitability is not only > limited to systems that are > running malloc()/free() implementations that are > known to be vulnerable > to control structure overwrites. This is because > the internal PHP memory > managment implements its own linked list system > that can be used to > overwrite nearly arbitrary memory addresses. > > > Proof of Concept: > > e-matters is not going to release the exploit for > this vulnerability to > the public. > > > Vendor Response: > > 22th July 2002 - An updated version of PHP which > fixes this > vulnerability was released and > can be downloaded at: > > > http://www.php.net/downloads.php > > The vendor announcement is > available at: > > > http://www.php.net/release_4_2_2.php > > > Recommendation: > > If you are running PHP 4.2.x you should upgrade > as soon as possible, > especially if your server runs on a non IA32 CPU. > If you cannot upgrade > for whatever reason the only way to workaround > this, is to disable all > kinds of POST requests on your server. > > > GPG-Key: > > http://security.e-matters.de/gpg_key.asc > > pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - > Securityteam > Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB > 81F2 8110 75E7 AAD6 > > > Copyright 2002 Stefan Esser. All rights reserved. > > >
__________________________________________________ Do You Yahoo!? Yahoo! Health - Feel better, live better http://health.yahoo.com ============================================================================ A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers). http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html ============================================================================
