Re: [PHP-DEV] How does the PHP Ghost one-liner work?

2015-01-30 Thread Stanislav Malyshev
Hi!

> does this indicate any problems with PHP?
>
> No.

That said, it may make sense to put a cap on gethostbyname() argument as
a public service, if we can find a good limit. IIRC, there are limits on
both FQDN and hostname component lengths, so if we check for these
limits, we may add protection for people that for inexplicable reasons
upgrade their PHP but not their glibc.

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DEV] How does the PHP Ghost one-liner work?

2015-01-30 Thread Rowan Collins

On 30/01/2015 18:42, Robert Williams wrote:

% php -r '$e=0;for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'

What’s not being discussed is how it works. From the naive viewpoint of a PHP 
end-user, I’d expect this one-liner to have the same effect:

% php -r '$e="0$e"; gethostbyname($e);'

But it doesn’t. Can someone familiar with PHP’s internals explain why this code 
triggers the overflow, and whether it will actually do so reliably?


No need to be familiar with the internals, you just need to unroll the 
loop properly in your head:


initialise: $e = 0; = 0
$i=0: $e = "0$e"; = 0 . 0 = 00
$i=1: $e = "0$e"; = 0 . 00 = 000
and so on until you have 2501 zeroes when $i=2499

As Patrick points out, this is a really weird way of initialising that 
variable, and is presumably translated from another language by someone 
who doesn't know PHP.


--
Rowan Collins
[IMSoP]





Re: [PHP-DEV] How does the PHP Ghost one-liner work?

2015-01-30 Thread Leigh
On 30 January 2015 at 19:05, Patrick Schaaf p...@bof.de wrote:
> On 30.01.2015 19:43, Robert Williams rewilli...@thesba.com wrote:
>
>> % php -r '$e=0;for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
>
> What a funny way to say gethostbyname(str_repeat(0, 2501));
>
>> does this indicate any problems with PHP?
>
> No.
>
> best regards
>   Patrick

Well, I guess in theory we should be limiting the size of input to
gethostbyname to 255 characters.

http://tools.ietf.org/html/rfc1035#section-2.3.4

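Stas's remark about FQDN and label length limits and Leigh's pointer to RFC 1035 section 2.3.4 describe the same pre-check, and Rowan's unrolling of the loop shows what string the one-liner actually builds. The PHP below is an added example, not code from this thread or from the PHP project: it implements the RFC 1035 length check (63 octets per label, 255 octets total) in front of gethostbyname(), rebuilds the one-liner's string the way Rowan unrolled it, and shows the check rejecting that string before libc ever sees it. The function names hostname_length_problem, safe_gethostbyname and ghost_oneliner_string are hypothetical.

```php
<?php
// Added example, not from the PHP-DEV thread or the PHP source tree.

/**
 * Check a hostname against the RFC 1035 section 2.3.4 size limits:
 * every label at most 63 octets, the whole name at most 255 octets.
 * Returns null when the name is acceptable, otherwise a short reason.
 */
function hostname_length_problem(string $host): ?string
{
    // The limits are on octets, so use strlen(), not a multibyte length.
    $len = strlen($host);
    if ($len === 0) {
        return 'empty hostname';
    }
    if ($len > 255) {
        return "hostname is $len octets, RFC 1035 limit is 255";
    }
    // One trailing dot (absolute name) is allowed; drop it before splitting.
    $labels = explode('.', rtrim($host, '.'));
    foreach ($labels as $label) {
        $l = strlen($label);
        if ($l === 0) {
            return 'empty label (consecutive dots)';
        }
        if ($l > 63) {
            return "label '" . substr($label, 0, 16) . "...' is $l octets, limit is 63";
        }
    }
    return null;
}

/**
 * Hypothetical wrapper: refuse oversized names in PHP instead of handing
 * them to the C library. Returns false for a rejected name, otherwise the
 * result of gethostbyname().
 */
function safe_gethostbyname(string $host)
{
    if (hostname_length_problem($host) !== null) {
        return false;
    }
    return gethostbyname($host);
}

/**
 * The string the thread's one-liner builds, unrolled as Rowan describes:
 * "0" is prepended to $e 2500 times starting from 0, giving 2501 zeroes,
 * i.e. the same thing as str_repeat('0', 2501).
 */
function ghost_oneliner_string(): string
{
    $e = 0;
    for ($i = 0; $i < 2500; $i++) {
        $e = "0$e";
    }
    return $e;
}

$payload = ghost_oneliner_string();
printf("one-liner builds %d octets; same as str_repeat('0', 2501): %s\n",
    strlen($payload), $payload === str_repeat('0', 2501) ? 'yes' : 'no');
printf("check result: %s\n", hostname_length_problem($payload));
var_dump(safe_gethostbyname($payload));
var_dump(hostname_length_problem('localhost'));
var_dump(hostname_length_problem(str_repeat('a', 64) . '.example'));
```

The check is deliberately a handful of strlen() comparisons and one explode(), in line with Patrick's point that a pre-check in PHP is only worthwhile if it is simpler than the libc code it guards. Returning false on rejection differs from gethostbyname() itself, which returns the input unchanged on failure; a caller that wants the native behaviour can return $host instead.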



Re: [PHP-DEV] How does the PHP Ghost one-liner work

2015-01-30 Thread Patrick Schaaf
On 30.01.2015 20:09, Leigh lei...@gmail.com wrote:

> Well, I guess in theory we should be limiting the size of input to
> gethostbyname to 255 characters.

Yeah, but in theory the C library gethostbyname() should do the same...
There will be a lot of things that could be checked up-front instead of
relying on the C layer stuff to do its work. Do you want to pre-examine
pathnames regarding maximum path name lengths? Check the fopen mode
parameter for posixly valid content? There's a zillion ways libc might be
vulnerable. And any such up-front in PHP check might then be blessed with
exploitable bugs itself...

best regards
  Patrick


Re: [PHP-DEV] How does the PHP Ghost one-liner work?

2015-01-30 Thread Robert Williams
On Jan 30, 2015, at 12:05, Patrick Schaaf p...@bof.de wrote:
>> % php -r '$e=0;for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
>
> What a funny way to say gethostbyname(str_repeat(0, 2501));

Wow, I somehow missed the interpolation of $e into the value… self-slap. 
Guess I was too focused on looking to the loop as the important part when 
really, it’s just stupid code, as you point out, probably written by someone 
who knows little about PHP.

With that in mind, there is obviously no unintended side-effect at work here. 
Sorry for wasting everyone’s time… as you were.

--
Bob Williams
Business Unit Information Officer and
Senior Vice President of Software Development
Newtek Business Services Corp.
(602) 263-0300 x12458 | http://www.thesba.com/





Re: [PHP-DEV] How does the PHP Ghost one-liner work?

2015-01-30 Thread Patrick Schaaf
On 30.01.2015 19:43, Robert Williams rewilli...@thesba.com wrote:

> % php -r '$e=0;for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'

What a funny way to say gethostbyname(str_repeat(0, 2501));

> does this indicate any problems with PHP?

No.

best regards
  Patrick