Re: [PHP-DEV] How does the PHP Ghost one-liner work?
Hi!

> > does this indicate any problems with PHP?
>
> No.

That said, it may make sense to put a cap on the gethostbyname() argument as a public service, if we can find a good limit. IIRC, there are limits on both FQDN and hostname component lengths, so if we check for these limits, we may add protection for people that for inexplicable reasons upgrade their PHP but not their glibc.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] How does the PHP Ghost one-liner work?
On 30/01/2015 18:42, Robert Williams wrote:
> % php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
>
> What's not being discussed is how it works. From the naive viewpoint of a PHP end-user, I'd expect this one-liner to have the same effect:
>
> % php -r '$e="0$e"; gethostbyname($e);'
>
> But it doesn't. Can someone familiar with PHP's internals explain why this code triggers the overflow, and whether it will actually do so reliably?

No need to be familiar with the internals, you just need to unroll the loop properly in your head:

initialise: $e = "0";     = "0"
$i=0:       $e = "0$e";   = "0" . "0"  = "00"
$i=1:       $e = "0$e";   = "0" . "00" = "000"

and so on until you have 2501 zeroes when $i=2499.

As Patrick points out, this is a really weird way of initialising that variable, and is presumably translated from another language by someone who doesn't know PHP.

--
Rowan Collins
[IMSoP]
Re: [PHP-DEV] How does the PHP Ghost one-liner work?
On 30 January 2015 at 19:05, Patrick Schaaf <p...@bof.de> wrote:
> Am 30.01.2015 19:43 schrieb Robert Williams <rewilli...@thesba.com>:
> > % php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
>
> What a funny way to say gethostbyname(str_repeat("0", 2501));
>
> > does this indicate any problems with PHP?
>
> No.
>
> best regards
> Patrick

Well, I guess in theory we should be limiting the size of input to gethostbyname to 255 characters.

http://tools.ietf.org/html/rfc1035#section-2.3.4
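One way to apply the RFC 1035 length limits that Stas and Leigh refer to, as an added example that is not code from this thread or from the PHP source tree: a user-land wrapper that checks the whole-name limit (255 octets) and the per-label limit (63 octets) before the string is handed to the C library's gethostbyname(). The function names are my own, and the probe string is the 2501-zero value that the one-liner in the thread builds.

```php
<?php
// Added example, not from the thread or from PHP itself: a user-land guard
// that applies the RFC 1035 section 2.3.4 length limits (255 octets for the
// whole name, 63 octets per label) before the string reaches libc's
// gethostbyname(). Function names are hypothetical.

function hostnameWithinRfc1035Limits(string $host): bool
{
    // A trailing dot marks a fully-qualified name; it is not itself a label.
    $name = rtrim($host, '.');

    // Whole-name limit.
    if ($name === '' || strlen($name) > 255) {
        return false;
    }

    // Per-label limit: every label must be 1..63 octets. An empty label
    // (as in "a..b") is rejected as well.
    foreach (explode('.', $name) as $label) {
        $len = strlen($label);
        if ($len === 0 || $len > 63) {
            return false;
        }
    }
    return true;
}

/**
 * Resolve $host only if it passes the length check; otherwise throw instead
 * of passing an oversized buffer down to the C library. On a failed lookup
 * PHP's gethostbyname() returns the name unchanged; that behaviour is kept.
 */
function guardedGethostbyname(string $host): string
{
    if (!hostnameWithinRfc1035Limits($host)) {
        throw new InvalidArgumentException(
            'hostname exceeds RFC 1035 length limits (' . strlen($host) . ' bytes)'
        );
    }
    return gethostbyname($host);
}

// Constructed inputs: the thread's 2501-zero string plus a few edge cases.
$probe = str_repeat('0', 2501);

var_dump(hostnameWithinRfc1035Limits($probe));                            // 2501 octets: too long
var_dump(hostnameWithinRfc1035Limits('www.php.net'));                     // ordinary name
var_dump(hostnameWithinRfc1035Limits(str_repeat('a', 64) . '.example'));  // one label of 64 octets
var_dump(hostnameWithinRfc1035Limits('a..b'));                            // empty label

try {
    guardedGethostbyname($probe);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The first, third and fourth checks fail and the second passes, so the oversized probe never reaches libc. As Patrick argues in his reply, a check like this is defence in depth for the PHP layer only; it does not replace updating the vulnerable glibc.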
Re: [PHP-DEV] How does the PHP Ghost one-liner work
Am 30.01.2015 20:09 schrieb Leigh <lei...@gmail.com>:
> Well, I guess in theory we should be limiting the size of input to gethostbyname to 255 characters.

Yeah, but in theory the C library gethostbyname() should do the same...

There will be a lot of things that could be checked up-front instead of relying on the C layer stuff to do its work. Do you want to pre-examine pathnames regarding maximum path name lengths? Check the fopen mode parameter for posixly valid content? There's a zillion ways libc might be vulnerable. And any such up-front in PHP check might then be blessed with exploitable bugs itself...

best regards
Patrick
Re: [PHP-DEV] How does the PHP Ghost one-liner work?
On Jan 30, 2015, at 12:05, Patrick Schaaf <p...@bof.de> wrote:
> > % php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
>
> What a funny way to say gethostbyname(str_repeat("0", 2501));

Wow, I somehow missed the interpolation of $e into the value... self-slap. Guess I was too focused on looking to the loop as the important part when really, it's just stupid code, as you point out, probably written by someone who knows little about PHP. With that in mind, there is obviously no unintended side-effect at work here.

Sorry for wasting everyone's time... as you were.

--
Bob Williams
Business Unit Information Officer and Senior Vice President of Software Development
Newtek Business Services Corp.
(602) 263-0300 x12458 | http://www.thesba.com/
Re: [PHP-DEV] How does the PHP Ghost one-liner work?
Am 30.01.2015 19:43 schrieb Robert Williams <rewilli...@thesba.com>:
> % php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'

What a funny way to say gethostbyname(str_repeat("0", 2501));

> does this indicate any problems with PHP?

No.

best regards
Patrick