Bug 141136
| Summary: | CAN-2004-1018 Multiple issues in PHP (CAN-2004-1019 CAN-2004-1020) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Josh Bressers <bressers> |
| Component: | php | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.0 | CC: | ezannoni, jturner |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | impact=important,public=20041215 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-02-15 09:23:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 142822 | | |
Description
Josh Bressers
2004-11-29 16:00:02 UTC
Here are the additional issues.

[06] ext/standard/var_unserializer.c, ext/standard/var_unserializer.re - negative reference index array underflow

A negative index in a reference could lead to exploitable memory corruption. (NOTE: phpBB2, which is very famous, uses unserialize on the value of a COOKIE, so this is remotely exploitable.)
http://cvs.php.net/diff.php/php-src/ext/standard/var_unserializer.c?r1=1.18.4.11&r2=1.18.4.12&ty=h
Credits: Stefan Esser

[07] ext/standard/var_unserializer.c, ext/standard/var_unserializer.re - reference to already freed array element

A reference to an already freed zvalue can lead to my special friend: controlling a ZendHashTable incl. its destructor pointer. Due to the Zend Memory Cache it is easy to create a string that, when unserialize is performed on it, will result in cross-platform jumping to a specific EIP. (NOTE: phpBB2 is more or less easily exploitable with this, PoC exists.)
http://cvs.php.net/diff.php/php-src/ext/standard/var_unserializer.re?f=&r1=0&tr1=1.11.4.6&ty=h&r2=0&tr2=1.11.4.8
Credits: Stefan Esser

[08] TSRM/tsrm_virtual_cwd.c - virtual_popen() safe_mode_exec_dir bypass

When PHP is running multithreaded (f.e. multithreaded apache2, roxen-zts, ...) popen() automatically gets a "cd CURRENTDIR ; " prepended. This happens directly before execution and after all checks. This means a script could create a directory with shell commands in its name and execute them, even if safe_mode_exec_dir is set to something like "/wont/ever/execute/anything/because/this/dir/does/not/exist".
http://cvs.php.net/diff.php/TSRM/tsrm_virtual_cwd.c?r1=1.41.2.7&r2=1.41.2.8&ty=h
Credits: Stefan Esser

[09] TSRM/tsrm_virtual_cwd.c - virtual_file_ex() does not protect itself against malfunctional realpath()

Some realpath() implementations (f.e. FreeBSD and OpenBSD (until a few days ago)) truncate the input string at MAXPATHLEN-1 bytes. This means if someone tries to do (with %00 properly escaped)
`include "modules/$modulname/bla.inc.php";`
it is possible on these platforms to make $modulname very long so that realpath() automatically cuts away the unwanted stuff at the end.

[10] main/safe_mode.c - Overlong filename fools security checks

I already mailed vendor-sec in May about the mad differences in realpath() on all those systems. glibc allows f.e. "/etc/hosts/../passwd" and allows overlong input filenames. Combined with the fact that the safe_mode checks strlcpy() the filename into a buffer of length MAXPATHLEN, it is possible to do something like
`include "$LONG_PATH_THAT_I_AM_ALLOWED_TO_INCLUDE/../../../../etc/passwd"`
The safe_mode checks will say: okay, you can include the file, because its name is truncated before the /../ starts, and then later the complete path is taken for inclusion.
http://cvs.php.net/diff.php/php-src/main/safe_mode.c?r1=1.51.2.4&r2=1.51.2.5&ty=h

[11] ext/exif/exif.c - exif_read_data() overflow on long sectionname

An image file containing malicious exif data can trigger a stack overflow.
http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.28&r2=1.118.2.29&ty=h
Credits: Ilia Alshanetsky
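Items [09] and [10] above share one root cause: the filename is silently truncated to a fixed buffer before it is validated, while the untruncated string is what gets opened. The following C program is an added illustration of that check/use mismatch and of the fix (reject anything that does not fit, validate the string that will actually be used); it is not code from PHP, from safe_mode.c, or from the report. `TOY_MAXPATHLEN`, `ALLOWED_PREFIX`, `toy_strlcpy`, `vulnerable_path_check`, `hardened_path_check` and the sample paths are all constructed for this example; the toy limit is far smaller than a real MAXPATHLEN so the truncation is visible in a short string.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed value: a toy limit far below the real MAXPATHLEN so the
 * truncation shows up with a short input. */
#define TOY_MAXPATHLEN 32

/* Constructed allowed directory; the real safe_mode logic is more involved. */
static const char *ALLOWED_PREFIX = "/var/www/app/";

/* Local strlcpy so the example builds where libc lacks one. Returns the
 * full source length, so a return value >= size signals truncation. */
static size_t toy_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* True if the path contains a parent-directory component anywhere. */
static bool has_parent_ref(const char *p)
{
    size_t n = strlen(p);
    return strstr(p, "/../") != NULL
        || strncmp(p, "../", 3) == 0
        || (n >= 3 && strcmp(p + n - 3, "/..") == 0);
}

/* The flawed pattern from item [10]: copy into a fixed buffer (silently
 * truncating), validate the copy, then let the caller open the FULL path.
 * Anything past byte TOY_MAXPATHLEN-1 is never inspected. */
bool vulnerable_path_check(const char *path)
{
    char buf[TOY_MAXPATHLEN];
    toy_strlcpy(buf, path, sizeof buf);
    if (strncmp(buf, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) != 0)
        return false;
    return !has_parent_ref(buf);   /* only the truncated copy is inspected */
}

/* Hardened form: refuse anything that would not fit (no silent truncation),
 * and validate the same string the caller will actually use. */
bool hardened_path_check(const char *path)
{
    if (strlen(path) >= TOY_MAXPATHLEN)
        return false;
    if (strncmp(path, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) != 0)
        return false;
    return !has_parent_ref(path);
}

int main(void)
{
    /* Constructed input in the shape the report describes: an allowed
     * prefix padded past the buffer, followed by directory traversal. */
    const char *overlong = "/var/www/app/aaaaaaaaaaaaaaaaaaaa/../../etc/passwd";
    const char *ordinary = "/var/www/app/lib/util.inc";
    printf("vulnerable: overlong=%d ordinary=%d\n",
           vulnerable_path_check(overlong), vulnerable_path_check(ordinary));
    printf("hardened:   overlong=%d ordinary=%d\n",
           hardened_path_check(overlong), hardened_path_check(ordinary));
    return 0;
}
```

The vulnerable check accepts the overlong path because the first 31 bytes it looks at are just the allowed prefix plus padding; the hardened check rejects it on length alone and still accepts the ordinary include. In real code the length test should be followed by canonicalising the full path (realpath() into a buffer whose size is checked, or an equivalent) before the prefix comparison, which is what the linked safe_mode.c change moves towards.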
I forgot the CVE ids in my previous post.

- CAN-2004-1019: [06] ext/standard/var_unserializer.c, ext/standard/var_unserializer.re - negative reference index array underflow
- CAN-2004-1019: [07] ext/standard/var_unserializer.c, ext/standard/var_unserializer.re - reference to already freed array element
- CAN-2004-1063 (arbitrary command execution): [08] TSRM/tsrm_virtual_cwd.c - virtual_popen() safe_mode_exec_dir bypass
- CAN-2004-1064 (arbitrary file access through path truncation): [09] TSRM/tsrm_virtual_cwd.c - virtual_file_ex() does not protect itself against malfunctional realpath()
- CAN-2004-1064 (arbitrary file access through path truncation): [10] main/safe_mode.c - Overlong filename fools security checks
- CAN-2004-1065 (stack overflow): [11] ext/exif/exif.c - exif_read_data() overflow on long sectionname

*** Bug 144259 has been marked as a duplicate of this bug. ***

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2005-032.html