Full Disclosure mailing list archives
[ADVISORY] Remote Integer Underflow PHP 4.3.4 Vulnerability -BanSec Industries
From: "MR BABS" <mrbabs () gmail com>
Date: Sat, 13 May 2006 12:32:57 -0400
Advisory for immediate release:

This vulnerability exists in the PHP Apache SAPI POST parsing code:

PHP signed comparison vulnerability example

```c
/* {{{ sapi_apache_read_post */
static int sapi_apache_read_post(char *buffer, uint count_bytes TSRMLS_DC)
{
	uint total_read_bytes=0, read_bytes;
	request_rec *r = (request_rec *) SG(server_context);
	void (*handler)(int);

	/*
	 * This handles the situation where the browser sends a Expect: 100-continue header
	 * and needs to recieve confirmation from the server on whether or not it can send
	 * the rest of the request. RFC 2616
	 *
	 */
	if (!SG(read_post_bytes) && !ap_should_client_block(r)) {
		return total_read_bytes;
	}

	handler = signal(SIGPIPE, SIG_IGN);
	while (total_read_bytes<count_bytes) {
		/* start timeout timer */
		hard_timeout("Read POST information", r);
		read_bytes = get_client_block(r, buffer+total_read_bytes, count_bytes-total_read_bytes);
		reset_timeout(r);
		if (read_bytes<=0) {
			break;
		}
		total_read_bytes += read_bytes;
	}
	signal(SIGPIPE, handler);
	return total_read_bytes;
}
```

It is possible to make read_bytes negative and not trigger the conditional statement 'if (read_bytes<=0)'. This is possible because read_bytes is an unsigned integer, as get_client_block can be made to return a negative value.

Correct exploitation of this vulnerability can result in the execution of arbitrary code. BanSec Industries has successfully constructed an exploit for this vulnerability, and as such is offering it for $20,000 USD. We have already provided the blackhats with a working exploit; however, we've also provided them with our new BanKit, a kernel mode Linux rootkit, so you won't notice you've been hacked.

Have a nice day,
Bob BanCert, CISSP

(PHP Devs suck at spelling, by the way.)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
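The signed/unsigned mismatch the post describes, reduced to a stand-alone C program. This is an added illustration, not PHP's or Apache's code: fake_req and fake_get_client_block are constructed stand-ins for Apache's request_rec and get_client_block(), and the 11-byte body, the 5-byte chunking and the failure offset are made-up test data. The first reader keeps the post's unsigned read_bytes, so a -1 return becomes UINT_MAX, the '<= 0' check cannot fire and the running total wraps; the second reader keeps the callee's signed return type until after the sign check, which is the defensive form.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Apache's request_rec (not the real struct). */
typedef struct {
    const char *src;   /* the POST body the client sent */
    long src_len;
    long pos;          /* how much of it has been handed to the reader */
    long chunk;        /* most bytes returned by one call */
    long fail_at;      /* return -1 once pos reaches this offset */
} fake_req;

/* Constructed stand-in for get_client_block(): returns bytes copied, or -1 on
 * error, as the real function can. Once pos reaches fail_at every call fails,
 * which models a client that disappears mid-body. */
static long fake_get_client_block(fake_req *r, char *dst, unsigned int want)
{
    if (r->pos >= r->fail_at)
        return -1;                      /* error path */
    long n = r->src_len - r->pos;
    if (n > (long)want) n = (long)want;
    if (n > r->chunk)   n = r->chunk;
    memcpy(dst, r->src + r->pos, (size_t)n);
    r->pos += n;
    return n;
}

/* The pattern from the post: read_bytes is unsigned, so -1 becomes UINT_MAX,
 * 'read_bytes <= 0' can only ever mean '== 0' and never fires, and the
 * unsigned total wraps instead of the loop stopping. */
static unsigned int read_post_unsigned(fake_req *r, char *buffer, unsigned int count_bytes)
{
    unsigned int total = 0, read_bytes;
    while (total < count_bytes) {
        read_bytes = fake_get_client_block(r, buffer + total, count_bytes - total);
        if (read_bytes <= 0)        /* never true for UINT_MAX */
            break;
        total += read_bytes;        /* 5 + UINT_MAX wraps to 4, then 3, ... */
    }
    return total;                   /* caller is told it read UINT_MAX bytes */
}

/* Hardened form: keep the callee's signed type until the sign check is done,
 * then widen. A short read is reported honestly as total < count_bytes. */
static unsigned int read_post_signed(fake_req *r, char *buffer, unsigned int count_bytes)
{
    unsigned int total = 0;
    long read_bytes;
    while (total < count_bytes) {
        read_bytes = fake_get_client_block(r, buffer + total, count_bytes - total);
        if (read_bytes <= 0)        /* -1 and 0 both stop the loop here */
            break;
        total += (unsigned int)read_bytes;
    }
    return total;
}

/* Constructed input: 11 bytes, delivered 5 at a time, connection failing
 * after the first 5 have been handed over. */
static const char body[] = "hello world";

static fake_req make_req(void)
{
    fake_req r = { body, (long)strlen(body), 0, 5, 5 };
    return r;
}

unsigned int demo_unsigned(void)
{
    char buf[64] = {0};
    fake_req r = make_req();
    return read_post_unsigned(&r, buf, (unsigned int)strlen(body));
}

unsigned int demo_signed(void)
{
    char buf[64] = {0};
    fake_req r = make_req();
    return read_post_signed(&r, buf, (unsigned int)strlen(body));
}

int main(void)
{
    printf("unsigned read_bytes: total = %u (UINT_MAX is %u)\n", demo_unsigned(), UINT_MAX);
    printf("signed   read_bytes: total = %u\n", demo_signed());
    return 0;
}
```

Build with something like cc -Wall -Wsign-conversion; both gcc and clang flag the implicit long-to-unsigned int narrowing in read_post_unsigned, which is the cheapest way to catch this class of defect before it ships. At runtime the symptom to look for in a caller is a byte count that exceeds what was requested, which the first reader produces and the second cannot.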
Current thread:
- [ADVISORY] Remote Integer Underflow PHP 4.3.4 Vulnerability -BanSec Industries MR BABS (May 13)
- Re: [ADVISORY] Remote Integer Underflow PHP 4.3.4 Vulnerability -BanSec Industries Matthew Murphy (May 13)