oss-sec mailing list archives
Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption
From: Stanislav Malyshev <smalyshev () gmail com>
Date: Mon, 18 May 2015 15:43:54 -0700
Hi!
About code execution, I haven't had the chance to focus on actual exploitation yet (I surely will in the near future), but as you can see from the original report (https://bugs.php.net/bug.php?id=69403), I pointed out several cases in which working on a so-crafted zval would lead to invalid memory access (with user controlled values as well), so I am pretty confident it is achievable.
These examples all seem to require specific code (like 'md5(str_repeat("a", 4294967294-1));') to be run. The probability that applications would contain this specific code with str_repeat argument controlled by remote user seems to be pretty low. However, if you can show exploiting this on a code of an application that is not specially crafted to demonstrate this issue, or at least resembles code that is likely to be deployed in a real application, I will gladly change my opinion. -- Stas Malyshev smalyshev () gmail com
Current thread:
- CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Andrea Palazzo (May 18)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Stanislav Malyshev (May 18)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Andrea Palazzo (May 18)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Stanislav Malyshev (May 18)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Andrea Palazzo (May 19)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Stanislav Malyshev (May 19)
- Re: Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Dennis (May 19)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Andrea Palazzo (May 18)
- Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption Stanislav Malyshev (May 18)