Bugtraq mailing list archives

PHP LiteSpeed SAPI out of boundaries read due to missing input validation


From: Imre RAD <imre.rad () search-lab hu>
Date: Mon, 25 Jan 2016 17:04:01 +0100

The LiteSpeed SAPI module in PHP did not sanitize several fields of the
LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c,
the parseRequest function calculated the addresses of these variables in
the following way:

    pReq->m_pScriptFile     = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff;
    pReq->m_pScriptName     = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff;
    pReq->m_pQueryString    = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff;
    pReq->m_pRequestMethod  = pReq->m_pReqBuf + pReq->m_pHeader->m_requestMethodOff;

These variables were then exported, so that they became available to PHP
code through the $_SERVER array.
The offset fields of the header (e.g. m_scriptFileOff) were not validated
at all, so the SAPI process read outside the request buffer and crashed
with a segmentation fault after receiving an invalid offset value.

Access to the SAPI socket is a prerequisite of the attack.
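The following is an added illustration of the missing check, not code from php-src or from the fix linked below. It models a simplified, hypothetical LSAPI-style header (struct names lsapi_header_ex / lsapi_req_ex are inventions for this example; the field names m_scriptFileOff etc. follow the advisory) and shows the address calculation with each offset bounds-checked against the number of bytes actually received, and with the string it points at required to be NUL-terminated inside the buffer, before any pointer is derived from it. The request bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the LSAPI request header:
 * only the four offset fields named in the advisory are modelled. */
struct lsapi_header_ex {
    uint32_t m_scriptFileOff;
    uint32_t m_scriptNameOff;
    uint32_t m_queryStringOff;
    uint32_t m_requestMethodOff;
};

/* Hypothetical request object; m_reqBufLen is the length that the
 * unchecked code never consulted. */
struct lsapi_req_ex {
    const char *m_pReqBuf;       /* raw request bytes read from the socket */
    size_t      m_reqBufLen;     /* number of bytes actually present */
    const struct lsapi_header_ex *m_pHeader;
    const char *m_pScriptFile;
    const char *m_pScriptName;
    const char *m_pQueryString;
    const char *m_pRequestMethod;
};

/* Returns 1 if off lies inside the buffer and the C string starting
 * there is NUL-terminated before the buffer ends, else 0. The memchr
 * call is bounded by the remaining bytes, so it never reads past len. */
static int offset_is_valid(const char *buf, size_t len, uint32_t off)
{
    if (off >= len)
        return 0;
    return memchr(buf + off, '\0', len - off) != NULL;
}

/* Hardened address calculation: every offset is validated against the
 * received length before being added to the buffer base.
 * Returns 0 on success, -1 if any field is out of bounds. */
int parse_request_checked(struct lsapi_req_ex *pReq)
{
    const char *buf = pReq->m_pReqBuf;
    size_t len = pReq->m_reqBufLen;
    const struct lsapi_header_ex *h = pReq->m_pHeader;

    if (!offset_is_valid(buf, len, h->m_scriptFileOff) ||
        !offset_is_valid(buf, len, h->m_scriptNameOff) ||
        !offset_is_valid(buf, len, h->m_queryStringOff) ||
        !offset_is_valid(buf, len, h->m_requestMethodOff))
        return -1;

    pReq->m_pScriptFile    = buf + h->m_scriptFileOff;
    pReq->m_pScriptName    = buf + h->m_scriptNameOff;
    pReq->m_pQueryString   = buf + h->m_queryStringOff;
    pReq->m_pRequestMethod = buf + h->m_requestMethodOff;
    return 0;
}

/* Constructed sample request body: four NUL-terminated fields.
 * Offsets: script file 0, script name 19, query string 30, method 34. */
static const char g_sample_buf[] =
    "/var/www/index.php\0/index.php\0a=1\0GET\0";
static const size_t g_sample_len = sizeof(g_sample_buf) - 1; /* 38 bytes */

/* Parses the sample with a caller-supplied method offset so that an
 * out-of-range value can be injected. Returns 0 or -1. */
int demo_parse(uint32_t method_off)
{
    struct lsapi_header_ex h = { 0, 19, 30, method_off };
    struct lsapi_req_ex req;
    memset(&req, 0, sizeof req);
    req.m_pReqBuf = g_sample_buf;
    req.m_reqBufLen = g_sample_len;
    req.m_pHeader = &h;
    return parse_request_checked(&req);
}

/* Same as demo_parse, but returns the parsed method string (or NULL). */
const char *demo_method(uint32_t method_off)
{
    struct lsapi_header_ex h = { 0, 19, 30, method_off };
    struct lsapi_req_ex req;
    memset(&req, 0, sizeof req);
    req.m_pReqBuf = g_sample_buf;
    req.m_reqBufLen = g_sample_len;
    req.m_pHeader = &h;
    if (parse_request_checked(&req) != 0)
        return NULL;
    return req.m_pRequestMethod;
}

int main(void)
{
    printf("valid offset   -> rc=%d method=%s\n", demo_parse(34), demo_method(34));
    printf("offset == len  -> rc=%d\n", demo_parse(38));
    printf("huge offset    -> rc=%d\n", demo_parse(0xFFFFFFFFu));
    return 0;
}
```

The check has to be made against the byte count really received on the socket, not against a size the header itself claims; a header field that the peer controls cannot be trusted to bound another field from the same peer.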


The fix is available with the commit:
https://github.com/php/php-src/commit/08080c18f5f3700af6242a338a2698502207ed45
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.

Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/

