Date: Thu, 16 Dec 2004 00:32:20 +0100
From: Stefan Esser <sesser@....net>
To: Martin Eiszner <martin@...sec.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: php unserialize


Dear Martin,

you were already told in November that the bugs you reported were known 
and fixed over 3 months ago in the PHP-CVS.

From your advisory it is obvious that you have not analysed the 
vulnerability you describe at all:

>1) Memory Corruption / buffer overflow
>======================================
>DESCRIPTION:
>Insufficient input validation of serialized strings leads to memory corruption and information disclosure.
>
>EXAMPLE script - "Segfault":
>---cut here---
><?
>$s = 's:9999999:"A";"';
>$a = unserialize($s);
>print $a;
>?>
>---cut here---
>  
>
This example clearly shows that you have no clue about what is going on. 
The bug in the unserializer is that it tries to copy the next 9999999 
bytes (starting with the 'A') into a properly allocated memory block. 
Unfortunately this will crash because it will try to read unpaged 
memory areas. There is no buffer overflow and no memory corruption in 
your example.

>REMARKS:
>leads to arbitrary code execution and file/information disclosure.
>  
>
How does reading unpaged memory lead to arbitrary code execution?

>=========================================================================================================================
>FOR SOME STRANGE REASONS HARDENED-PHP.NET HAS RELEASED THIS ADVISORY TODAY TOGETHER WITH A BUNCH OF OTHER VULNERABILITIES
>==========================================================================================================================
>  
>
Hardened-PHP has released an advisory about bugs in unserialize(). But 
the reported vulnerabilities are totally different from the stuff "you 
have found".
The Hardened-PHP advisory does NOT cover the unserialize() 
vulnerabilities fixed about 3 months ago by Marcus Boerger, because they 
were NOT found by me.
And yeah, some of the bugs Marcus fixed can lead to arbitrary code 
execution. (But the exploit will be a lot more unstable than an exploit 
for my bug [07])

Greetings
Stefan Esser
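The behaviour Stefan describes, a declared string length that is trusted before anyone checks whether that many bytes actually exist in the input, is the classic over-read in length-prefixed formats. The C below is an added example written for this archive page, not PHP's own unserializer code: a minimal parser for the `s:<len>:"<bytes>";` token that validates the declared length against the bytes remaining in the buffer before it copies anything, so the `s:9999999:"A";"` input from the quoted advisory is rejected instead of walking off the end of the string. The function and type names (`parse_serialized_string`, `php_str`) are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of parsing one serialized PHP string token s:<len>:"<bytes>"; */
typedef struct {
    char  *data;   /* malloc'd copy of the payload, NUL-terminated; NULL on failure */
    size_t len;    /* declared length, which the parser has verified is present */
} php_str;

/* Parse one serialized string from buf[0..buflen).
 * Returns 0 and fills *out on success; returns -1 and leaves *out zeroed on
 * any malformed, truncated, or oversized input. The decisive check is the
 * bounds test before memcpy: the declared length must fit inside the bytes
 * that remain after the opening quote, plus the closing `";`. */
int parse_serialized_string(const char *buf, size_t buflen, php_str *out)
{
    const char *p = buf, *end = buf + buflen;
    out->data = NULL;
    out->len = 0;

    if ((size_t)(end - p) < 2 || p[0] != 's' || p[1] != ':') return -1;
    p += 2;

    /* Decimal length, parsed digit by digit with an overflow guard so a
     * huge value cannot wrap into a small one. */
    if (p >= end || !isdigit((unsigned char)*p)) return -1;
    size_t n = 0;
    while (p < end && isdigit((unsigned char)*p)) {
        unsigned d = (unsigned)(*p - '0');
        if (n > (SIZE_MAX - d) / 10) return -1;
        n = n * 10 + d;
        p++;
    }
    if ((size_t)(end - p) < 2 || p[0] != ':' || p[1] != '"') return -1;
    p += 2;

    /* Bounds check: payload of n bytes plus `";` must already be in the buffer.
     * Written as two comparisons so n + 2 can never overflow. */
    size_t remaining = (size_t)(end - p);
    if (remaining < n || remaining - n < 2) return -1;
    if (p[n] != '"' || p[n + 1] != ';') return -1;

    char *copy = malloc(n + 1);
    if (!copy) return -1;
    memcpy(copy, p, n);          /* safe: n bytes verified present above */
    copy[n] = '\0';
    out->data = copy;
    out->len = n;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the crash case from the quoted advisory, a valid
     * token, and a payload containing quotes (fine, the format is length-prefixed). */
    const char *inputs[] = { "s:9999999:\"A\";\"", "s:1:\"A\";", "s:5:\"a\"b\"c\";", "s:3:\"ab\";" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        php_str r;
        if (parse_serialized_string(inputs[i], strlen(inputs[i]), &r) == 0) {
            printf("%-20s -> OK, %zu byte(s): %s\n", inputs[i], r.len, r.data);
            free(r.data);
        } else {
            printf("%-20s -> rejected (declared length exceeds input)\n", inputs[i]);
        }
    }
    return 0;
}
```

The point of the example is where the check sits: the declared length is compared against the real buffer size before the copy, which turns the unpaged-memory read Stefan describes into a clean parse error.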

