lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <56A64771.5030809@search-lab.hu>
Date: Mon, 25 Jan 2016 17:04:01 +0100
From: Imre RAD <imre.rad@...rch-lab.hu>
To: bugtraq@...urityfocus.com
Subject: PHP LiteSpeed SAPI out of boundaries read due to missing input validation

The LiteSpeed SAPI module in PHP did not sanitize several fields of the
LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c,
the parseRequest function calculated addresses of these variables in the
following way:

    pReq->m_pScriptFile     = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff;
    pReq->m_pScriptName     = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff;
    pReq->m_pQueryString    = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff;
    pReq->m_pRequestMethod  = pReq->m_pReqBuf + pReq->m_pHeader->m_requestMethodOff;

These variables were then exported, so they become available in PHP code
through the $_SERVER array.
These offset fields (e.g. m_scriptFileOff) of the header were not
validated at all, so a segmentation fault occurred in the SAPI process
after it received an invalid value.

Access to the SAPI socket is a prerequisite of the attack.


The fix is available with the commit:
https://github.com/php/php-src/commit/08080c18f5f3700af6242a338a2698502207ed45
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.

Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/
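The pattern described in the advisory, shown beside a checked variant, as an added example that is not part of the original message and not the php-src code or the referenced commit's fix. The struct layout (lsapi_hdr_ex, lsapi_req_ex), the m_reqBufLen field, the function names and the sample request bytes are all assumptions made for illustration; only the four offset fields named above are modeled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-in for the LSAPI request header: only the four
 * offset fields named in the advisory are modeled here. */
struct lsapi_hdr_ex {
    uint32_t m_scriptFileOff;
    uint32_t m_scriptNameOff;
    uint32_t m_queryStringOff;
    uint32_t m_requestMethodOff;
};

/* Assumed request view: the header plus the buffer the offsets index into.
 * m_reqBufLen (the number of bytes actually received) is the value the
 * unchecked version never consults. */
struct lsapi_req_ex {
    const struct lsapi_hdr_ex *m_pHeader;
    const char *m_pReqBuf;
    size_t      m_reqBufLen;
    const char *m_pScriptFile;
    const char *m_pScriptName;
    const char *m_pQueryString;
    const char *m_pRequestMethod;
};

/* Vulnerable pattern from the advisory: pointer = base + untrusted offset,
 * with no check that the offset lies inside the received buffer. Reading
 * through these pointers (e.g. to populate $_SERVER) walks out of bounds. */
void parse_request_unchecked(struct lsapi_req_ex *r)
{
    r->m_pScriptFile    = r->m_pReqBuf + r->m_pHeader->m_scriptFileOff;
    r->m_pScriptName    = r->m_pReqBuf + r->m_pHeader->m_scriptNameOff;
    r->m_pQueryString   = r->m_pReqBuf + r->m_pHeader->m_queryStringOff;
    r->m_pRequestMethod = r->m_pReqBuf + r->m_pHeader->m_requestMethodOff;
}

/* 1 if a NUL-terminated string starts at off and ends inside buf[0..len),
 * 0 otherwise. The off >= len test comes first so memchr never reads past
 * the end of the buffer. */
static int offset_names_string(const char *buf, size_t len, uint32_t off)
{
    if (off >= len)
        return 0;
    return memchr(buf + off, '\0', len - off) != NULL;
}

/* Checked variant: every offset is validated before a pointer is derived
 * from it. Returns 0 on success, -1 (with all four pointers left NULL) if
 * any field points outside the buffer or is not NUL-terminated inside it. */
int parse_request_checked(struct lsapi_req_ex *r)
{
    const struct lsapi_hdr_ex *h = r->m_pHeader;
    const uint32_t offs[4] = { h->m_scriptFileOff, h->m_scriptNameOff,
                               h->m_queryStringOff, h->m_requestMethodOff };
    r->m_pScriptFile = r->m_pScriptName = NULL;
    r->m_pQueryString = r->m_pRequestMethod = NULL;
    for (size_t i = 0; i < 4; i++)
        if (!offset_names_string(r->m_pReqBuf, r->m_reqBufLen, offs[i]))
            return -1;
    parse_request_unchecked(r);  /* all offsets now known to be in bounds */
    return 0;
}

/* Constructed sample request body (38 bytes): four NUL-terminated strings
 * at offsets 0, 19, 30 and 34. Not captured from a real LSAPI client. */
static const char sample_buf[] = "/var/www/index.php\0/index.php\0a=1\0GET\0";
#define SAMPLE_LEN (sizeof(sample_buf) - 1)

/* Well-formed header: all offsets land on strings inside the buffer. */
int demo_valid(void)
{
    struct lsapi_hdr_ex h = { 0, 19, 30, 34 };
    struct lsapi_req_ex r = { .m_pHeader = &h, .m_pReqBuf = sample_buf,
                              .m_reqBufLen = SAMPLE_LEN };
    if (parse_request_checked(&r) != 0)
        return 0;
    return strcmp(r.m_pRequestMethod, "GET") == 0 &&
           strcmp(r.m_pQueryString, "a=1") == 0;
}

/* Hostile header: m_queryStringOff far beyond the buffer, the kind of value
 * that crashed the unchecked parser. */
int demo_bad_offset(void)
{
    struct lsapi_hdr_ex h = { 0, 19, 0x7fffffffu, 34 };
    struct lsapi_req_ex r = { .m_pHeader = &h, .m_pReqBuf = sample_buf,
                              .m_reqBufLen = SAMPLE_LEN };
    return parse_request_checked(&r) == -1 && r.m_pQueryString == NULL;
}

/* Offset in range but the field runs off the end without a terminator:
 * pretend only 36 bytes arrived, so "GET\0" is cut to "GE". */
int demo_unterminated(void)
{
    struct lsapi_hdr_ex h = { 0, 19, 30, 34 };
    struct lsapi_req_ex r = { .m_pHeader = &h, .m_pReqBuf = sample_buf,
                              .m_reqBufLen = 36 };
    return parse_request_checked(&r) == -1;
}

int main(void)
{
    printf("valid request parsed:        %d\n", demo_valid());
    printf("out-of-range offset rejected: %d\n", demo_bad_offset());
    printf("unterminated field rejected:  %d\n", demo_unterminated());
    return 0;
}
```

The terminator check matters as much as the range check: an offset that is inside the buffer but whose string is not NUL-terminated before the received length still lets later strlen-style consumers read past the end.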
