Message-ID: <7351b7a60605130932p37821fdewd62c989e06a359f0@mail.gmail.com>
Date: Sat May 13 17:33:07 2006
From: mrbabs at gmail.com (MR BABS)
Subject: [ADVISORY] Remote Integer Underflow PHP 4.3.4 Vulnerability -BanSec Industries

Advisory for immediate release:

This vulnerability exists in the PHP Apache SAPI POST parsing code:

code
PHP signed comparison vulnerability example
/* {{{ sapi_apache_read_post
  */
static int sapi_apache_read_post(char *buffer,
                                        uint count_bytes TSRMLS_DC)
{
      uint total_read_bytes=0, read_bytes;
      request_rec *r = (request_rec *) SG(server_context);
      void (*handler)(int);
      /*
       * This handles the situation where the browser sends an Expect:
       * 100-continue header and needs to receive confirmation from the
       * server on whether or not it can send the rest of the request.
       * RFC 2616
       */
      if (!SG(read_post_bytes) && !ap_should_client_block(r)) {
           return total_read_bytes;
      }
      handler = signal(SIGPIPE, SIG_IGN);
      while (total_read_bytes<count_bytes) {
           /* start timeout timer */
           hard_timeout("Read POST information", r);
           read_bytes = get_client_block(r, buffer+total_read_bytes,
                                              count_bytes-total_read_bytes);
           reset_timeout(r);
           if (read_bytes<=0) {
                break;
           }
           total_read_bytes += read_bytes;
      }
      signal(SIGPIPE, handler);
      return total_read_bytes;
}
/code

It is possible to make read_bytes negative and not trigger the conditional
statement 'if (read_bytes<=0)'. This is possible because read_bytes is an
unsigned integer, and get_client_block can be made to return a negative
value. Correct exploitation of this vulnerability can result in the
execution of arbitrary code. BanSec Industries has successfully constructed
an exploit for this vulnerability, and as such are offering it for $20,000
USD.
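The unsigned-assignment pitfall the advisory describes, as a self-contained C model added here (it is not PHP or Apache code): a constructed stub stands in for get_client_block() and returns -1 once the fake body is exhausted, the loop shape from the advisory fails to stop on that error, and a variant that keeps the callee's signed return type stops correctly.

```c
#include <limits.h>
/* Constructed stand-in for Apache 1.3's get_client_block(): hands out
 * `*avail` bytes of a fake POST body, then returns -1 (the real function
 * returns long and uses -1 for errors). Not PHP or Apache code. */
static long fake_client_block(char *buf, unsigned count, unsigned *avail)
{
    unsigned n = count < *avail ? count : *avail;
    if (n == 0)
        return -1;                         /* body exhausted: error */
    for (unsigned i = 0; i < n; i++)
        buf[i] = 'A';
    *avail -= n;
    return (long)n;
}

/* The loop shape from the advisory. read_bytes is unsigned, so -1 is stored
 * as UINT_MAX, `read_bytes <= 0` is false, and total is advanced by UINT_MAX
 * (a decrement modulo 2^32). The stub keeps returning -1, so the counter
 * walks down to 0 and then wraps to UINT_MAX, which is what finally fails
 * `total < count_bytes`. Returns the final total. */
unsigned read_post_vulnerable(char *buffer, unsigned count_bytes, unsigned avail)
{
    unsigned total = 0, read_bytes;
    while (total < count_bytes) {
        read_bytes = fake_client_block(buffer + total, count_bytes - total, &avail);
        if (read_bytes <= 0)               /* unsigned: never negative */
            break;
        total += read_bytes;
    }
    return total;
}

/* Fixed variant: keep the callee's signed type, so -1 stays -1 and the
 * error branch is taken. Returns the bytes actually copied. */
unsigned read_post_fixed(char *buffer, unsigned count_bytes, unsigned avail)
{
    unsigned total = 0;
    long read_bytes;
    while (total < count_bytes) {
        read_bytes = fake_client_block(buffer + total, count_bytes - total, &avail);
        if (read_bytes <= 0)
            break;
        total += (unsigned)read_bytes;
    }
    return total;
}

/* Both drivers request 16 bytes from a constructed 10-byte body. */
unsigned demo_vulnerable(void) { char b[16]; return read_post_vulnerable(b, sizeof b, 10); }
unsigned demo_fixed(void)      { char b[16]; return read_post_fixed(b, sizeof b, 10); }
```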

We have already provided the blackhats with a working exploit however we've
also provided them with our new BanKit, a kernel mode linux rootkit, so you
won't notice you've been hacked.

Have a nice day,

Bob

BanCert, CISSP
(PHP Devs suck at spelling, by the way.)