exploit the possibilities

PHP 4.2.0 / 4.2.1 Remote Compromise / Denial Of Service

PHP 4.2.0 / 4.2.1 Remote Compromise / Denial Of Service
Posted Oct 27, 2017
Authored by Stefan Esser

PHP versions 4.2.0 and 4.2.1 suffer from an issue where depending on the processor architecture it may be possible for a remote attacker to either crash or compromise the web server.

tags | advisory, remote, web, denial of service, php
MD5 | e966da86f2a1eebadb8468cec478394a

PHP 4.2.0 / 4.2.1 Remote Compromise / Denial Of Service

Change Mirror Download
                           e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory: Remote Compromise/DOS Vulnerability in PHP
Release Date: 2002/07/22
Last Modified: 2002/07/22
Author: Stefan Esser [s.esser@e-matters.de]

Application: PHP 4.2.0, 4.2.1
Severity: A vulnerability within the multipart/form-data handler
could allow remote compromise of the web server.
Risk: Critical
Vendor Status: Patches Released.
Reference: http://security.e-matters.de/advisories/022002.html



Overview:

We have discovered a serious vulnerability within the default version
of PHP. Depending on the processor architecture it may be possible for a
remote attacker to either crash or compromise the web server.


Details:

PHP 4.2.0 introduced a completely rewritten multipart/form-data POST
handler. While I was working on the code in my role as PHP developer
i found a bug within the way the mime headers are processed.
A malformed POST request can trigger an error condition, that is not
correctly handled. Due to this bug it could happen that an uninit-
ialised struct gets appended to the linked list of mime headers.
When the lists gets cleaned or destroyed PHP tries to free the pointers
that are expected in the struct. Because of the lack of initialisation
those pointers contain stuff that was left on the stack by previous
function calls.

On the IA32 architecture (aka. x86) it is not possible to control what
will end up in the uninitialised struct because of the stack layout. All
possible code paths leave illegal addresses within the struct and PHP
will crash when it tries to free them.

Unfortunately the situation is absolutely different if you look on a
solaris sparc installation. Here it is possible for an attacker to free
chunks of memory that are full under his control. This is most probably
the case for several more non IA32 architectures.

Please note that exploitability is not only limited to systems that are
running malloc()/free() implementations that are known to be vulnerable
to control structure overwrites. This is because the internal PHP memory
managment implements its own linked list system that can be used to
overwrite nearly arbitrary memory addresses.


Proof of Concept:

e-matters is not going to release the exploit for this vulnerability to
the public.


Vendor Response:

22th July 2002 - An updated version of PHP which fixes this
vulnerability was released and can be downloaded at:

http://www.php.net/downloads.php

The vendor announcement is available at:

http://www.php.net/release_4_2_2.php


Recommendation:

If you are running PHP 4.2.x you should upgrade as soon as possible,
especially if your server runs on a non IA32 CPU. If you cannot upgrade
for whatever reason the only way to workaround this, is to disable all
kinds of POST requests on your server.


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6


Copyright 2002 Stefan Esser. All rights reserved.



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close