Stefan Esser's month of PHP bugs project is off and running with details on three unpatched vulnerabilities that could lead to program crashes and possible code execution attacks.
The first batch of flaws published on the project home page covers two recursion stack overflows and a reference counter overflow. These can lead to remotely triggerable crashes, Esser warned.
Exploit code for one of the bugs has also been released.
The first three advisories cover:
* PHP Variable Destructor Deep Recursion Stack Overflow -- One of the problems in PHP is that it does not enforce any kind of sanity checks for the depth of nested arrays, and because the variable registration is done in an iterative way it will accept any depth until the memory_limit is reached. Unfortunately the destruction of PHP arrays is done in a recursive way and therefore it can crash when the stack limit is exhausted. An attacker can use this fact to let PHP crash in a more or less controlled way. It is trivial to let it crash on script startup or at the end of the request.
* PHP Executor Deep Recursion Stack Overflow -- PHP does not protect against deep recursions. Whenever a PHP application goes into a very deep recursion it will crash when it runs out of stack. There are many PHP applications out there that can be forced into a deep recursion. When PHP crashes, many webservers will not log the request parameters, but only the crash, and secondly a crash will kill all other threads of a multithreaded webserver.
* PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability -- This is a PHP 4 security vulnerability that exploits a problem known for many years among the PHP developers. When a PHP application is run in PHP 4 it can overflow the variable reference counter because it is only 16 bit wide. Whenever this happens it will result in a double destruction of the underlying variable. A local attacker can easily create PHP code that uses such a double destruction to execute arbitrary code within the process executing PHP (e.g. webserver process). This allows bypassing restrictions enforced by disable_functions, open_basedir, SAFE_MODE or to launch direct local root exploits against the target system. See proof-of-concept exploit.
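The mechanism behind the first advisory, as an added C illustration that is not Esser's code and not the Zend engine source: a nested structure is built iteratively, so any depth is accepted, but a recursive destructor needs one stack frame per level, while an iterative destructor and an explicit depth check do not. The `node` type and the function names are constructed for this example.

```c
#include <stdlib.h>

/* Stand-in for a nested PHP array: each node holds one nested child, NULL at the
   innermost level. Constructed for this example, not the Zend engine's structures. */
typedef struct node { struct node *child; } node;

/* Iterative construction: like PHP's variable registration, any depth is
   accepted and no stack is consumed per level. */
node *build_nested(size_t depth) {
    node *root = NULL, **slot = &root;
    for (size_t i = 0; i < depth; i++) {
        node *n = malloc(sizeof *n);
        if (n == NULL) abort();
        n->child = NULL;
        *slot = n;
        slot = &n->child;
    }
    return root;
}

/* Iterative depth check: the sanity check the advisory says PHP lacks. Returns 1
   when the nesting is deeper than max_depth, walking at most max_depth+1 levels. */
int exceeds_depth(const node *n, size_t max_depth) {
    size_t depth = 0;
    for (; n != NULL; n = n->child) {
        if (++depth > max_depth) return 1;
    }
    return 0;
}

/* Recursive destruction, the pattern behind the crash: one stack frame per level,
   so a deep enough structure exhausts the stack. Only safe for bounded depths. */
void free_recursive(node *n) {
    if (n == NULL) return;
    free_recursive(n->child);
    free(n);
}

/* Iterative destruction: constant stack usage whatever the depth. Returns the
   number of levels freed. */
size_t free_iterative(node *n) {
    size_t freed = 0;
    while (n != NULL) {
        node *next = n->child;
        free(n);
        n = next;
        freed++;
    }
    return freed;
}
```

A million-level structure tears down fine through `free_iterative`; the same structure handed to `free_recursive` is exactly the stack exhaustion the advisory describes, which is why the depth check belongs before any recursive walk.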