Flaw trifecta kicks off Month of PHP bugs

Summary: Stefan Esser's month of PHP bugs project is off and running with details on three unpatched vulnerabilities that could lead to program crashes and possible code execution attacks. The first batch of flaws published on the project home page covers two recursion stack overflows and a reference counter overflow.

Stefan Esser's month of PHP bugs project is off and running with details on three unpatched vulnerabilities that could lead to program crashes and possible code execution attacks.

The first batch of flaws published on the project home page covers two recursion stack overflows and a reference counter overflow. These can lead to remotely triggerable crashes, Esser warned.

Exploit code for one of the bugs has also been released.

The first three advisories cover:

* PHP Variable Destructor Deep Recursion Stack Overflow -- One of the problems in PHP is that it does not enforce any kind of sanity checks for the depth of nested arrays and because the variable registration is done in an iterative way it will accept any depth until the memory_limit is reached. Unfortunately the destruction of PHP arrays is done in a recursive way and therefore it can crash when the stack limit is exhausted. An attacker can use this fact to let PHP crash in a more or less controlled way. It is trivial to let it crash on script startup or at the end of the request.

* PHP Executor Deep Recursion Stack Overflow -- PHP does not protect against deep recursions. Whenever a PHP application goes into a very deep recursion it will crash when it runs out of stack. There are many PHP applications out there that can be forced into a deep recursion. When PHP crashes, many webservers will not log the request parameters, but only the crash, and secondly a crash will kill all other threads of a multithreaded webserver.

* PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability -- This is a PHP 4 security vulnerability that exploits a problem known for many years among the PHP developers. When a PHP application is run in PHP 4 it can overflow the variable reference counter because it is only 16 bit wide. Whenever this happens it will result in a double destruction of the underlying variable. A local attacker can easily create PHP code that uses such a double destruction to execute arbitrary code within the process executing PHP (e.g. webserver process). This allows bypassing restrictions enforced by disable_functions, open_basedir, SAFE_MODE or to launch direct local root exploits against the target system. See proof-of-concept exploit.
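The first two advisories above turn on the same point: data nested or recursing deeper than the stack allows crashes the engine, and a check that is itself recursive would fail the same way. As an added example (not code from the advisories or from the article), the function below measures nesting depth with an explicit stack instead of recursion and rejects data deeper than a chosen limit before the application processes it. Since the first advisory notes the crash can happen on script startup, during PHP's own request-variable registration, a userland check like this only protects data the application decodes itself (unserialized or similar structures); the request-variable case needs a fix in PHP.

```php
<?php
// Added example, not from the MOPB advisories or the ZDNet article.
// Returns true when no array inside $data is nested deeper than $maxDepth.
// The walk uses an explicit stack, so checking hostile input cannot itself
// exhaust the call stack the way a recursive walk would.
function nesting_depth_within(array $data, $maxDepth)
{
    // Each stack entry is array(array, depth); depth 1 is the outermost array.
    $stack = array(array($data, 1));
    while (!empty($stack)) {
        list($current, $depth) = array_pop($stack);
        if ($depth > $maxDepth) {
            return false;
        }
        foreach ($current as $value) {
            if (is_array($value)) {
                $stack[] = array($value, $depth + 1);
            }
        }
    }
    return true;
}

// Constructed sample input: a structure nested 10000 levels deep, built
// iteratively so that constructing it does not recurse either. This stands
// in for application-decoded data, not for PHP's own request variables.
$deep = array();
for ($i = 0; $i < 10000; $i++) {
    $deep = array($deep);
}

// Ordinary application data, nested three levels, passes a limit of 64.
$normal = array('user' => array('name' => 'x', 'tags' => array('a', 'b')));

var_dump(nesting_depth_within($normal, 64));
var_dump(nesting_depth_within($deep, 64));
```

The limit is an application decision; 64 levels is far more than typical request structures need while staying well below the depth at which the advisories describe the engine crashing.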

  • Squelching Hackers

    I for one have had it up to here with the hackers. I think there must be some way it was in the beginning. I totally enjoy the browsing experience, but what a hassle it is to get viruses, trojans, worms, adware, malware, pups, hijackers, BHO, whatever they are! Why can't we find these @#$%^&*&^%$#@ and charge them with something within the law and have peace of mind out here. Also I can't begin to tell you how much money they have cost me in losses, through the past few months alone....... Multiply that by the millions of people out there, that know nothing else but to buy new hard drives and start all over.....
    LByer1@...