X
Tech
Home Tech Security

Flaw trifecta kicks off Month of PHP bugs

Stefan Esser's month of PHP bugs project is off and running with details on three unpatched vulnerabilities that could lead to program crashes and possible code execution attacks. The first batch of flaws published on the project home page covers two recursion stack overflows and a reference counter overflow.
Written by Ryan Naraine, Contributor
Stefan Esser's month of PHP bugs project is off and running with details on three unpatched vulnerabilities that could lead to program crashes and possible code execution attacks.
Month of PHP Bugs

The first batch of flaws published on the project home page covers two recursion stack overflows and a reference counter overflow. These can lead to remotely triggable crashes, Esser warned.

Exploit code for one of the bugs has also been released.

The first three advisories cover:

* PHP Variable Destructor Deep Recursion Stack Overflow -- One of the problems in PHP is that it does not enforce any kind of sanity checks for the depth of nested arrays and because the variable registration is done in a iterative way it will accept any depth until the memory_limit is reached. Unfortunately the destruction of PHP arrays is done in a recursive way and therefore it can crash when the stack limit is exhausted. An attacker can use this fact to let PHP crash in a more or less controlled way. It is trivial to let it crash on script startup or at the end of the request.

* PHP Executor Deep Recursion Stack Overflow -- PHP does not protect against deep recursions. Whenever a PHP application goes into a very deep recursion it will crash when it runs out of stack. There are many PHP applications out there that can be forced into a deep recursion. When PHP crashs, many webservers will not log the request parameters, but only the crash and secondly a crash will kill all other threads of a multithreaded webserver.

* PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability -- This is a PHP 4 security vulnerability that exploits a problem known for many years among the PHP developers. When a PHP application is run in PHP 4 it can overflow the variable reference counter because it is only 16 bit wide. Whenever this happens it will result in a double destruction of the underlying variable. A local attacker can easily create PHP code that uses such a double destruction to execute arbitrary code within the process executing PHP (e.g. webserver process). This allows bypassing restrictions enforced by disable_functions, open_basedir, SAFE_MODE or to launch direct local root exploits against the target system. See proof-of-concept exploit.

Editorial standards
Show Comments

Related

Memory feature in ChatGPT

OpenAI makes 'Memory' available to all ChatGPT Plus subscribers - how to use it

entrypoint-pr.png

GitHub releases an AI-powered tool aiming for a 'radically new way of building software'

pxl-20240424-181716738

Sorry, you really can't disable Facebook's Meta AI tool - but here's what you can do