PHP 5.3.3 - ibase_gen_id off-by-one Overflow Vulnerability

2010-08-18T00:00:00
ID EDB-ID:14678
Type exploitdb
Reporter Canberk BOLAT
Modified 2010-08-18T00:00:00

Description

PHP 5.3.3 ibase_gen_id() off-by-one Overflow Vulnerability. Dos exploit for php platform

                                        
                                            === Vulnerability ===
PHP 5.3.3 (Possible All versions) ibase_gen_id() off-by-one overflow

=== Author ===
cb

=== Description ===
User-supplied variable "generator" copied to 128 byte buffer "query"
size of query variable. So
its cause off-by-one overflow. You can see [1] snprintf copy statement
to "query" variable.

/* {{{ proto int ibase_gen_id(string generator [, int increment [,
resource link_identifier ]])
   Increments the named generator and returns its new value */
PHP_FUNCTION(ibase_gen_id)
{
	zval *link = NULL;
	char query[128], *generator;
	int gen_len;
	long inc = 1;
	ibase_db_link *ib_link;
	ibase_trans *trans = NULL;
	XSQLDA out_sqlda;
	ISC_INT64 result;

	RESET_ERRMSG;

	if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,
"s|lr", &generator, &gen_len,
			&inc, &link)) {
		RETURN_FALSE;
	}

	PHP_IBASE_LINK_TRANS(link, ib_link, trans);
	
	[1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
rdb$database", generator, inc);
...
}	

=== Patch ===
	Replace [1] with [2].
	
	--- [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
rdb$database", generator, inc);
	+++ [2] snprintf(query, sizeof(query) - 1  "SELECT GEN_ID(%s,%ld)
FROM rdb$database", generator, inc);

===========================================================================
Download:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14678.zip (ibase_gen_id_poc.zip)