php -- memory_limit related vulnerability

ID DD7AA4F1-102F-11D9-8A8A-000C41E2CDAD
Type freebsd
Reporter FreeBSD
Modified 2004-10-02T00:00:00


Stefan Esser of e-matters discovered a condition within PHP that may lead to remote execution of arbitrary code. The memory_limit facility is used to notify functions when memory constraints have been met. Under certain conditions, entry into this facility can interrupt functions such as zend_hash_init() at locations not suitable for interruption, leaving these functions in a vulnerable state.

An attacker that is able to trigger the memory_limit abort within zend_hash_init() and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer. [...] All mentioned places outside of the extensions are quite easy to exploit, because the memory allocation up to those places is deterministic and quite static throughout different PHP versions. [...] Because the exploit itself consists of supplying an arbitrary destructor pointer, this bug is exploitable on any platform.