Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:3085
HistoryMar 25, 2008 - 12:00 a.m.

PHP 5 php_sprintf_appendstring()函数整数溢出漏洞

2008-03-2500:00:00
Root
www.seebug.org
16

0.019 Low

EPSS

Percentile

87.3%

JSON

BUGTRAQ ID: 28392
CVE(CAN) ID: CVE-2008-1384

PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。

PHP formatted_print.c文件的*printf()函数存在整数溢出漏洞,能够执行PHP脚本的攻击者可能利用此漏洞提升权限。

在formatted_print.c文件的php_sprintf_appendstring()函数中:

  • —formatted_print.c-start—
    inline static void
    php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
    int min_width, int max_width, char padding,
    int alignment, int len, int neg, int expprec, int always_sign)
  • —formatted_print.c-end—

主变量为npad。

  • —formatted_print.c-start—
    copy_len = (expprec ? MIN(max_width, len) : len);
    npad = min_width - copy_len;
  • —formatted_print.c-end—

这里npad为2147483646。

  • —formatted_print.c-start—
    req_size = *pos + MAX(min_width, copy_len) + 1;

  • —formatted_print.c-end—

    req_size overflow

  • —formatted_print.c-start—
    if (req_size > *size) {
    while (req_size > *size) {
    *size <<= 1;
    }
    PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
    *buffer = erealloc(*buffer, *size);
    }

  • —formatted_print.c-end—

(req_size > *size)为False,(alignment == ALIGN_RIGHT)为True,因此

  • —formatted_print.c-start—
    while (npad-- > 0) {
    (*buffer)[(*pos)++] = padding;
    }
  • —formatted_print.c-end—

gdb调试结果如下:

  • — Debug —
    0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c,
    size=0xbfbfd324, add=0x28f20404 ‘A’ <repeats 200 times>…,
    min_width=2147483646, max_width=0, padding=65 ‘A’, alignment=1, len=1,
    neg=0, expprec=0, always_sign=0)

0x290fff0c: ‘A’ <repeats 200 times>…
0x290fffd4: ‘A’ <repeats 44 times> <Error reading address 0x29100000: Bad
address>
0x29100000: <Error reading address 0x29100000: Bad address>

  • — Debug —

脚本会向内存分配大量数据,导致拒绝服务或执行任意指令。

PHP 5.2.5
PHP

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

<a href=“http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&amp;view=markup” target=“_blank”>http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&amp;view=markup</a>

Related

openvas 14
prion 1
securityvulns 2
ubuntucve 1
redhatcve 1
freebsd 1
nessus 8
cve 1
osv 1
debian 1
ubuntu 1
gentoo 1
openvas
openvas
FreeBSD Ports: php5
2008-09-04 00:00:00
FreeBSD Ports: php5
2008-09-04 00:00:00
Debian Security Advisory DSA 1572-1 (php5)
2008-05-27 00:00:00
prion
prion
Integer overflow
2008-03-27 17:44:00
securityvulns
securityvulns
PHP integer overflow
2008-03-22 00:00:00
{securityreason.com}PHP 5 *printf&#40;&#41; - Integer Overflow
2008-03-22 00:00:00
ubuntucve
ubuntucve
CVE-2008-1384
2008-03-27 00:00:00
redhatcve
redhatcve
CVE-2008-1384
2015-10-30 10:11:58
freebsd
freebsd
php -- integer overflow vulnerability
2008-03-21 00:00:00
nessus
nessus
FreeBSD : php -- integer overflow vulnerability (f6377f08-12a7-11dd-bab7-0016179b2dd5)
2008-05-02 00:00:00
Debian DSA-1572-1 : php5 - several vulnerabilities
2008-05-13 00:00:00
openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5379)
2008-07-02 00:00:00
cve
cve
CVE-2008-1384
2008-03-27 17:44:00
osv
osv
php5 - several vulnerabilities
2008-05-11 00:00:00
debian
debian
[SECURITY] [DSA 1572-1] New php5 packages fix several vulnerabilities
2008-05-11 15:15:59
ubuntu
ubuntu
PHP vulnerabilities
2008-07-23 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2008-11-16 00:00:00

0.019 Low

EPSS

Percentile

87.3%

JSON
Related for SSV:3085
openvas14prion1securityvulns2ubuntucve1redhatcve1freebsd1nessus8cve1osv1debian1ubuntu1gentoo1