PHP 5.3.3 ibase_gen_id() off-by-one Overflow Vulnerability

2014-07-01T00:00:00
ID SSV:69621
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

=== Vulnerability ===
PHP 5.3.3 (Possible All versions) ibase_gen_id() off-by-one overflow

=== Author ===
cb

=== Description ===
The user-supplied variable "generator" is copied into the 128-byte buffer "query" using the size of the query variable, which causes an off-by-one overflow. See the snprintf copy statement marked [1], which writes into the "query" variable.

/* {{{ proto int ibase_gen_id(string generator [, int increment [, resource link_identifier ]])
   Increments the named generator and returns its new value */
PHP_FUNCTION(ibase_gen_id)
{
	zval *link = NULL;
	char query[128], *generator;
	int gen_len;
	long inc = 1;
	ibase_db_link *ib_link;
	ibase_trans *trans = NULL;
	XSQLDA out_sqlda;
	ISC_INT64 result;

	RESET_ERRMSG;

	if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|lr", &generator, &gen_len, &inc, &link)) {
		RETURN_FALSE;
	}

	PHP_IBASE_LINK_TRANS(link, ib_link, trans);

	[1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);
	...
}
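The following is an added example, not PHP's own code, showing how a practitioner would verify what a bounded snprintf into a fixed 128-byte buffer actually does with an over-long generator name: it builds the same query string into a hypothetical buffer guarded by a sentinel byte, checks that the sentinel survives and that the result is NUL-terminated, and uses the snprintf return value to detect truncation so that a cut-off statement is never handed to the database. The helper names (build_gen_id_query, probe, probe_generator_of_length) and the 'A'-filled generator names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_LEN 128 /* same fixed size as the advisory's query[128] */

/* Hypothetical helper: format the GEN_ID statement into a QUERY_LEN buffer.
 * snprintf writes at most QUERY_LEN bytes including the terminating NUL and
 * returns the length the complete string would have had, so any return value
 * >= QUERY_LEN means the output was truncated. Returns true only if it fit. */
bool build_gen_id_query(char out[QUERY_LEN], const char *generator, long inc)
{
    int n = snprintf(out, QUERY_LEN, "SELECT GEN_ID(%s,%ld) FROM rdb$database",
                     generator, inc);
    if (n < 0 || (size_t)n >= QUERY_LEN) {
        /* Truncated or encoding error: refuse to use a half-written query. */
        return false;
    }
    return true;
}

/* A guard byte placed directly after the buffer (no padding: char alignment
 * is 1) lets us observe whether anything was written past the 128 bytes. */
struct guarded {
    char query[QUERY_LEN];
    unsigned char guard;
};

/* Returns 1 if the query fit, 0 if it was truncated but stayed in bounds,
 * -1 if the guard byte was clobbered or the buffer is not NUL-terminated. */
int probe(const char *generator, long inc)
{
    struct guarded g;
    memset(&g, 0, sizeof g);
    g.guard = 0xA5;

    bool fit = build_gen_id_query(g.query, generator, inc);

    if (g.guard != 0xA5)
        return -1; /* write ran past the buffer */
    if (memchr(g.query, '\0', QUERY_LEN) == NULL)
        return -1; /* no terminator inside the buffer */
    return fit ? 1 : 0;
}

/* Convenience wrapper: probe with a constructed generator name of 'A' * len.
 * The fixed text around %s is 35 characters, so len 92 exactly fills the
 * buffer (127 chars + NUL) and len 93 is the first truncated case. */
int probe_generator_of_length(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    int r = probe(name, 1);
    free(name);
    return r;
}

int main(void)
{
    size_t lens[] = {6, 92, 93, 200};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("generator length %3zu -> %d\n", lens[i],
               probe_generator_of_length(lens[i]));
    }
    return 0;
}
```

Running it shows the boundary: a 92-character name fits, a 93-character name is reported as truncated, and in neither case is the guard byte touched or the terminator missing. The check on the snprintf return value is the part worth carrying into real code, since a silently truncated SQL statement is a correctness and security problem in its own right.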

=== Patch ===
	Replace [1] with [2].
	
	--- [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
rdb$database", generator, inc);
	+++ [2] snprintf(query, sizeof(query) - 1  "SELECT GEN_ID(%s,%ld)
FROM rdb$database", generator, inc);
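Review bot: the replacement line [2] is missing the comma between `sizeof(query) - 1` and the format string, so it will not compile as written; it should read `snprintf(query, sizeof(query) - 1, "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);`. Note also that the size argument of snprintf already counts the terminating NUL, so the original call in [1] writes at most 127 characters plus the terminator into the 128-byte buffer, and subtracting one only shortens the usable space by a byte without changing that bound. A change that actually improves the function is to test the return value and refuse to execute the statement when it is >= sizeof(query), because a truncated query is not the statement the caller asked for.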

===========================================================================
Download:
http://www.exploit-db.com/sploits/ibase_gen_id_poc.zip