PHP Patches Buffer Overflow Vulnerabilities

UPDATE Developers at PHP recently pushed out a series of patches to fix a handful of vulnerabilities, including one that can lead to a heap-based buffer overflow.

Researchers at the Swiss firm High-Tech Bridge dug up the vulnerabilities in versions 5.6.1, 5.5.17, and 5.4.33 of the framework.

The biggest and most serious bug, CVE-2014-3669, deals with the unserialize() function in 32-bit systems. While PHP was quick to patch the issue in late September, it wasn’t until this week that High-Tech Bridge delved deeper into the flaw and published a step-by-step walkthrough of their proof of concept.

Looking at code snippets from PHP through a debugger, researchers got PHP to crash when it came across “the frame zero line 356, followed by its caller at line 387.”

Playing around with values, they were able to overflow the integer, which in turn got the code to point to an invalid memory address.

In his write-up of the bug, Symeon Paraschoudis, a researcher at the firm, dubs it a read access violation but admits that it’s probably not exploitable.

Stefan Esser, an independent security consultant and PHP expert, echoed those thoughts, and concurred that this particular integer overflow is not exploitable as there are no writes inside unserialize() to that buffer.

Regardless, the bug must have been a cause for concern for PHP developers; Paraschoudis disclosed the bug on Sept. 25 and PHP pushed a patch just three days later.

Stanislav Malyshev, a PHP developer, called it a “real bug,” at the time and claimed that it could be leveraged to trigger at least crash, theoretically info disclosure.”

The patch, which was included alongside two other issues (CVE-2014-3668 and CVE-2014-3670) in the framework for versions 5.6.2, 5.5.18 and 5.4.34 last week, both fixes the issue and prevents PHP from crashing or segfaulting, a memory access violation that can lead to crashing.

Note: This article was updated on October 27 to add comments from PHP security expert Stefan Esser.