Hi list-eners, ========================================================== Title: Php shmop write of arbitrary memory - Safe Mode Bypass Affected: Php <= 5.0.2 & 4.3.9 if shmop module is loaded. Vulnerability Type: Input Validation - write of arbitrary memory ==Summary Shared Memory PHP Module has a memory leak when shmop_write function checks for offset bounds. This flaw could lead to bypass Safe Mode and other bad things. ==Description shmop.c in PHP_FUNCTION(shmop_write) function does not check if the 'offset' value is negative, so it is possible to overwrite arbitrary memory with: memcpy(shmop->addr + offset, data, writesize); this, in particular can be used to set safe_mode to off. Attached there's a Proof of concept for this vuln. It needs some gdb debugging or print the address of core_globals.safe_mode and some try to get the right distance to set in '$offset'. Of course shmop.so needs to be loaded as module or embedded in php bins.:) Solution: Update php to 5.0.3 or 4.3.10 Regards, Stefano Di Paola -- ......---oOOo--------oOOo---...... Stefano Di Paola Software Engineer Email: stefano.dipaola_at_wisec.it Email: stefano.dipaola1_at_tin.it Web: www.wisec.it ..................................
Attachment:
safe_mode_bypass.php
Description: application/php