CVE-2004-1018
CVSS 10.0
Published: 2005-01-10 00:00:00
Revised: 2016-10-17 22:50:46

[Original text] Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.


[CNNVD] PHP multiple design vulnerabilities (CNNVD-200501-162)

        PHP is a popular web scripting language.
        PHP versions before 4.3.10 contain multiple integer handling design flaws that allow bypassing safe mode restrictions, denial of service, or execution of arbitrary code.
        The vulnerability can be exploited via: (1) a negative offset value passed to the shmop_write function; (2) an integer overflow in the pack function; (3) an integer overflow in the unpack function.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10949 Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execut...
*OVAL describes in detail how this vulnerability is detected; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1018
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1018
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-162
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110314318531298&w=2
(UNKNOWN)  BUGTRAQ  20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
http://marc.info/?l=bugtraq&m=111117104809638&w=2
(UNKNOWN)  UBUNTU  USN-99-1
http://www.hardened-php.net/advisories/012004.txt
(UNKNOWN)  MISC  http://www.hardened-php.net/advisories/012004.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
(UNKNOWN)  MANDRAKE  MDKSA-2004:151
http://www.mandriva.com/security/advisories?name=MDKSA-2005:072
(UNKNOWN)  MANDRAKE  MDKSA-2005:072
http://www.php.net/release_4_3_10.php
(UNKNOWN)  CONFIRM  http://www.php.net/release_4_3_10.php
http://www.redhat.com/support/errata/RHSA-2005-032.html
(UNKNOWN)  REDHAT  RHSA-2005:032
http://www.redhat.com/support/errata/RHSA-2005-816.html
(UNKNOWN)  REDHAT  RHSA-2005:816
http://www.securityfocus.com/advisories/9028
(UNKNOWN)  HP  HPSBMA01212
http://www.securityfocus.com/archive/1/384920
(UNKNOWN)  BUGTRAQ  20041219 PHP shmop.c module permits write of arbitrary memory.
http://www.securityfocus.com/bid/12045
(UNKNOWN)  BID  12045
http://xforce.iss.net/xforce/xfdb/18515
(UNKNOWN)  XF  php-shmopwrite-outofbounds-memory(18515)
https://bugzilla.fedora.us/show_bug.cgi?id=2344
(UNKNOWN)  FEDORA  FLSA:2344

- Vulnerability information

PHP multiple design vulnerabilities
Critical  Buffer overflow
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote / Local
        PHP is a popular web scripting language.
        PHP versions before 4.3.10 contain multiple integer handling design flaws that allow bypassing safe mode restrictions, denial of service, or execution of arbitrary code.
        The vulnerability can be exploited via: (1) a negative offset value passed to the shmop_write function; (2) an integer overflow in the pack function; (3) an integer overflow in the unpack function.

- Advisories and patches

        The vendor has released an upgrade to fix this security issue; it can be obtained from:
        http://www.php.net/dowlaods.php

- Vulnerability information (24854)

PHP 3/4/5 Multiple Local And Remote Vulnerabilities (1) (EDBID:24854)
php dos
2004-12-15 Verified
0 Stefan Esser
N/A
source: http://www.securityfocus.com/bid/11964/info

PHP4 and PHP5 are reported prone to multiple local and remote vulnerabilities that may lead to code execution within the context of the vulnerable process. The following specific issues are reported:

A heap-based buffer overflow is reported to affect the PHP 'pack()' function call. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to execute arbitrary instructions in the context of the vulnerable process.

A heap-based memory disclosure vulnerability is reported to affect the PHP 'unpack()' function call. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to reveal portions of the process heap.

PHP safe_mode_exec_dir is reported prone to an access control bypass vulnerability. A local attacker that can manipulate the directory name from which the PHP script is called, may bypass 'safe_mode_exec_dir' restrictions by placing shell metacharacters and restricted commands into the directory name of the current directory.

PHP safe_mode is reported prone to an access control bypass vulnerability. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to execute commands that are otherwise restricted by PHP safe_mode.

PHP is reported prone to a 'realpath()' path truncation vulnerability. The vulnerability exists due to a lack of sanitization as to whether a path has been silently truncated by the libc realpath() function or not. This may lead to remote file include vulnerabilities in some cases.

The PHP function 'unserialize()' is reported prone to a memory corruption vulnerability. This corruption may be leveraged by a remote attacker that has the ability to make the PHP interpreter run a malicious script to execute arbitrary code in the context of the vulnerable process.

The PHP function 'unserialize()' is also reported prone to an information disclosure vulnerability. This issue may be leveraged by a remote attacker to disclose the contents of heap memory. This may allow them to gain access to potentially sensitive information, such as database credentials.

Finally, the PHP function 'unserialize()', is reported prone to an additional vulnerability. It is reported that previous versions of this function allow a malicious programmer to set references to entries of a variable hash that have already been freed. This can lead to remote memory corruption.

EXAMPLE script - "Segfault":
---cut here---
<?
$s = 's:9999999:"A";"';
$a = unserialize($s);
print $a;
?>
---cut here---

EXAMPLE script - "Memory Dump":
---cut here---
<?
// session- and stuff
$secret_username="uaaaa";
$secret_password="hoschi";

// stuff
// $c = $_COOKIE ['crypted_stuff']
// $c = some cookie
/* simplyfied --> userinput */ $c = 's:30000:"crap";';

$userdata = unserialize($c);
//
// check $userdata stuff
// for some reason output $userdata
print $userdata . "\n is NOT valid !!\n";

// stuff
?>
---cut here---

- Vulnerability information (F35361)

012004.txt (PacketStormID:F35361)
2004-12-30 00:00:00
Stefan Esser  hardened-php.net
advisory,remote,arbitrary,local,php,vulnerability
CVE-2004-1018,CVE-2004-1019,CVE-2004-1063,CVE-2004-1064

Hardened-PHP Project Security Advisory - Several vulnerabilities within PHP allow local and remote execution of arbitrary code. PHP4 versions 4.3.9 and below and PHP5 version 5.0.2 and below are affected.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser [sesser@php.net]

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow 
               local and remote execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
   References: http://www.hardened-php.net/advisories/012004.txt


Overview:

   PHP is a widely-used general-purpose scripting language that is 
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP 
   were discovered that reach from buffer overflows, over information 
   leak vulnerabilities and path truncation vulnerabilities to
   safe_mode restriction bypass vulnerabilities.
   

Details:

   [01 - pack() - integer overflow leading to heap buffer overflow ]
   
   Insufficient validation of the parameters passed to pack() can
   lead to a heap overflow which can be used to execute arbitrary
   code from within a PHP script. This enables an attacker to
   bypass safe_mode restrictions and execute arbitrary code with
   the permissions of the webserver. Due to the nature of this
   function it is unlikely that a script accidentally exposes it to
   remote attackers.
   
   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can
   lead to a heap information leak which can be used to retrieve
   secret data from the apache process. Additionally a skilled
   local attacker could use this vulnerability in combination with
   01 to bypass heap canary protection systems. Similar to 01 this
   function is usually not used on user supplied data within
   web applications.

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]
   
   When safe_mode is activated within PHP, it is only allowed to
   execute commands within the configured safe_mode_exec_dir. 
   Unfortunately PHP does prepend a "cd [currentdir] ;" to any
   executed command when a PHP is running on a multithreaded unix
   webserver (f.e. some installations of Apache2). Because the name
   of the current directory is prepended directly a local attacker
   may bypass safe_mode_exec_dir restrictions by injecting shell-
   commands into the current directory name.
   
   [04 - safe_mode bypass through path truncation ]
   
   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath() f.e. within glibc this
   allows crafting a filepath that pass the safe_mode check although
   it points to a file that should fail the safe_mode check.
   
   [05 - path truncation in realpath() ]
   
   PHP uses realpath() within several places to get the real path
   of files. Unfortunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
   This can lead to arbitrary file include vulnerabilities if something
   like "include "modules/$userinput/config.inc.php"; is used on such
   systems.
   
   [06 - unserialize() - wrong handling of negative references ]
   
   The variable unserializer could be fooled with negative references
   to add false zvalues to hashtables. When those hashtables get
   destroyed this can lead to efree()s of arbitrary memory addresses
   which can result in arbitrary code execution. (Unless Hardened-PHP's
   memory manager canaries are activated)
   
   [07 - unserialize() - wrong handling of references to freed data ]
   
   Additionally to bug 07 the previous version of the variable 
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create 
   a universal string that will pass execution to an arbitrary 
   memory address when it is passed to unserialize(). For AMD64 systems
   a string was developed that directly passes execution to code 
   contained in the string itself.
   
   It is necessary to understand that these strings can exploit a 
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().
   
   Examples of vulnerable scripts:
   
      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
      - ...


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any 
   of these vulnerabilities to the public.


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-1018 to issues 01, 02, the name 
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.


Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because a lot of PHP applications expose the
   easy to exploit unserialize() vulnerability to remote attackers.
   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.
   

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBwDo7RDkUzAqGSqERAgVxAKC0LnTE49y5HFjeXpwXrZmAjuCL8gCgpQUl
rtmmBfJ3iv9Ksb/xtnyflD0=
=lzXX
-----END PGP SIGNATURE-----
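The advisory's remotely reachable cases are scripts that hand cookie content to unserialize() (issues 06/07) and scripts that interpolate user input into an include path (issue 05). The following is an added defensive example, not code from the advisory, from Stefan Esser, or from the PHP project: it shows the two application-side patterns a maintainer could adopt regardless of the interpreter version, namely storing cookie state as HMAC-bound JSON so that unserialize() is never called on untrusted bytes, and resolving a module name through an allow-list instead of building a path from it. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR); COOKIE_SECRET, COOKIE_MAX_LEN, MODULE_DIR, ALLOWED_MODULES and the function names are constructed for the example, and the sample inputs at the bottom (including the 's:30000:"crap";' string from the proof of concept above) are constructed test values.

```php
<?php
// Added example (not from the advisory or from PHP itself): two application-side
// hardening patterns for the remotely reachable cases the advisory describes.

// --- 1. Cookie state without unserialize() ---------------------------------
// State is stored as JSON and bound to a server-side secret with an HMAC, so a
// cookie that was not issued by this server is rejected before any parser runs.
const COOKIE_SECRET  = 'replace-with-a-random-secret'; // constructed placeholder
const COOKIE_MAX_LEN = 4096;                           // oversized blobs are refused outright

function issue_state_cookie(array $state): string
{
    $payload = json_encode($state, JSON_THROW_ON_ERROR);
    $mac     = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return base64_encode($payload) . '.' . $mac;
}

function read_state_cookie(string $cookie): ?array
{
    if (strlen($cookie) > COOKIE_MAX_LEN) {
        return null;                       // too large: never handed to a parser
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // not in the issued format
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);  // strict mode rejects stray characters
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // forged or tampered: parser never reached
    }
    // Depth-limited decode into plain arrays; no object instantiation is possible.
    $state = json_decode($payload, true, 8);
    return is_array($state) ? $state : null;
}

// --- 2. Dynamic include through an allow-list -------------------------------
// The user-controlled value selects an entry from a fixed list; it is never
// interpolated into a filesystem path, so realpath() truncation or traversal
// never comes into play.
const MODULE_DIR      = __DIR__ . '/modules';           // assumed layout
const ALLOWED_MODULES = ['forum', 'gallery', 'blog'];   // constructed list

function module_config_path(string $userinput): ?string
{
    if (!in_array($userinput, ALLOWED_MODULES, true)) {
        return null;                       // unknown module: nothing is included
    }
    return MODULE_DIR . '/' . $userinput . '/config.inc.php';
}

// Usage with constructed inputs.
$cookie = issue_state_cookie(['uid' => 42, 'role' => 'user']);
var_dump(read_state_cookie($cookie));               // decoded array
var_dump(read_state_cookie($cookie . 'x'));         // MAC mismatch
var_dump(read_state_cookie('s:30000:"crap";'));     // legacy serialized blob, no MAC
var_dump(module_config_path('forum'));              // allowed module
var_dump(module_config_path('../../etc/passwd'));   // not in the allow-list
```

The first three var_dump calls return the decoded state array, then NULL twice; the last two return the module path and NULL. Because the cookie is verified before it is parsed, the length and structure of an attacker-supplied value only ever reaches strlen(), explode() and hash_hmac(), none of which interpret the content.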

    

- Vulnerability information

12410
PHP pack() Function Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

PHP contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to insufficient validation of parameters passed to the pack() function which may result in a heap overflow. It is possible that the flaw may allow a remote attacker to bypass safe_mode restrictions and execute arbitrary code with the privileges of the Web server resulting in a loss of integrity.

- Timeline

2004-12-15 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.3.10 or 5.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

PHP Multiple Local And Remote Vulnerabilities
Design Error 11964
Yes Yes
2004-12-15 12:00:00 2009-07-12 09:26:00
Discovery of the unserialize bugs is credited to Stefan Esser and Marcus Boerger; Stefan Esser is credited with the discovery of the other vulnerabilities.

- Affected program versions

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Enterprise Linux 2.0
SGI ProPack 3.0
RedHat Stronghold 4.0
RedHat Linux 9.0 i386
Red Hat Fedora Core1
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
PHP PHP 4.3
PHP PHP 4.2.3
PHP PHP 4.2.2
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
PHP PHP 4.1.1
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
PHP PHP 4.0.5
PHP PHP 4.0.4
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
PHP PHP 3.0.18
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.16
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0 0
PHP PHP 3.0 .16
PHP PHP 3.0 .13
PHP PHP 3.0 .12
PHP PHP 3.0 .11
OpenPKG OpenPKG 2.2
OpenPKG OpenPKG 2.1
OpenPKG OpenPKG Current
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
Conectiva Linux 10.0
Conectiva Linux 9.0
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0
PHP PHP 5.0.3
+ Trustix Secure Linux 2.2
PHP PHP 4.3.10
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
HP System Management Homepage 2.1
Apple Mac OS X Server 10.3.8
Apple Mac OS X 10.3.8

- Unaffected program versions

PHP PHP 5.0.3
+ Trustix Secure Linux 2.2
PHP PHP 4.3.10
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
HP System Management Homepage 2.1
Apple Mac OS X Server 10.3.8
Apple Mac OS X 10.3.8

- Vulnerability discussion

PHP4 and PHP5 are reported prone to multiple local and remote vulnerabilities that may lead to code execution within the context of the vulnerable process. The following specific issues are reported:

A heap-based buffer overflow is reported to affect the PHP 'pack()' function call. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to execute arbitrary instructions in the context of the vulnerable process.

A heap-based memory disclosure vulnerability is reported to affect the PHP 'unpack()' function call. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to reveal portions of the process heap.

PHP safe_mode_exec_dir is reported prone to an access control bypass vulnerability. A local attacker that can manipulate the directory name from which the PHP script is called, may bypass 'safe_mode_exec_dir' restrictions by placing shell metacharacters and restricted commands into the directory name of the current directory.

PHP safe_mode is reported prone to an access control bypass vulnerability. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to execute commands that are otherwise restricted by PHP safe_mode.

PHP is reported prone to a 'realpath()' path truncation vulnerability. The vulnerability exists due to a lack of sanitization as to whether a path has been silently truncated by the libc realpath() function or not. This may lead to remote file include vulnerabilities in some cases.

The PHP function 'unserialize()' is reported prone to a memory corruption vulnerability. This corruption may be leveraged by a remote attacker that has the ability to make the PHP interpreter run a malicious script to execute arbitrary code in the context of the vulnerable process.

The PHP function 'unserialize()' is also reported prone to an information disclosure vulnerability. This issue may be leveraged by a remote attacker to disclose the contents of heap memory. This may allow them to gain access to potentially sensitive information, such as database credentials.

Finally, the PHP function 'unserialize()', is reported prone to an additional vulnerability. It is reported that previous versions of this function allow a malicious programmer to set references to entries of a variable hash that have already been freed. This can lead to remote memory corruption.

- Exploitation

Exploits have been developed by the researcher that discovered these vulnerabilities. These exploits are not believed to be in public circulation. The following unserialize() proof of concept examples are available:

EXAMPLE script - "Segfault":
---cut here---
<?
$s = 's:9999999:"A";"';
$a = unserialize($s);
print $a;
?>
---cut here---

EXAMPLE script - "Memory Dump":
---cut here---
<?
// session- and stuff
$secret_username="uaaaa";
$secret_password="hoschi";

// stuff
// $c = $_COOKIE ['crypted_stuff']
// $c = some cookie
/* simplyfied --> userinput */ $c = 's:30000:"crap";';

$userdata = unserialize($c);
//
// check $userdata stuff
// for some reason output $userdata
print $userdata . "\n is NOT valid !!\n";

// stuff
?>
---cut here---

overdose <slythers@gmail.com> has made a proof of concept exploit available to demonstrate the unserialize() information disclosure issue.

- Solution

Conectiva has released an advisory (CLSA-2005:955) and fixes to address these and other issues. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.

Turbolinux has released advisory TLSA-2005-50 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

Conectiva has released advisory CLA-2005:915 along with fixes dealing with these and other issues. Please see the referenced advisory for more information.

Turbolinux has released advisory TLSA-2005-01-13 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

Ubuntu Linux has released advisory USN-40-1 along with fixes to address the issue referenced by the CVE candidate CAN-2004-1019 and other issues. Please see the referenced advisory for further information.

OpenPKG has released advisory OpenPKG-SA-2004.053 to address these, and other issues. Please see the referenced advisory for further information.

Mandrake has released advisory MDKSA-2004:151 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo has released updates to address this issue. Updates may be applied by running the following commands as the superuser:

(for PHP)
emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-4.3.10"

(for mod_php)
emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/mod_php-4.3.10"

(for php_cgi)
emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-cgi-4.3.10"

The vendor has released updates to address these issues:

Trustix Secure Linux has released an advisory (TSLSA-2004-0066) along with fixes dealing with this issue. Please see the referenced advisory for more information.

Red Hat has released Red Hat Enterprise Linux advisory RHSA-2004:687-05 to address various issues in PHP. Please see the advisory in Web references for more information.

Fedora has released advisories FEDORA-2004-567 and FEDORA-2004-568 to address various PHP issues in Fedora Core 2 and Fedora Core 3. Please see the referenced advisories for more information.

Conectiva has released an advisory (CLSA-2005:915) to address issues in PHP. Please see the advisory in Web references for more information.

SGI has released advisory 20050101-01-U to address various issues in SGI Advanced Linux Environment 3. This advisory includes updated SGI ProPack 3 Service Pack 3 packages. Please see the referenced advisory for more information.

S.u.S.E. Linux has made an advisory (SUSE-SA:2005:002) available dealing with this issue. Please see the referenced advisory for more information.

Apple Computers has released advisory APPLE-SA-2005-01-25 along with a security update dealing with this and other issues. Please see the referenced advisory for more information.

Apple Computers has released Mac OS X version 10.3.8 dealing with this issue. This upgrade includes the security patches shipped with the referenced security update.

Fedora has released Fedora Legacy advisory FLSA:2344 to address various issues in Red Hat Linux 7.3, Red Hat Linux 9.0 and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.

Ubuntu Linux has released an advisory USN-99-1 along with fixes dealing with the issues defined by CVE candidates CAN-2004-1018, CAN-2004-1063, and CAN-2004-1064. Please see the referenced advisory for more information.

Ubuntu has released advisory USN-99-2 dealing with issues that arose from the fixes provided with their previous advisory (USN-99-1). Apparently the previous fixes did fix the vulnerabilities, however they broke a substantial amount of PHP functionality. Please see the referenced advisory for more information.

Mandriva has released advisory MDKSA-2005:072 to address these issues. Please see the attached advisory for details on obtaining and applying fixes.

HP has released advisory HPSBMA01212 to address various issues affecting System Management Homepage. Please see the referenced advisory for more information.

HP has released revision 1 of advisory HPSBMA01212 to address various issues affecting System Management Homepage. Please see the referenced advisory for more information.

Revised HP advisory HPSBMA01212 (SSRT5998 Rev.2 HP System Management Homepage(v2.0.x) Denial of Service (DoS) and XSS) including updated resolutions is available. Please see the referenced advisory for more information.

Red Hat has released advisory RHSA-2005:816-10 to address this issue for Red Hat Stronghold for Enterprise Linux. Please see the referenced advisory for further information on obtaining fixes.


Apple Mac OS X 10.2.8
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X 10.3.7
SGI ProPack 3.0
PHP PHP 4.0 0
PHP PHP 4.0.1
PHP PHP 4.0.1 pl2
PHP PHP 4.0.2
PHP PHP 4.0.3 pl1
PHP PHP 4.0.3
PHP PHP 4.0.5
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7
PHP PHP 4.1 .0
PHP PHP 4.2 -dev
PHP PHP 4.2.1
PHP PHP 4.3
PHP PHP 4.3.2
PHP PHP 4.3.3
PHP PHP 4.3.5
PHP PHP 4.3.6
PHP PHP 4.3.8

- References

 

 
