Latest News

Popular

Linux-Tip News

We are proud to present the Linux-Tip Portal in a new design and hope you will find it helpful, whether you are new to Linux or a seasoned user. We will attempt to provide you with effective tips and tricks, or at least to point you in the direction of the help you may need. We would like to offer a great big "Thanks!" for their excellent work to Jommla!  and  to RocketTheme . Please enjoy Linux news and workshops. Feel free to send your comments and suggestions.
 
Home arrow News arrow Linux Security arrow PHP memory_limit remote vulnerability
PHP memory_limit remote vulnerability Print E-mail
Wednesday, 14 July 2004
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

According to Security Space PHP is the most popular Apache module and is installed on about 50% of all Apaches worldwide. This figure includes of course only those servers that are not configured with expose_php=Off.

During a reaudit of the memory_limit problematic it was discovered that it is possible for a remote attacker to trigger the memory_limit request termination in places where an interruption is unsafe. This can be abused to execute arbitrary code on remote PHP servers.

Details

On the 28th June 2004 Gregori Guninski released his advisory about a possible remote DOS vulnerability within Apache 2 (CAN-2004-0493). This vulnerability allows tricking Apache 2 into acception arbitrary sized HTTP headers. Guninski and many others rated this bug as "Low Risk" for 32bit systems, but they did not take into account that such a bug could have a huge impact on 3rd party modules.

After his advisory was released I reaudited PHP's memory_limit request termination, because this bug made it possible to reach the memory_limit at places that were never meant to be interrupted. After a possible exploitation path for Apache 2 servers was discovered and a working exploit was created, similar pathes were found and added to the proof of concept exploit that allowed exploitation of NON Apache 2 servers. (f.e. Apache 1.3.31)

The idea of the exploit is simple. When PHP allocates a block of memory it first checks in the cache of free memory blocks for a block of the same size. If such a block is found it is taken from the cache otherwise PHP checks if an allocation would violate the memory_limit. In that case the request shutdown is triggered through zend_error(). (PHP < 4.3.7 aborts after the violating memory block is allocated) PHP contains several places where such an interruption is unsafe. An example for such places are those where Zend HashTables are allocated and initialised. This is performed in 2 steps and the initialisation step itself allocates memory before important members are correctly initialised. An attacker that is able to trigger the memory_limit abort within zend_hash_init() and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer.

Read more at e-matters
 
< Prev   Next >
[ Back ]

Main Menu

Home
Blog
News
Tips and Tricks
Workshops
Search
Contact Us
Disclaimer

Virus Info Feed

Alexa Traffic Stats


Urlaub Spanien