Latest News

Popular

Linux-Tip News

We are proud to present Linux-Tip Europe. This page is designed to provide the Linux users community (not only in Europe) with news and articles that are of interest to them. It works by allowing members of the community to submit news and articles relating to Linux hardware and software. This same community can then decide what tips should be promoted based on what they consider to be the most important or interesting to the community by voting stories up and down. Stories that receive enough votes are promoted to the Linux-Tip Europe homepage. Bookmark and Share
 
Home arrow News arrow Linux Security arrow PHP memory_limit remote vulnerability
PHP memory_limit remote vulnerability Print E-mail
Wednesday, 14 July 2004
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

According to Security Space PHP is the most popular Apache module and is installed on about 50% of all Apaches worldwide. This figure includes of course only those servers that are not configured with expose_php=Off.

During a reaudit of the memory_limit problematic it was discovered that it is possible for a remote attacker to trigger the memory_limit request termination in places where an interruption is unsafe. This can be abused to execute arbitrary code on remote PHP servers.

Details

On the 28th June 2004 Gregori Guninski released his advisory about a possible remote DOS vulnerability within Apache 2 (CAN-2004-0493). This vulnerability allows tricking Apache 2 into acception arbitrary sized HTTP headers. Guninski and many others rated this bug as "Low Risk" for 32bit systems, but they did not take into account that such a bug could have a huge impact on 3rd party modules.

After his advisory was released I reaudited PHP's memory_limit request termination, because this bug made it possible to reach the memory_limit at places that were never meant to be interrupted. After a possible exploitation path for Apache 2 servers was discovered and a working exploit was created, similar pathes were found and added to the proof of concept exploit that allowed exploitation of NON Apache 2 servers. (f.e. Apache 1.3.31)

The idea of the exploit is simple. When PHP allocates a block of memory it first checks in the cache of free memory blocks for a block of the same size. If such a block is found it is taken from the cache otherwise PHP checks if an allocation would violate the memory_limit. In that case the request shutdown is triggered through zend_error(). (PHP < 4.3.7 aborts after the violating memory block is allocated) PHP contains several places where such an interruption is unsafe. An example for such places are those where Zend HashTables are allocated and initialised. This is performed in 2 steps and the initialisation step itself allocates memory before important members are correctly initialised. An attacker that is able to trigger the memory_limit abort within zend_hash_init() and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer.

Read more at e-matters
 
< Prev   Next >
[ Back ]

Main Menu

Home
News
Tips and Tricks
Workshops
Video-Tutorials
Search
Contact Us
Disclaimer

Virus Info Feed

Alexa Traffic Stats

Sedo - Domains kaufen und verkaufen das Projekt linux-tip.eu steht zum Verkauf Besucherstatistiken von linux-tip.eu etracker® Web-Controlling statt Logfile-Analyse