From mordred@s-mail.com Fri Mar 28 01:42:14 2003
From: Sir Mordred
To: bugtraq@securityfocus.com
Date: Wed, 26 Mar 2003 12:38:36 +0000
Subject: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator

//@(#) Mordred Security Labs advisory

Release date: March 26, 2003
Name: Integer overflow in PHP memory allocator
Versions affected: < 4.3.2
Risk: very high
Author: Sir Mordred (mordred@s-mail.com, http://mslabs.iwebland.com)

I. Description:

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Please visit http://www.php.net for more information about PHP.

II. Details:

In PHP, the emalloc() function implements an error-safe wrapper around malloc(). Unfortunately this function suffers from an integer overflow, and considering that emalloc() is used in many places in the PHP source code, this may lead to many serious security issues. Here I will describe only a couple of minor issues in the PHP sockets extension. This extension is turned off by default; to enable it you must compile PHP with the --enable-sockets option.

* Issue 1 - Integer sign error in PHP socket_recv() function

Requesting the following short script will cause an httpd child to die with the error message "child pid exit signal Segmentation fault (11)":

$ cat t1.php

* Issue 2 - Integer sign error in PHP socket_recvfrom() function

Requesting the following script will also cause an httpd child to die:

$ cat t2.php

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

IV. Vendor response

PHP developers notified; 4.3.2 will fix these issues.

V. Last words

There has been a response in which we were strongly advised to lower the risk level of this advisory to low or even very low, as long as we can't come up with an example of using emalloc(userinput) in the PHP source code... We think that this is provocative crap, and leave the risk level untouched.
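As an added illustration of the bug class the Details section describes (this is example code, not code from the advisory or from PHP), the C below contrasts a heap buffer sized from a signed, user-controlled length, as with the length argument of socket_recv(), against a checked version that rejects negative or wrapping sizes. The function names and the 65536-byte limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical helpers (not PHP's emalloc()) modelling the pattern the advisory
 * describes: a length from userland, e.g. socket_recv()'s length argument, sizes a heap buffer. */

/* Unsafe sizing: a signed length is converted to size_t. len == -1
 * becomes SIZE_MAX and adding one for a terminator wraps to 0, so the
 * allocator hands back a tiny block that a later recv() overruns. */
size_t naive_buffer_size(int len)
{
    return (size_t)len + 1;
}

/* Overflow-safe size computation nmemb * size + offset.
 * Returns 1 and stores the total in *out, or 0 if it would wrap. */
int alloc_size_ok(size_t nmemb, size_t size, size_t offset, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;                   /* multiplication would wrap */
    size_t total = nmemb * size;
    if (offset > SIZE_MAX - total)
        return 0;                   /* addition would wrap */
    *out = total + offset;
    return 1;
}

/* Hardened sizing: reject negative or oversized lengths before they reach the
 * allocator, then compute len + 1 with the checked helper. NULL on rejection. */
void *checked_recv_buffer(int len, size_t max_len, size_t *out_size)
{
    size_t total;
    if (len < 0 || (size_t)len > max_len)
        return NULL;                /* sign error or absurd request */
    if (!alloc_size_ok((size_t)len, 1, 1, &total))
        return NULL;
    *out_size = total;
    return malloc(total);
}

int main(void)
{
    size_t sz = 0;
    printf("naive size for len=-1: %zu\n", naive_buffer_size(-1));
    printf("checked for len=-1: %s\n",
           checked_recv_buffer(-1, 65536, &sz) ? "allocated" : "rejected");
    return 0;
}
```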