BACK

CREDIT

POC or EXPLOIT

REFERENCES






Mon, 05 Mar 2007

Summary

The PHP session extension comes with a serialization handler called 'php_binary' that is vulnerable to a heap information leak vulnerability. This security hole is the result of a missing boundary check and allows leaking up to 126 bytes following the serialized data into array keys of the session.

This can lead to the disclosure of sensitive information stored on the heap, like offsets (useful for further attacks), heap canaries, etc.

Affected versions

Affected are PHP 4 < 4.4.5 and PHP < 5.2.1

Detailed information

The php_binary session dataformat contains of one entry per serialized variable. Every entry starts with a one byte size field that contains the length of the variable name, followed by the name itself and the serialized data.

Unfortunately the extraction of the variable name happens without a boundary check and therefore an oversized length value will result in the name being read from outside the buffer. This leads to an up to 126 byte heap information leak.

Proof of concept, exploit or instructions to reproduce

The attached proof of concept exploit will leak the maximum of 126 bytes of heap data into PHP variables and produce a hexdump.

Heapdump
---------

00000000: 00 00 00 00 87 fe 60 e8 35 00 00 00 39 00 00 00 ......`.5...9...
00000010: 00 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 00 00 00 00 4b fe 60 e8 55 00 00 00 AAAA....K.`.U...
00000040: 35 00 00 00 89 68 25 50 25 00 00 00 a8 fd 91 b7 5....h%P%.......
00000050: a8 f2 91 b7 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 .. AAAAAAAAAAAAAAA.

Notes

This is one of the many vulnerabilities of the MOPB that were previously disclosed by us to the vendor and is therefore fixed in their latest updates. We therefore recommend updating PHP atleast PHP 4.4.5 or PHP 5.2.1 to fix this issue.