PHP Session_Decode Double Free Memory Corruption Vulnerability
BID:23121
Info
| Bugtraq ID: | 23121 |
| Class: | Design Error |
| CVE: | CVE-2007-1711 |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 25 2007 12:00AM |
| Updated: | Aug 01 2007 09:25PM |
| Credit: | Stefan Esser is credited with the discovery of this vulnerability. |
| Vulnerable: | Turbolinux Turbolinux Server 10.0 x86; Turbolinux Turbolinux Server 10.0; Turbolinux Turbolinux Desktop 10.0; Turbolinux Turbolinux 10 F...; TurboLinux Personal; TurboLinux Multimedia; Turbolinux Home; Turbolinux Appliance Server Workgroup Edition 1.0; Turbolinux Appliance Server Hosting Edition 1.0; Turbolinux Appliance Server 1.0 Workgroup Edition; Turbolinux Appliance Server 1.0 Hosting Edition; Turbolinux Appliance Server 2.0; TransSoft Broker FTP Server 8.0; SGI ProPack 3.0 SP6; rPath rPath Linux 1; Redhat Stronghold for Enterprise Linux 0; Redhat Enterprise Linux WS 4; Redhat Enterprise Linux WS 3; Redhat Enterprise Linux WS 2.1 IA64; Redhat Enterprise Linux WS 2.1; Redhat Enterprise Linux ES 4; Redhat Enterprise Linux ES 3; Redhat Enterprise Linux ES 2.1 IA64; Redhat Enterprise Linux ES 2.1; Redhat Enterprise Linux AS 4; Redhat Enterprise Linux AS 3; Redhat Enterprise Linux AS 2.1 IA64; Redhat Enterprise Linux AS 2.1; Redhat Desktop 4.0; Redhat Desktop 3.0; Redhat Advanced Workstation for the Itanium Processor 2.1 IA64; Redhat Advanced Workstation for the Itanium Processor 2.1; PHP PHP 4.4.6; PHP PHP 4.4.5; MandrakeSoft Multi Network Firewall 2.0; MandrakeSoft Corporate Server 4.0 x86_64; MandrakeSoft Corporate Server 3.0 x86_64; MandrakeSoft Corporate Server 3.0; MandrakeSoft Corporate Server 4.0; Gentoo Linux; Debian Linux 3.1 sparc; Debian Linux 3.1 s/390; Debian Linux 3.1 ppc; Debian Linux 3.1 mipsel; Debian Linux 3.1 mips; Debian Linux 3.1 m68k; Debian Linux 3.1 ia-64; Debian Linux 3.1 ia-32; Debian Linux 3.1 hppa; Debian Linux 3.1 arm; Debian Linux 3.1 amd64; Debian Linux 3.1 alpha; Debian Linux 3.1; Debian Linux 4.0 sparc; Debian Linux 4.0 s/390; Debian Linux 4.0 powerpc; Debian Linux 4.0 mipsel; Debian Linux 4.0 mips; Debian Linux 4.0 m68k; Debian Linux 4.0 ia-64; Debian Linux 4.0 ia-32; Debian Linux 4.0 hppa; Debian Linux 4.0 arm; Debian Linux 4.0 amd64; Debian Linux 4.0 alpha; Debian Linux 4.0; Apple Mac OS X Server 10.4.10; Apple Mac OS X Server 10.3.9; Apple Mac OS X 10.4.10; Apple Mac OS X 10.3.9 |
| Not Vulnerable: | |
Discussion
PHP is prone to a double-free memory-corruption vulnerability.
Attackers may be able to exploit this issue to execute arbitrary code in the context of the webserver process or to cause denial-of-service conditions.
This issue is proven to be locally exploitable. Remote attack vectors may also be possible, but this is yet to be confirmed.
This issue affects PHP versions 4.4.5 and 4.4.6.
Exploit / POC
The following proof of concept is available:
Solution / Fix
Solution:
Please see the references for more information.
Apple Mac OS X Server 10.3.9
- Apple SecUpdSrvr2007-007Pan.dmg For Mac OS X Server v10.3.9
  http://www.apple.com/support/downloads/

Apple Mac OS X 10.3.9
- Apple SecUpd2007-007Pan.dmg For Mac OS X v10.3.9
  http://www.apple.com/support/downloads/

Apple Mac OS X 10.4.10
- Apple SecUpd2007-007Ti.dmg For Mac OS X v10.4.10 (PowerPC)
  http://www.apple.com/support/downloads/
- Apple SecUpd2007-007Univ.dmg For Mac OS X v10.4.10 (Universal)
  http://www.apple.com/support/downloads/

Apple Mac OS X Server 10.4.10
- Apple SecUpdSrvr2007-007Ti.dmg For Mac OS X Server v10.4.10 (PowerPC)
  http://www.apple.com/support/downloads/
- Apple SecUpdSrvr2007-007Universal.dmg For Mac OS X Server v10.4.10 (Universal)
  http://www.apple.com/support/downloads/
References
References:
- MOPB-32-2007: PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (Stefan Esser)
- PHP Homepage (PHP)
- RHSA-2007:0154-4 php security update (Red Hat)
- RHSA-2007:0155-2 php security update (Red Hat)
- RHSA-2007:0163-3 - php security update for Stronghold (Red Hat)