PHP Chunk_Split() Function Integer Overflow Vulnerability
BID:24261
Info
| Bugtraq ID: | 24261 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-2872 |
| Remote: | Yes |
| Local: | No |
| Published: | May 31 2007 12:00AM |
| Updated: | May 20 2008 05:34PM |
| Credit: | Gerhard Wagner found this vulnerability. |
| Vulnerable: |
Ubuntu Ubuntu Linux 7.10 sparc Ubuntu Ubuntu Linux 7.10 powerpc Ubuntu Ubuntu Linux 7.10 i386 Ubuntu Ubuntu Linux 7.10 amd64 Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Trustix Secure Linux 3.0.5 Trustix Secure Linux 3.0 Trustix Secure Linux 2.0 Trustix Operating System Enterprise Server 2.0 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise SDK 9 SuSE SUSE Linux Enterprise SDK 10.SP1 SuSE Linux Enterprise Server 9 SuSE Linux Enterprise Server 10.SP1 SuSE Linux 10.1 x86-64 SuSE Linux 10.1 x86 SuSE Linux 10.1 ppc SuSE Linux 10.0 x86-64 SuSE Linux 10.0 x86 SuSE Linux 10.0 ppc Slackware Linux 10.2 Slackware Linux 11.0 Slackware Linux -current S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. 
Novell Linux POS 9 rPath rPath Linux 1 Redhat Fedora Core7 Redhat Fedora Core6 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 IA64 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 IA64 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux AS 4 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 IA64 Redhat Enterprise Linux AS 2.1 Redhat Enterprise Linux 5 Server Redhat Desktop 4.0 Redhat Desktop 3.0 Redhat Application Stack v1 for Enterprise Linux ES 4 Redhat Application Stack v1 for Enterprise Linux AS 4 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 PHP PHP 5.2.3 PHP PHP 5.2.2 PHP PHP 5.2.1 PHP PHP 5.1.6 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 -RC1 PHP PHP 5.1.3 PHP PHP 5.1.2 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.0 candidate 3 PHP PHP 5.0 candidate 2 PHP PHP 5.0 candidate 1 PHP PHP 5.0 .0 PHP PHP 5.2 OpenPKG OpenPKG E1.0-Solid OpenPKG OpenPKG Current HP HP-UX B.11.31 HP HP-UX B.11.23 HP HP-UX B.11.11 Gentoo Linux Avaya Messaging Storage Server MSS 3.0 Avaya Messaging Storage Server 3.1 Avaya Message Networking MN 3.1 Avaya Message Networking 3.1 Avaya Intuity AUDIX LX 2.0 Avaya Communication Manager 4.0 Avaya Communication Manager 3.1 Avaya Aura Application Enablement Services 4.0.1 Avaya Aura Application Enablement Services 3.1.4 Avaya Aura Application Enablement Services 3.1.3 Avaya Aura Application Enablement Services 3.0 Avaya AES 4.0 Avaya AES 3.1 |
| Not Vulnerable: | PHP PHP 5.2.4 |
Discussion
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory.
Attackers may be able to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.
This issue affects versions prior to PHP 5.2.3.
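Added example (not part of the advisory and not PHP's source code): a C model of the size arithmetic behind this class of bug, with the unchecked computation beside a checked one. It assumes the output of chunk_split() is bounded by (srclen / chunklen + 1) * endlen + srclen + 1 bytes and that lengths are held in a 32-bit int; the function names and sample sizes are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this model: lengths live in a 32-bit signed int. */
#define MODEL_MAX ((uint32_t)INT32_MAX)

/* Unchecked size computation. uint32_t is used so the wrap is defined
   behaviour and can be observed. chunklen must be non-zero. */
static uint32_t out_len_wrapping(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    return (srclen / chunklen + 1u) * endlen + srclen + 1u;
}

/* Checked version: returns 0 and stores the size in *out, or returns -1
   when the size cannot be represented in the modelled int. */
static int out_len_checked(uint32_t srclen, uint32_t chunklen, uint32_t endlen,
                           uint32_t *out)
{
    if (chunklen == 0 || srclen >= MODEL_MAX || endlen > MODEL_MAX)
        return -1;
    uint32_t pieces = srclen / chunklen + 1u;   /* cannot wrap: srclen < MODEL_MAX */
    if (endlen != 0 && pieces > MODEL_MAX / endlen)
        return -1;                              /* multiplication would overflow */
    uint32_t sep = pieces * endlen;
    if (sep > MODEL_MAX - srclen - 1u)
        return -1;                              /* addition would overflow */
    *out = sep + srclen + 1u;
    return 0;
}

int main(void)
{
    /* Constructed sizes: 64 KiB input, separator after every byte, 64 KiB separator. */
    uint32_t srclen = 65536, chunklen = 1, endlen = 65536, n = 0;

    printf("wrapping: %" PRIu32 " bytes\n", out_len_wrapping(srclen, chunklen, endlen));
    if (out_len_checked(srclen, chunklen, endlen, &n) != 0)
        puts("checked: rejected, size not representable");
    return 0;
}
```

The wrapped result is far smaller than the amount of data that would be written into the buffer, which is how the integer overflow turns into a buffer overflow; the checked version refuses the request before any allocation happens.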
Exploit / POC
The following proof of concept is available:
Solution / Fix
Solution:
The vendor has released PHP 5.2.3 to address this and other issues.
NOTE: The vendor has released PHP 5.2.4 and states that this release corrects the fix that was released in PHP 5.2.3. Users are encouraged to install the latest release of PHP. Please see the references for more information.
Slackware Linux -current
- Slackware php-5.2.3-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.2.3-i486-1.tgz
Slackware Linux 10.2
- Slackware php-5.2.3-i486-1_slack10.2.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-10.2/testing/packages/php5/php-5.2.3-i486-1_slack10.2.tgz
PHP PHP 5.2.3
- PHP PHP 5.2.4 Complete Source Code
  http://www.php.net/get/php-5.2.4.tar.gz/from/a/mirror
References
References:
- ChangeLog Version 5.2.3 (PHP)
- PHP 5.2.3 Release Announcement (PHP)
- PHP 5.2.4 Release Announcement (PHP)
- PHP Homepage (PHP)
- PHP Version 5.2.4 Changelog (PHP)
- SEC Consult SA-20070601-0 :: PHP chunk_split() integer overflow
- [security bulletin] HPSBUX02332 SSRT080056 rev.2 - HP-UX Running Apache With PHP
- [USN-549-1] PHP vulnerabilities (Kees Cook)
- ASA-2007-449 PHP security updates (RHSA-2007-0888, RHSA-2007-0889 & RHSA-2007-08 (Avaya)
- HPSBUX02308 SSRT080010 rev.1 - HP-UX Running Apache, Remote Execution of Arbitra (HP)
- RHSA-2007:0888-2 - php security update (Red Hat)
- RHSA-2007:0889-5 php security update (Red Hat)
- RHSA-2007:0890-2 php security update (Red Hat)
- RHSA-2007:0891-5 php security update (Red Hat)
- SUSE Security Advisory SUSE-SA:2008:004 (SUSE)
- SUSE Security Announcement SUSE-SA:2007:044 (SUSE)