--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE : php, mod_php
SUMMARY : Vulnerable data handler
DATE    : 2002-07-22 16:51:00

--------------------------------------------------------------------

OVERVIEW

E-matters has discovered a serious vulnerability within the default
version of PHP. Depending on the processor architecture it may be
possible for a remote attacker to either crash or compromise the web
server.


DETAIL

PHP 4.2.0 introduced a completely rewritten multipart/form-data POST
handler. While I was working on the code in my role as PHP developer I
found a bug within the way the MIME headers are processed. A malformed
POST request can trigger an error condition that is not correctly
handled. Due to this bug it could happen that an uninitialised struct
gets appended to the linked list of MIME headers. When the list gets
cleaned or destroyed PHP tries to free the pointers that are expected in
the struct. Because of the lack of initialisation those pointers
contain stuff that was left on the stack by previous function calls.

On the IA32 architecture (aka x86) it is not possible to control what
will end up in the uninitialised struct because of the stack layout. All
possible code paths leave illegal addresses within the struct and PHP
will crash when it tries to free them.

Unfortunately the situation is absolutely different if you look at a
Solaris SPARC installation. Here it is possible for an attacker to free
chunks of memory that are fully under his control. This is most probably
the case for several more non-IA32 architectures.

Please note that exploitability is not only limited to systems that are
running malloc()/free() implementations that are known to be vulnerable
to control structure overwrites. This is because the internal PHP memory
management implements its own linked list system that can be used to
overwrite nearly arbitrary memory addresses.
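
The defect pattern described above, as an added and constructed C
illustration that is not PHP's own code: a linked list of MIME header
entries whose cleanup frees each node's pointers, and a hardened parser
that rejects a malformed header line before allocating, zero-initialises
the node, and links it only once it is fully built. The struct, function
names and the sample header lines are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not PHP's code) of the bug class in the advisory:
 * a linked list of MIME header entries whose cleanup frees each entry's
 * name and value pointers. */
typedef struct mime_header {
    char *name, *value;
    struct mime_header *next;
} mime_header;

/* Cleanup: if a node were linked in with uninitialised fields, these free()
 * calls would operate on whatever the stack left behind, as described above. */
void free_headers(mime_header *list) {
    while (list) {
        mime_header *next = list->next;
        free(list->name);
        free(list->value);
        free(list);
        list = next;
    }
}

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* The defect the advisory describes amounts to this shape: allocate a node
 * without initialising it, link it, then bail out on malformed input with
 * name/value never set. The hardened shape below validates before allocating,
 * zeroes every field with calloc(), and links the node only once it is fully
 * built. Returns 0 on success, -1 on a malformed line. */
int parse_header_line(const char *line, mime_header **list) {
    const char *colon = strchr(line, ':');
    if (!colon || colon == line) return -1;   /* reject; nothing to clean up */
    mime_header *h = calloc(1, sizeof *h);
    if (!h) return -1;
    const char *v = colon + 1;
    while (*v == ' ') v++;                    /* skip whitespace after ':' */
    h->name = dup_range(line, (size_t)(colon - line));
    h->value = dup_range(v, strlen(v));
    if (!h->name || !h->value) { free_headers(h); return -1; } /* NULLs free safely */
    h->next = *list;
    *list = h;
    return 0;
}
```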


SOLUTION

It is recommended that all Gentoo Linux users update their systems as
follows.

emerge --clean rsync
emerge php mod_php
emerge clean

Manually:

Download the new PHP package from the location below and follow the
instructions included in the archive:
http://www.php.net/distributions/php-4.2.2.tar.gz

Workaround:

If the PHP applications on an affected web server do not rely on HTTP
POST input from user agents, it is often possible to deny POST requests
on the web server.

In the Apache web server, for example, this is possible with the
following directives included in the main configuration file or a
top-level .htaccess file:

<Limit POST>
  Order deny,allow
  Deny from all
</Limit>

Note that an existing configuration and/or .htaccess file may have
parameters contradicting the example given above.

--------------------------------------------------------------------
Ferry Meyndert
m0rpheus@g.o
http://www.gentoo.org/~m0rpheus
--------------------------------------------------------------------