PHP session_regenerate_id() double free memory corruption bug

  • 2020-03-31 21:32:35
  • OfStack

SEBUG ID: http://sebug.net/vulndb/1491/
SEBUG Appdir: http://sebug.net/appdir/PHP/
Post date: March 17, 2007
Affected versions:
PHP PHP 5.2.1
PHP PHP 5.1.6
PHP PHP 5.1.5
PHP PHP 5.1.4
PHP PHP 5.1.3
PHP PHP 5.1.2
PHP PHP 5.1.1
PHP PHP 5.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
  + Trustix Secure Linux 2.2
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP 5.0 candidate 3
PHP 5.0 candidate 2
PHP 5.0 candidate 1
PHP PHP 5.0.0
PHP PHP 5.2
Vulnerability description:
PHP is a widely used web development scripting language.
The PHP session_regenerate_id() function has a double-free memory corruption problem, which a remote attacker can exploit to cause a denial of service against the application and possibly to execute arbitrary code.
The session_regenerate_id() function first frees the old session identifier and then immediately assigns the value returned by the session identifier generator:

    PHP_FUNCTION(session_regenerate_id)
    {
        ...
            if (PS(id)) {
                ...
                efree(PS(id));
            }
            PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
            PS(send_cookie) = 1;
            php_session_reset_id(TSRMLS_C);
            RETURN_TRUE;
        }
        RETURN_FALSE;
    }

This assignment is not atomic. It can be interrupted by events such as a memory-limit violation, and, depending on the PHP configuration, the identifier generator itself can raise a fatal PHP error or a warning:

    PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
    {
        ...
        switch (PS(hash_func)) {
            ...
            default:
                php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid session hash function");
                efree(buf);
                return NULL;
        }
        ...
        if (PS(hash_bits_per_character) < 4
            || PS(hash_bits_per_character) > 6) {
            PS(hash_bits_per_character) = 4;
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character...");
        }
        ...

This problem is easy to trigger by registering a malicious user-space error handler. When the handler is invoked, a hash it allocates is placed in the same memory that the freed session identifier occupied; the handler then causes the old session identifier to be freed a second time by calling session_id(), and the memory holding the forged hash is returned to that same location. When the user error handler completes, the overwritten hash is destroyed and attacker-supplied code is executed.
http://www.php-security.org/MOPB/MOPB-22-2007.html
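The ordering defect described above, as an added illustration that is neither PHP source nor part of the advisory: a small C model in which the session identifier is freed before its replacement is assigned, while a stand-in for the user-space error handler runs in between and touches the identifier. The allocator is simulated so the second release is counted rather than corrupting the real heap. The pool, the hook and every function name here are constructed for this example, and the hardened ordering is one defensive rewrite of the pattern, not the fix PHP itself shipped.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the advisory's ordering defect (not PHP source).
 * A tiny simulated allocator stands in for the heap so a release of a block
 * that is no longer live is counted instead of corrupting memory.
 */
#define POOL_SLOTS 8
static char pool[POOL_SLOTS][32];
static int  live[POOL_SLOTS];          /* 1 while the slot is handed out */
static int  double_frees;              /* releases of a slot that was not live */

static char *pool_alloc(const char *text) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!live[i]) {
            live[i] = 1;
            snprintf(pool[i], sizeof pool[i], "%s", text);
            return pool[i];
        }
    }
    return NULL;                       /* pool exhausted: a failed allocation */
}

static void pool_free(char *p) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (p == pool[i]) {
            if (!live[i]) double_frees++;   /* second release of the same block */
            live[i] = 0;
            return;
        }
    }
}

typedef struct session session_t;
struct session {
    char *id;                          /* plays the role of PS(id) */
    void (*user_hook)(session_t *);    /* stands in for a user-space error handler */
};

/* Counterpart of session_id("..."): drop the current id, install the given one. */
static void session_set_id(session_t *s, const char *newid) {
    if (s->id) pool_free(s->id);
    s->id = pool_alloc(newid);
}

/* Stand-in for the id generator. In the advisory the generator can raise a PHP
 * error, which hands control to user code before the generator returns; the
 * hook models that re-entry. */
static char *create_sid(session_t *s) {
    if (s->user_hook) s->user_hook(s);
    return pool_alloc("generated-sid");
}

/* Ordering shown in the advisory: free first, assign afterwards. Between the
 * two statements s->id still points at the released block. */
static void regenerate_vulnerable(session_t *s) {
    if (s->id) pool_free(s->id);
    s->id = create_sid(s);
}

/* Hardened ordering (a defensive rewrite, not the upstream PHP change): obtain
 * the replacement before releasing anything, so the field never dangles, and
 * keep the old id if generation fails. */
static void regenerate_hardened(session_t *s) {
    char *fresh = create_sid(s);
    if (!fresh) return;
    if (s->id) pool_free(s->id);
    s->id = fresh;
}

/* Hypothetical handler behaviour from the advisory's description: user code
 * calls session_id() while regeneration is in flight. */
static void hook_calls_session_id(session_t *s) {
    session_set_id(s, "handler-chosen");
}

/* Run one regeneration strategy from a clean state and report how many
 * releases of non-live memory the simulated allocator observed. */
static int double_frees_with(void (*regen)(session_t *)) {
    memset(live, 0, sizeof live);
    double_frees = 0;
    session_t s = { NULL, hook_calls_session_id };
    s.id = pool_alloc("old-sid");
    regen(&s);
    return double_frees;
}

int main(void) {
    printf("free-then-assign ordering: %d double free(s)\n",
           double_frees_with(regenerate_vulnerable));
    printf("assign-then-free ordering: %d double free(s)\n",
           double_frees_with(regenerate_hardened));
    return 0;
}
```

With the free-then-assign ordering the handler's call to session_set_id() releases the block that regenerate_vulnerable() already freed, so the counter reads 1; with the replacement obtained first, the handler's release and the final release each hit a live block and the counter stays at 0. The same reasoning applies to any field that is freed and reassigned across a call that can re-enter user code.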
Test method:
The procedures (methods) provided by this site may be offensive in nature and are for security research and teaching purposes only; use them at your own risk.
http://www.php-security.org/MOPB/code/MOPB-22-2007.php
SEBUG security advice:
No solution is currently available.