Date: Mon, 18 May 2015 11:01:14 +0200
From: Andrea Palazzo <andrea.palazzo@...el.it>
To: Stanislav Malyshev <smalyshev@...il.com>, cve-assign@...re.org
CC: oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption

Hi Stas,
While I agree with what you say about the huge memory allocation needed, I 
wouldn't say this requires the ability to run arbitrary code: 
controlling str_repeat() arguments is enough to create a corrupted 
zval and inject an eventual payload somewhere in memory (which, 
again, is unlikely but possible).
About code execution, I haven't had the chance to focus on actual 
exploitation yet (I surely will in the near future), but as you can see 
from the original report (https://bugs.php.net/bug.php?id=69403), I 
pointed out several cases in which working on such a crafted zval would 
lead to invalid memory access (with user-controlled values as well), so 
I am pretty confident it is achievable.


On 18/05/2015 10:35, Stanislav Malyshev wrote:
> Hi!
>
>> Hi everyone,
>> this is intended as CVE Request and advisory for
>> https://bugs.php.net/bug.php?id=69403.
> I do not think this requires a CVE, as this needs a specially crafted PHP
> script (i.e. local access or the ability to run arbitrary PHP code) and
> memory settings allowing allocation of huge (>4G) values, which seems
> unlikely to happen on a common production system. I am not sure how a
> remote code execution vector can be provided for this issue; if you have
> an example, please clarify.
>
> Thanks,
