Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 May 2015 15:43:54 -0700
From: Stanislav Malyshev <smalyshev@...il.com>
To: Andrea Palazzo <andrea.palazzo@...el.it>
CC: oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based
 memory corruption

Hi!

> About code execution, I haven't had the chance to focus on actual
> exploitation yet (I surely will in the near future), but as you can see
> from the original report (https://bugs.php.net/bug.php?id=69403), I
> pointed out several cases in which working on a so-crafted zval would
> lead to invalid memory access (with user controlled values as well), so
> I am pretty confident it is achievable.

These examples all seem to require specific code (like
'md5(str_repeat("a", 4294967294-1));') to be run. The probability that
applications would contain this specific code with str_repeat argument
controlled by remote user seems to be pretty low. However, if you can
show exploiting this on a code of an application that is not specially
crafted to demonstrate this issue, or at least resembles code that is
likely to be deployed in a real application, I will gladly change my
opinion.

-- 
Stas Malyshev
smalyshev@...il.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ