FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

php -- memory_limit related vulnerability

Affected packages
mod_php4-twig <= 4.3.7_3
php4 <= 4.3.7_3
php4-cgi <= 4.3.7_3
php4-cli <= 4.3.7_3
php4-dtc <= 4.3.7_3
php4-horde <= 4.3.7_3
php4-nms <= 4.3.7_3
mod_php4 <= 4.3.7_3,1
php5 <= 5.0.0.r3_2
php5-cgi <= 5.0.0.r3_2
php5-cli <= 5.0.0.r3_2
mod_php5 <= 5.0.0.r3_2,1

Details

VuXML ID dd7aa4f1-102f-11d9-8a8a-000c41e2cdad
Discovery 2004-07-07
Entry 2004-09-27
Modified 2004-10-02

Stefan Esser of e-matters discovered a condition within PHP that may lead to remote execution of arbitrary code. The memory_limit facility is used to notify functions when memory constraints have been met. Under certain conditions, the entry into this facility is able to interrupt functions such as zend_hash_init() at locations not suitable for interruption. The result would leave these functions in a vulnerable state.

An attacker that is able to trigger the memory_limit abort within zend_hash_init() and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer. [...]

All mentioned places outside of the extensions are quite easy to exploit, because the memory allocation up to those places is deterministic and quite static throughout different PHP versions. [...]

Because the exploit itself consists of supplying an arbitrary destructor pointer, this bug is exploitable on any platform.
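
The interruption problem described above, as an added C illustration that is neither PHP's code nor part of the advisory: a simplified HashTable stand-in whose init routine performs a fallible allocation (a byte counter standing in for memory_limit) before it writes the destructor pointer, beside a version that puts every field into a defined state first. The names hash_init_vulnerable, hash_init_fixed, limited_calloc and destructor_is_stale, and the stale-heap pattern, are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative stand-in for a PHP HashTable (not PHP's own definition). */
typedef void (*dtor_func_t)(void *);
typedef struct {
    void **arBuckets;
    dtor_func_t pDestructor;
} HashTable;

/* Simulated memory_limit: an allocation above this many bytes "aborts". */
static size_t mem_limit = 64;

static void *limited_calloc(size_t n, size_t sz) {
    if (n * sz > mem_limit) return NULL;   /* stands in for the memory_limit abort */
    return calloc(n, sz);
}

/* Byte pattern standing in for stale, possibly attacker-influenced heap contents. */
#define STALE_BYTE 0x41

/* Vulnerable ordering: the fallible allocation runs before pDestructor is set,
 * so an abort leaves whatever the chunk previously held as the destructor. */
int hash_init_vulnerable(HashTable *ht, size_t nSize, dtor_func_t d) {
    ht->arBuckets = limited_calloc(nSize, sizeof(void *));
    if (!ht->arBuckets) return -1;        /* interrupted: pDestructor never written */
    ht->pDestructor = d;
    return 0;
}

/* Hardened ordering: all fields are defined before anything can fail, so a later
 * cleanup sees a valid destructor and a NULL bucket array instead of stale data. */
int hash_init_fixed(HashTable *ht, size_t nSize, dtor_func_t d) {
    ht->pDestructor = d;
    ht->arBuckets = NULL;
    ht->arBuckets = limited_calloc(nSize, sizeof(void *));
    return ht->arBuckets ? 0 : -1;
}

/* Returns 1 if, after an aborted init, pDestructor still holds the stale pattern,
 * i.e. a cleanup path would call through data the initializer never wrote. */
int destructor_is_stale(int (*init)(HashTable *, size_t, dtor_func_t)) {
    HashTable ht;
    memset(&ht, STALE_BYTE, sizeof ht);   /* reused chunk: contents are not ours */
    init(&ht, 1024, free);                /* 1024 pointers exceed mem_limit: abort */
    const uint8_t *p = (const uint8_t *)&ht.pDestructor;
    for (size_t i = 0; i < sizeof ht.pDestructor; i++)
        if (p[i] != STALE_BYTE) return 0;
    return 1;
}
```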

References

Bugtraq ID 10725
CVE Name CVE-2004-0594
Message 20040713225329.GA26865@e-matters.de
URL http://security.e-matters.de/advisories/112004.html