SecurityReason.com - Our Reason is Security

SecurityAlert Database

Topic:

PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability

SecurityAlert: 2315
CVE: CVE-2007-0988
SecurityRisk: Medium
Remote Exploit: No
Local Exploit: Yes
Exploit Available: Yes
Credit: Stefan Esser
Published: 03.03.2007

Affected Software: PHP 4.4.4 / 5.2.0 and below.



Advisory Content:

A user-supplied serialized string can, on 64-bit systems, trigger a tight
endless loop inside zend_hash_init(), exhausting CPU resources.

Before PHP 4.3.11 was released it was discovered that the unserialize()
function could be made to produce a tight endless loop inside
zend_hash_init() through a negative array element count stored inside the
serialized string.

This was fixed by raising an error when a negative element count was found,
before the value was passed to zend_hash_init(). When such a value did reach
that function, it caused a shift-left integer overflow in the loop that
rounds the requested table size up to a power of two, and that loop never
terminated.

A while later there were problems with unserialize() on 64-bit systems,
which resulted in several variables being changed from the 'int' to the
'long' type. Unfortunately zend_hash_init() still works with 'int's, so only
the lower 32 bits of the element count are passed from unserialize() to
zend_hash_init().

The protection against negative element counts therefore no longer works:
a count such as 2147483649 is positive as a 64-bit 'long' and passes the
check, but its lower 32 bits (0x80000001) are a negative 32-bit 'int', which
is exactly the case the check was meant to exclude.

Proof of concept, exploit or instructions to reproduce

To reproduce it, run the following PHP code on a 64-bit system:

<?php unserialize("a:2147483649:{"); ?>
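The following C program is an added example, not code from the advisory or from PHP itself. It models the two layers described above: the count parsed out of the "a:<count>:{" prefix, checked for negativity on a 64-bit integer (int64_t stands in for the engine's 'long' on an LP64 build), then narrowed to 32 bits and fed to a copy of the old power-of-two rounding loop. The loop is bounded so the demonstration terminates instead of hanging, and the undefined 1U << 32 is emulated with the 5-bit shift-count masking that x86 applies, which is the assumption under which the original loop spins. The hardened path (the extra range check and the clamp in the rounding routine) is a reconstruction written for this example, not a quotation of the fix shipped in PHP 4.4.5 / 5.2.1.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Return codes of simulate_unserialize(); a positive value is the hash
 * table size the engine would allocate. */
enum { MALFORMED = -1, REJECTED = -2, HANGS = 0 };

/* Bound on loop iterations so the demonstration itself terminates. */
#define MAX_ITER 64

/* Parse the "a:<count>:{" prefix of a serialized PHP array, which is all
 * unserialize() has consumed when it sizes the array's hash table.
 * Returns 1 and stores the count, or 0 on malformed input. */
static int parse_array_count(const char *s, int64_t *count) {
    char *end;
    long long v;
    if (s[0] != 'a' || s[1] != ':') return 0;
    errno = 0;
    v = strtoll(s + 2, &end, 10);
    if (errno != 0 || end == s + 2 || end[0] != ':' || end[1] != '{') return 0;
    *count = (int64_t)v;
    return 1;
}

/* Mirror of the size rounding loop in the pre-fix zend_hash_init():
 *     uint i = 3;  while ((1U << i) < nSize) i++;
 * Once nSize exceeds 0x80000000 the loop needs 1U << 32, which is
 * undefined in C; x86 masks the shift count to 5 bits, so the value
 * wraps to 1 and the loop never converges.  The masking is written out
 * explicitly here (assumption: x86 semantics) so the behaviour is
 * defined and reproducible. */
static uint32_t round_table_size_old(uint32_t nSize) {
    unsigned i = 3;
    int n = 0;
    while ((1U << (i & 31)) < nSize) {
        i++;
        if (++n >= MAX_ITER) return HANGS;  /* would spin forever */
    }
    return 1U << (i & 31);
}

/* Same loop with a clamp added for this example: any request of
 * 0x80000000 or more is capped before rounding, so i never exceeds 31. */
static uint32_t round_table_size_fixed(uint32_t nSize) {
    unsigned i = 3;
    if (nSize >= 0x80000000u) return 0x80000000u;
    while ((1U << i) < nSize) i++;
    return 1U << i;
}

/* Drive both layers.  'hardened' selects the extra unserialize-side check
 * (the count must also fit a 32-bit int) and the clamped hash init. */
static int64_t simulate_unserialize(const char *payload, int hardened) {
    int64_t elements;
    uint32_t nSize, size;

    if (!parse_array_count(payload, &elements)) return MALFORMED;

    /* PHP 4.3.11 check, performed on the 64-bit value */
    if (elements < 0) return REJECTED;
    /* Added guard: reject anything that does not survive narrowing to int */
    if (hardened && elements > INT_MAX) return REJECTED;

    /* The call into zend_hash_init() narrows the count to 32 bits; this is
     * where 2147483649 (0x80000001) becomes a "negative" int. */
    nSize = (uint32_t)elements;

    size = hardened ? round_table_size_fixed(nSize) : round_table_size_old(nSize);
    return (int64_t)size;   /* HANGS (0): the old loop never converged */
}

int main(void) {
    /* Constructed inputs: a normal array, the advisory's PoC string, the
     * count whose low 32 bits are all ones, and a genuinely negative count. */
    const char *inputs[] = { "a:2:{i:0;i:1;}", "a:2147483649:{",
                             "a:4294967295:{", "a:-1:{" };
    size_t k;
    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int64_t old = simulate_unserialize(inputs[k], 0);
        int64_t fix = simulate_unserialize(inputs[k], 1);
        printf("%-18s old: %lld  hardened: %lld\n", inputs[k],
               (long long)old, (long long)fix);
    }
    return 0;
}
```

Note that 2147483648 (exactly 0x80000000) still terminates in the old loop, because 1U << 31 is not less than it; the PoC's 2147483649 is the smallest count that pushes the shift to 32 bits. The check on the 64-bit value is the right layer for the fix: once the count has been narrowed, a value such as 4294967296 + 5 is indistinguishable from 5, so a clamp inside the rounding loop alone cannot tell a sane request from a truncated one.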

Notes

PHP 4.4.5 and PHP 5.2.1 already contain fixes for this vulnerability.

Keep in mind that the script is still terminated once max_execution_time
is reached (on Linux the limit is enforced with a CPU-time timer, so a tight
loop does hit it). That limit caps each request, not the attack: with the
limit set to 30 seconds, 10 requests that trigger the endless loop produce
300 seconds of 100% CPU load, i.e. 5 minutes on a single core.




