Home / os / win7

PHP 5.3.3 ibase_gen_id() off-by-one Overflow Vulnerability

Posted on 18 August 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>PHP 5.3.3 ibase_gen_id() off-by-one Overflow Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==========================================================
PHP 5.3.3 ibase_gen_id() off-by-one Overflow Vulnerability
==========================================================

=== Vulnerability ===
PHP 5.3.3 (Possible All versions) ibase_gen_id() off-by-one overflow
 
=== Author ===
cb
 
=== Description ===
User-supplied variable &quot;generator&quot; copied to 128 byte buffer &quot;query&quot;
size of query variable. So
its cause off-by-one overflow. You can see [1] snprintf copy statement
to &quot;query&quot; variable.
 
/* {{{ proto int ibase_gen_id(string generator [, int increment [,
resource link_identifier ]])
   Increments the named generator and returns its new value */
PHP_FUNCTION(ibase_gen_id)
{
    zval *link = NULL;
    char query[128], *generator;
    int gen_len;
    long inc = 1;
    ibase_db_link *ib_link;
    ibase_trans *trans = NULL;
    XSQLDA out_sqlda;
    ISC_INT64 result;
 
    RESET_ERRMSG;
 
    if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,
&quot;s|lr&quot;, &amp;generator, &amp;gen_len,
            &amp;inc, &amp;link)) {
        RETURN_FALSE;
    }
 
    PHP_IBASE_LINK_TRANS(link, ib_link, trans);
     
    [1] snprintf(query, sizeof(query), &quot;SELECT GEN_ID(%s,%ld) FROM
rdb$database&quot;, generator, inc);
...
}  
 
=== Patch ===
    Replace [1] with [2].
     
    --- [1] snprintf(query, sizeof(query), &quot;SELECT GEN_ID(%s,%ld) FROM
rdb$database&quot;, generator, inc);
    +++ [2] snprintf(query, sizeof(query) - 1  &quot;SELECT GEN_ID(%s,%ld)
FROM rdb$database&quot;, generator, inc);
 
===========================================================================
Download:
http://www.inj3ct0r.com/sploits/13732.zip


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP