php5.2.3 remote CGI buffer overflow vulnerability 2008-02-16 11:41
yuange http://hi.baidu.com/yuange1975
Affected version: php5.2.3
Unaffected versions: all other versions
When php5.2.3 processes a CGI request, a programming error (missing parentheses) causes the length of a string to be miscalculated, resulting in a heap buffer overflow that may allow remote execution of arbitrary code.
Trigger method: configure the CGI mapping from .php to php.exe, then request GET /test.php/aa HTTP/1.1
The error is at php-5.2.3\sapi\cgi\cgi_main.c line 886:
int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;
The program should read
int path_translated_len = ptlen + (env_path_info ? strlen(env_path_info) : 0);
Program processing flow:
main()
{
    ......
    init_request_info(TSRMLS_C);
    ......
}
static void init_request_info(TSRMLS_D)
{
    ......
    int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;
    ......
    path_translated = (char *)emalloc(path_translated_len + 1);
    ......
    if (env_path_info) {
        memcpy(path_translated + ptlen, env_path_info, path_translated_len - ptlen);
    }
}
================ AppNinja learning notes (dividing line from the original advisory) ================
https://blog.csdn.net/a2831942318
=================================================================
Study time: 2023-03-17
Compilation environment: VS2022x64
#include <stdlib.h>
#include <string.h>

#define TSRMLS_D 1

/* Reproduction of the php-5.2.3 cgi_main.c bug; the missing parentheses are kept on purpose */
static void init_request_info(int Flag)
{
    int ptlen = 5;                      /* length of the translated path prefix */
    const char* env_path_info = "aa";   /* PATH_INFO portion of the request */
    /* '+' binds before '?:', so this is evaluated as (ptlen + env_path_info) ? strlen(env_path_info) : 0 */
    int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;
    char* path_translated = (char*)malloc(path_translated_len + 1); // emalloc->malloc
    if (env_path_info) {
        size_t nMemcpyLen = path_translated_len - ptlen;          /* 2 - 5 wraps to a huge size_t */
        memcpy(path_translated + ptlen, env_path_info, nMemcpyLen); /* heap buffer overflow */
    }
    free(path_translated);
}
/*
1. When ptlen = 5 and env_path_info = NULL, the code reaches strlen(NULL) and crashes.
2. When ptlen = 5 and env_path_info = "aa", path_translated_len is 2, malloc allocates 3 bytes,
   nMemcpyLen = 2 - 5 = 0xfffffffd,
   and memcpy(path_translated + 5, env_path_info, 0xfffffffd) is executed.
*/
1. When ptlen = 5 and env_path_info = NULL, the code reaches strlen(NULL) and crashes.
Knowledge point: the C language has 15 precedence levels:
Level (highest to lowest)   Operators (space-separated)               Associativity
 1                          () [] -> .                                left to right
 2                          ! ~ ++ -- + - * (type) sizeof             right to left
 3                          * / %                                     left to right
 4                          + -                                       left to right
 5                          << >>                                     left to right
 6                          < <= > >=                                 left to right
 7                          == !=                                     left to right
 8                          &                                         left to right
 9                          ^                                         left to right
10                          |                                         left to right
11                          &&                                        left to right
12                          ||                                        left to right
13                          ?:                                        right to left
14                          = += -= *= /= %= &= ^= |= <<= >>=         right to left
15                          ,                                         left to right
The conditional (ternary) operator "?:" sits at level 13, the third-lowest of the 15 precedence levels, well below "+" at level 4.
The code therefore performs the addition ptlen + env_path_info first and uses that pointer as the condition, so with env_path_info = NULL the condition is the non-null value 5 and strlen(NULL) is still called:
int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;
2. When ptlen = 5 and env_path_info = "aa", the condition is again the non-null pointer ptlen + env_path_info, so path_translated_len becomes strlen("aa") = 2 without ptlen ever being added, and malloc allocates 3 bytes.
nMemcpyLen = 2 - 5 = 0xfffffffd (the negative int difference wraps when converted to size_t),
and memcpy(path_translated + 5, env_path_info, 0xfffffffd) is executed, writing far past the 3-byte heap allocation.
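The following is an added example, not code from the advisory, the learning notes or PHP itself. It recomputes the two lengths from points 1 and 2 above with both the buggy and the corrected expression, and shows the underflowed memcpy size and a length check that would catch it, without performing the copy; ptlen = 5 and env_path_info = "aa" are the constructed sample values used on this page.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the page's or PHP's code): recompute the lengths
 * from cgi_main.c with the buggy and the corrected expression, without
 * ever calling memcpy, so the underflow can be observed safely.
 * ptlen and env_path_info are constructed sample values. */

/* Buggy form: '+' (level 4) binds before '?:' (level 13), so the
 * condition is (ptlen + env_path_info), a non-null pointer, and the
 * result is just strlen(env_path_info); ptlen is never added.
 * Must not be called with env_path_info == NULL: it would do
 * strlen(NULL), exactly the crash described in point 1. */
int buggy_path_translated_len(int ptlen, const char *env_path_info)
{
    return ptlen + env_path_info ? (int)strlen(env_path_info) : 0;
}

/* Corrected form: the ternary is parenthesised, so ptlen is added to
 * the PATH_INFO length and a NULL PATH_INFO is handled. */
int fixed_path_translated_len(int ptlen, const char *env_path_info)
{
    return ptlen + (env_path_info ? (int)strlen(env_path_info) : 0);
}

/* The byte count the code hands to memcpy: an int difference converted
 * to size_t. A negative difference wraps to a huge unsigned value. */
size_t memcpy_len(int path_translated_len, int ptlen)
{
    return (size_t)(path_translated_len - ptlen);
}

/* Check a reviewer would want before the copy: the destination offset
 * must not exceed the total length, otherwise the size_t wraps. */
int copy_len_is_sane(int path_translated_len, int ptlen)
{
    return path_translated_len >= ptlen;
}

int main(void)
{
    int ptlen = 5;
    const char *env_path_info = "aa";
    int bad = buggy_path_translated_len(ptlen, env_path_info);
    int good = fixed_path_translated_len(ptlen, env_path_info);
    printf("buggy: len=%d memcpy=%zu sane=%d\n", bad, memcpy_len(bad, ptlen), copy_len_is_sane(bad, ptlen));
    printf("fixed: len=%d memcpy=%zu sane=%d\n", good, memcpy_len(good, ptlen), copy_len_is_sane(good, ptlen));
    return 0;
}
```

On a 32-bit build the buggy memcpy size prints as 0xfffffffd in hex, matching the value in point 2; on the VS2022 x64 build used above, size_t is 64 bits wide and the same wrapped difference is correspondingly larger.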