Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
README.md
poc.php

README.md

CVE-2011-1092

Experiment Environment

Ubuntu 11.04

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2011-1092/php-5.3.3.tar.gz
tar -xvf php-5.3.3.tar.gz
cd php-5.3.3
./configure
make

Problems in Installation & Configuration

How to trigger vulnerability

./sapi/cli/php poc.php

PoCs

PHP 5.3.6 - 'shmop_read()' Integer Overflow Denial of Service

Integer overflow in shmop_read()

PHP <= 5.3.6 shmop_read() Integer Overflow DoS

Vulnerability Details & Patch

Root Cause

The problem is in the shmop_read php function, in the file ext/shmop/shmop.c. This functions reads a given number of bytes from memory, at a given offset starting from a shared memory area.

string shmop_read (int shmid, int start, int count)

Inside the code of the function itself, there are checks in the start parameter and in the count parameter, to avoid reading arbitrary memory outside the shared memory object:

if (start < 0 || start > shmop->size) {
    php_error_docref(NULL TSRMLS_CC, E_WARNING, "start is out of range");
    RETURN_FALSE;
}

if (start + count > shmop->size || count < 0) {
    php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
    RETURN_FALSE;
}

The first block check if start is lower than 0 or bigger than the size of the shared memory area.

The second block checks that the SUM (ADDITION) of "start" and "count" is not greater than the shared memory area, and later checks if count its not lower than 0.

Stack Trace

Patch

http://svn.php.net/viewvc/php/php-src/trunk/ext/shmop/shmop.c?r1=309018&r2=309017&pathrev=309018

References

You can’t perform that action at this time.