PHP session_regenerate_id function Double free Memory Corruption Vulnerability _php Tutorial

sebug-id:1491sebug-appdir:php
Date: 2007-03-17
Impact Version:
PHP php 5.2.1
PHP php 5.1.6
PHP php 5.1.5
PHP php 5.1.4
PHP php 5.1.3
PHP php 5.1.3
PHP php 5.1.2
PHP php 5.1.1
PHP PHP 5.1
PHP php 5.0.5
PHP php 5.0.4
PHP php 5.0.3
+ Trustix Secure Linux 2.2
PHP php 5.0.2
PHP php 5.0.1
PHP PHP 5.0 Candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 Candidate 1
PHP PHP 5.0.0
PHP PHP 5.2
Vulnerability Description:
PHP is a widely used web development scripting language.
The PHP session_regenerate_id function has a dual-release content corruption problem that can be exploited by a remote attacker to perform a denial-of-service attack on an application that could lead to arbitrary instruction execution.
The session_regenerate_id () function first releases the old session recognizer and immediately assigns the new values generated by the session recognition generator:
Copy CodeThe code is as follows:
Php_function (session_regenerate_id)
{
...
if (PS (ID)) {
...
Efree (PS (id));
}
PS (id) = PS (mod)->s_create_sid (&ps (mod_data), NULL tsrmls_cc);
PS (Send_cookie) = 1;
PHP_SESSION_RESET_ID (Tsrmls_c);
Return_true;
}
Return_false;
}

However, this allocation operation is not an atomic operation. This can be interrupted by a memory-constrained conflict operation, and, depending on the PHP configuration, the generator can trigger PHP errors and can cause an interrupt.
Copy CodeThe code is as follows:
Phpapi Char *php_session_create_id (Ps_create_sid_args)
{
...
Switch (PS (hash_func)) {
...
Default
Php_error_docref (NULL tsrmls_cc, E_error, "Invalid session hash function");
Efree (BUF);
return NULL;
}
...
if (PS (Hash_bits_per_character) < 4
|| PS (Hash_bits_per_character) > 6) {
PS (Hash_bits_per_character) = 4;
Php_error_docref (NULL tsrmls_cc, e_warning, "The INI setting hash_bits_per_character ...");
}
...

This issue can be easily exploited by registering a malicious user space error handler. When this processor calls a hash table to be assigned to the same place as the former session recognizer, then the malicious error handler can call the session_id () function and allocate the same place as the hash table that contains the forged hash table, which triggers another release of the previous session recognizer. When the user error handler is complete, the overwritten hash table is deconstructed and the attacker's code is invoked.
Http://www.php-security.org/MOPB/MOPB-22-2007.html
Test method:
[Www.sebug.net]
The site provider (method) may be offensive, only for security research and teaching purposes, at your own risk!
http://www.php-security.org/MOPB/code/MOPB-22-2007.php
SEBUG Safety Recommendations:
There are currently no solutions available:

http://www.bkjia.com/PHPjc/322795.html www.bkjia.com true http://www.bkjia.com/PHPjc/322795.html techarticle sebug-id:1491 sebug-appdir:php Release Date: 2007-03-17 impact version: PHP php 5.2.1 php php 5.1.6 php php 5.1.5 php php 5.1.4 php php 5 .1.3 php php 5.1.3 php php 5.1.2 php php 5.1.1 ...

