SEBUG-Appdir:PHP
Release time: 2007-03-17
Affected versions:
PHP PHP 5.2.1
PHP PHP 5.1.6
PHP PHP 5.1.5
PHP PHP 5.1.4
PHP PHP 5.1.3
PHP PHP 5.1.2
PHP PHP 5.1.1
PHP PHP 5.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
+ Trustix Secure Linux 2.2
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0.0
PHP PHP 5.2
Vulnerability description:
PHP is a widely used web development scripting language.
The PHP session_regenerate_id() function has a double-free memory corruption issue. Remote attackers can use this vulnerability to cause a denial of service in affected applications, and it may lead to execution of arbitrary code. The session_regenerate_id() function first frees the old session identifier and then immediately assigns the new value produced by the session identifier generator:
The code is as follows:
PHP_FUNCTION(session_regenerate_id)
{
    ...
        if (PS(id)) {
            ...
            efree(PS(id));   /* old identifier released, but PS(id) still points at it */
        }
        /* the generator runs here, between the free and the assignment */
        PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
        PS(send_cookie) = 1;
        php_session_reset_id(TSRMLS_C);
        RETURN_TRUE;
    }   /* closes the enclosing block opened within the elision above */
    RETURN_FALSE;
}
But this assignment is not atomic: between the efree() and the assignment the generator runs, and it can be interrupted by events such as a memory-limit violation. Additionally, depending on the PHP configuration, the generator itself can raise a PHP error, which hands control to a user error handler.
The code is as follows:
PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
{
    ...
    switch (PS(hash_func)) {
        ...
        default:
            /* fatal error path */
            php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid session hash function");
            efree(buf);
            return NULL;
    }
    ...
    if (PS(hash_bits_per_character) < 4 || PS(hash_bits_per_character) > 6) {
        PS(hash_bits_per_character) = 4;
        /* warning: a registered userspace error handler runs here, while PS(id) is dangling */
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character...");
    }
    ...
}
This problem can be exploited easily by registering a malicious userspace error handler. When that handler is called, a hash table is allocated in the place of the previously freed session identifier. The handler can then trigger a second free of the previous session identifier by calling session_id(), and allocate a hash table containing a fake hash table at the same location. When the user error handler returns, the overwritten hash table is destructed and attacker-supplied code is called.
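The free-then-assign window described above, and the pointer-clearing mitigation for it, modelled as an added C example (not PHP's source and not from the advisory): the PHP globals, the session_id() call inside a user error handler and the sid generator are replaced by constructed stand-ins, and an instrumented allocator counts a second free of the same pointer instead of performing it.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of PHP's session globals: PS(id) is a heap string. */
typedef struct { char *id; int generator_fails; } session_t;
/* Instrumented allocator: tracks live pointers so that freeing a pointer that
   is no longer live is counted instead of being handed to the C runtime. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int double_free_count;
static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    strcpy(p, s);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    abort();
}
static void tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;   /* p is not live: this is the second free */
}
/* Stand-in for a userspace error handler that calls session_id(): releases the current id. */
static void user_error_handler(session_t *s) {
    if (s->id) { tracked_free(s->id); s->id = NULL; }
}
/* Stand-in for s_create_sid(): on a generator error the registered handler runs first. */
static char *create_sid(session_t *s) {
    if (s->generator_fails) { user_error_handler(s); return NULL; }
    return tracked_strdup("newsid");
}
/* Vulnerable shape: old id freed, PS(id) still points at it while the generator runs. */
int regenerate_id_vulnerable(session_t *s) {
    if (s->id) tracked_free(s->id);      /* PS(id) is now dangling */
    s->id = create_sid(s);
    return s->id != NULL;
}
/* Hardened shape: clear the pointer as soon as it is freed, so a re-entrant
   call finds no id to release. */
int regenerate_id_fixed(session_t *s) {
    if (s->id) { tracked_free(s->id); s->id = NULL; }
    s->id = create_sid(s);
    return s->id != NULL;
}

/* Runs one scenario; returns the number of double frees recorded. */
int run_scenario(int (*regen)(session_t *), int generator_fails) {
    session_t s = { tracked_strdup("oldsid"), generator_fails };
    double_free_count = 0;
    regen(&s);
    if (s.id) tracked_free(s.id);
    return double_free_count;
}
```

Only the vulnerable shape with a failing generator records a second free; clearing the pointer immediately after efree() closes the window even when the handler re-enters.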
http://www.php-security.org/MOPB/MOPB-22-2007.html
Test method:
The programs (methods) provided by this site may be offensive and are for security research and teaching purposes only; use them at your own risk!
http://www.php-security.org/MOPB/code/MOPB-22-2007.php
SEBUG security recommendations:
No solution is currently provided.