Analysis of integer overflow vulnerability in chunk_split() function under PHP5.2

Home

Backend Development

PHP Tutorial

Analysis of integer overflow vulnerability in chunk_split() function under PHP5.2_PHP Tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 21, 2016 pm 03:55 PM

phpsplitDownfunctionanalyzeInfluenceintegeroverflowloopholessystem

Affected systems:
PHP PHP Unaffected systems:
PHP PHP 5.2.3
Description:
------------ -------------------------------------------------- ------------------
BUGTRAQ ID: 24261
CVE(CAN) ID: CVE-2007-2872

PHP is a popular WEB server-side programming language.

The chunk_split function in PHP has an integer overflow vulnerability when processing malformed parameters. Local attackers may use this vulnerability to escalate their own privileges.

Line 1963 of the chunk_split function in PHP attempts to allocate sufficient memory size for the function result, but uses the srclen and chunklen parameter blocks without performing any checks. If the block and endlen of the value are larger than 65534 bytes, an integer overflow will be triggered and the wrong memory size will be allocated, causing a heap overflow.

ext/standard/string.c：

1953 static char *php_chunk_split(char *src, int srclen, char *end,
int endlen, int chunklen, int *destlen)
1954 {
1955 char *dest;
1956 char *p, *q;
1957 int chunks; /* complete chunks! */
1958 int restlen;
1959
1960 chunks = srclen / chunklen;
1961 restlen = srclen - chunks * chunklen; /* srclen % chunklen */
1962
1963 dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1),
sizeof(char), 0);
1964
1965 for (p = src, q = dest; p 1966 memcpy(q, p, chunklen);
1967 q += chunklen;
1968 memcpy(q, end, endlen);
1969 q += endlen;
1970 p += chunklen ;
1971 }

Link: http://marc.info/?l=bugtraq&m=118071054000708&w=2
http:// www.php.net/releases/5_2_3.php
http://secunia.com/advisories/25456/
*>

Test method:
------ -------------------------------------------------- --------------------------

Warning

The following procedures (methods) may be offensive and are only for For security research and teaching purposes. Use at your own risk!

$a=str_repeat("A", 65535);
$b=1;
$c=str_repeat("A", 65535);
chunk_split($a,$b,$c);
?>

Suggestion:
--------------------- -------------------------------------------------- ----------
Manufacturer patch:

PHP
---
Currently, the manufacturer has released an upgrade patch to fix this security issue. Please go to the manufacturer's homepage to download it. ：

http://www.php.net/downloads.php#v5

Article from: NSFOCUS Technology

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

What data can be stored in a PHP session?May 02, 2025 am 12:17 AM

PHPsessionscanstorestrings,numbers,arrays,andobjects.1.Strings:textdatalikeusernames.2.Numbers:integersorfloatsforcounters.3.Arrays:listslikeshoppingcarts.4.Objects:complexstructuresthatareserialized.

How do you start a PHP session?May 02, 2025 am 12:16 AM

TostartaPHPsession,usesession_start()atthescript'sbeginning.1)Placeitbeforeanyoutputtosetthesessioncookie.2)Usesessionsforuserdatalikeloginstatusorshoppingcarts.3)RegeneratesessionIDstopreventfixationattacks.4)Considerusingadatabaseforsessionstoragei

What is session regeneration, and how does it improve security?May 02, 2025 am 12:15 AM

Session regeneration refers to generating a new session ID and invalidating the old ID when the user performs sensitive operations in case of session fixed attacks. The implementation steps include: 1. Detect sensitive operations, 2. Generate new session ID, 3. Destroy old session ID, 4. Update user-side session information.

What are some performance considerations when using PHP sessions?May 02, 2025 am 12:11 AM

PHP sessions have a significant impact on application performance. Optimization methods include: 1. Use a database to store session data to improve response speed; 2. Reduce the use of session data and only store necessary information; 3. Use a non-blocking session processor to improve concurrency capabilities; 4. Adjust the session expiration time to balance user experience and server burden; 5. Use persistent sessions to reduce the number of data read and write times.

How do PHP sessions differ from cookies?May 02, 2025 am 12:03 AM

PHPsessionsareserver-side,whilecookiesareclient-side.1)Sessionsstoredataontheserver,aremoresecure,andhandlelargerdata.2)Cookiesstoredataontheclient,arelesssecure,andlimitedinsize.Usesessionsforsensitivedataandcookiesfornon-sensitive,client-sidedata.

How does PHP identify a user's session?May 01, 2025 am 12:23 AM

PHPidentifiesauser'ssessionusingsessioncookiesandsessionIDs.1)Whensession_start()iscalled,PHPgeneratesauniquesessionIDstoredinacookienamedPHPSESSIDontheuser'sbrowser.2)ThisIDallowsPHPtoretrievesessiondatafromtheserver.

What are some best practices for securing PHP sessions?May 01, 2025 am 12:22 AM

The security of PHP sessions can be achieved through the following measures: 1. Use session_regenerate_id() to regenerate the session ID when the user logs in or is an important operation. 2. Encrypt the transmission session ID through the HTTPS protocol. 3. Use session_save_path() to specify the secure directory to store session data and set permissions correctly.

Where are PHP session files stored by default?May 01, 2025 am 12:15 AM

PHPsessionfilesarestoredinthedirectoryspecifiedbysession.save_path,typically/tmponUnix-likesystemsorC:\Windows\TemponWindows.Tocustomizethis:1)Usesession_save_path()tosetacustomdirectory,ensuringit'swritable;2)Verifythecustomdirectoryexistsandiswrita

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

What's New in Windows 11 KB5054979 & How to Fix Update Issues

4 weeks agoByDDD

How to fix KB5055523 fails to install in Windows 11?

3 weeks agoByDDD

InZoi: How To Apply To School And University

1 months agoByDDD

How to fix KB5055518 fails to install in Windows 10?

3 weeks agoByDDD

Where to find the Site Office Key in Atomfall

4 weeks agoByDDD

Hot Tools

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),