PHP _SESSION Deserialization Overwrite Vulnerability

2007.04.01
Credit: Stefan Esser
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A

When register_globals is activated, the deserialization of the session data can overwrite any global variable, including the _SESSION array. Because of its special implementation this can result in arbitrary code execution.

Detailed information

The summary says it all. For further clarification test the exploit.

Proof of concept, exploit or instructions to reproduce

The attached proof of concept code uses the substr_compare() information leak vulnerability to determine the offset to the shellcode and to a writeable address containing a NULL pointer. It then uses the described vulnerability to overwrite the _SESSION array with a fake Hashtable and trigger code execution.

Notes

Under normal circumstances this vulnerability can only be exploited locally. However, it might be possible for a remote attacker to use an application vulnerability to inject a session data file onto the server. Many applications have contained holes like this. Through this vulnerability it is then possible to execute arbitrary code on servers running such applications. The Suhosin extension protects you from this kind of attack in its default configuration, because session data is encrypted on the server and cannot easily be modified.

SecurityReason Note: Exploit - http://securityreason.com/exploitalert/2220
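The advisory's precondition is a session file whose top-level entries name variables the application never stored, such as `_SESSION` itself. A defender can check for exactly that: the following script, added here as an example and not part of the advisory or of Stefan Esser's proof of concept, parses the format written by PHP's default `php` session serialize handler (`name|value` entries, or `!name|` for a registered-but-undefined variable), lists the top-level variable names in each session file, and flags names that are PHP superglobals or are not valid PHP variable names at all. It assumes the `files` save handler and its `sess_*` naming under `session.save_path`; the two sample blobs are constructed, not taken from a real server.

```python
"""Audit PHP session files for entries that would land on a superglobal.

Added example, not the advisory's proof of concept. Reads the 'php' serialize
handler format only (not php_serialize or php_binary). Assumption: session
files are named sess_* in session.save_path, as the files handler writes them.
"""
import glob
import os
import re
from typing import Any, Dict, List, Tuple

SUPERGLOBALS = {"GLOBALS", "_SESSION", "_SERVER", "_GET", "_POST",
                "_COOKIE", "_REQUEST", "_FILES", "_ENV"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _pairs(data: bytes, p: int, count: int) -> Tuple[Dict[Any, Any], int]:
    """Parse `count` key/value pairs of an array or object body, then the '}'."""
    out: Dict[Any, Any] = {}
    for _ in range(count):
        key, p = _value(data, p)
        val, p = _value(data, p)
        out[key] = val
    if data[p:p + 1] != b"}":
        raise ValueError(f"expected '}}' at offset {p}")
    return out, p + 1


def _value(data: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one PHP-serialized value at `pos`; return (value, offset after it)."""
    t = data[pos:pos + 1]
    if t == b"N":                        # N;
        return None, pos + 2
    if t in (b"b", b"i", b"d"):          # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        if t == b"b":
            return raw == b"1", end + 1
        return (int(raw) if t == b"i" else float(raw)), end + 1
    if t == b"s":                        # s:5:"alice";  length counts bytes
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                # skip ':"'
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {start + length}")
        text = data[start:start + length].decode("utf-8", "replace")
        return text, start + length + 2
    if t == b"a":                        # a:<n>:{key value ...}
        colon = data.index(b":", pos + 2)
        return _pairs(data, colon + 2, int(data[pos + 2:colon]))
    if t == b"O":                        # O:<len>:"Class":<n>:{prop value ...}
        colon = data.index(b":", pos + 2)
        name_len = int(data[pos + 2:colon])
        cls = data[colon + 2:colon + 2 + name_len].decode("utf-8", "replace")
        p = colon + 2 + name_len + 2     # past the closing quote and ':'
        colon2 = data.index(b":", p)
        props, p = _pairs(data, colon2 + 2, int(data[p:colon2]))
        return ("object", cls, props), p
    raise ValueError(f"unknown type marker {t!r} at offset {pos}")


def parse_session_blob(blob: bytes) -> Dict[str, Any]:
    """Split a session file body into {variable name: value}."""
    entries: Dict[str, Any] = {}
    p = 0
    while p < len(blob):
        undefined = blob[p:p + 1] == b"!"   # '!name|' marks a variable without a value
        if undefined:
            p += 1
        bar = blob.index(b"|", p)
        name = blob[p:bar].decode("utf-8", "replace")
        p = bar + 1
        if undefined:
            entries[name] = None
        else:
            val, p = _value(blob, p)
            entries[name] = val
    return entries


def audit_session_blob(blob: bytes) -> List[Tuple[str, str]]:
    """Return (name, reason) for every top-level entry that should not be there."""
    findings = []
    for name in parse_session_blob(blob):
        if name in SUPERGLOBALS:
            findings.append((name, "names a PHP superglobal; overwritten on "
                                   "deserialization when register_globals is on"))
        elif not IDENT.fullmatch(name):
            findings.append((name, "not a valid PHP variable name"))
    return findings


def audit_save_path(save_path: str) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every sess_* file under save_path; unparseable data is itself a finding."""
    report = {}
    for path in sorted(glob.glob(os.path.join(save_path, "sess_*"))):
        with open(path, "rb") as fh:
            try:
                report[path] = audit_session_blob(fh.read())
            except ValueError as exc:
                report[path] = [("<file>", f"malformed session data: {exc}")]
    return report


# Constructed sample blobs (not captured from a real server).
BENIGN = b'user|s:5:"alice";cart|a:2:{i:0;s:4:"book";i:1;i:42;}'
TAMPERED = b'user|s:5:"alice";_SESSION|a:1:{s:1:"x";i:1;}'

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, findings in audit_save_path(sys.argv[1]).items():
            for name, why in findings:
                print(f"{path}: {name}: {why}")
    else:
        print("benign:", audit_session_blob(BENIGN))
        print("tampered:", audit_session_blob(TAMPERED))
```

Run it as `python audit_sessions.py /var/lib/php/sessions` (or whatever `session.save_path` is on the host) to get one line per suspicious entry. A hit only matters on a host that still runs with register_globals on, which is the real fix: with register_globals off, or with Suhosin's encrypted session data, a foreign `_SESSION` entry in the file never reaches the global symbol table.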

