PHP 5.6 heap-based buffer overflow in DNS TXT record parsing

2014-06-12 / 2014-06-13
Credit: Stefan Esser
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Stefan Esser pointed out that the following commit fixes a heap-based buffer overflow in DNS TXT record parsing: https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468 A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query. Can a CVE please be assigned if one has not been already? (Red Hat bug with no further details: https://bugzilla.redhat.com/show_bug.cgi?id=1108447) ext/standard/dns.c @@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int while (ll < dlen) { n = cp[ll]; + if ((ll + n) >= dlen) { + // Invalid chunk length, truncate + n = dlen - (ll + 1); + } memcpy(tp + ll , cp + ll + 1, n); add_next_index_stringl(entries, cp + ll + 1, n, 1); ll = ll + n + 1;

References:

http://seclists.org/oss-sec/2014/q2/516
https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468
https://bugzilla.redhat.com/show_bug.cgi?id=1108447


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top