FreeBSD : php -- memory_limit related vulnerability (dd7aa4f1-102f-11d9-8a8a-000c41e2cdad)

medium Nessus Plugin ID 19143

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Stefan Esser of e-matters discovered a condition within PHP that may lead to remote execution of arbitrary code. The memory_limit facility is used to notify functions when memory constraints have been met.
Under certain conditions, the entry into this facility is able to interrupt functions such as zend_hash_init() at locations not suitable for interruption. The result would leave these functions in a vulnerable state.

An attacker who is able to trigger the memory_limit abort within zend_hash_init(), and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer. [...]

All mentioned places outside of the extensions are quite easy to exploit, because the memory allocation up to those places is deterministic and quite static throughout different PHP versions.
[...]

Because the exploit itself consists of supplying an arbitrary destructor pointer, this bug is exploitable on any platform.

Solution

Update the affected packages.

See Also

https://marc.info/?l=bugtraq&m=108981780109154

http://www.nessus.org/u?83c215d0

http://www.nessus.org/u?9502549c

Plugin Details

Severity: Medium

ID: 19143

File Name: freebsd_pkg_dd7aa4f1102f11d98a8a000c41e2cdad.nasl

Version: 1.20

Type: local

Published: 7/13/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.5

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4.2

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:mod_php4, p-cpe:/a:freebsd:freebsd:mod_php4-twig, p-cpe:/a:freebsd:freebsd:mod_php5, p-cpe:/a:freebsd:freebsd:php4, p-cpe:/a:freebsd:freebsd:php4-cgi, p-cpe:/a:freebsd:freebsd:php4-cli, p-cpe:/a:freebsd:freebsd:php4-dtc, p-cpe:/a:freebsd:freebsd:php4-horde, p-cpe:/a:freebsd:freebsd:php4-nms, p-cpe:/a:freebsd:freebsd:php5, p-cpe:/a:freebsd:freebsd:php5-cgi, p-cpe:/a:freebsd:freebsd:php5-cli, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/27/2004

Vulnerability Publication Date: 7/7/2004

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2004-0594

BID: 10725