Vigil@nce: PHP, denial of service via zend_strndup
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can make a memory allocation fail inside one of the
PHP functions that call zend_strndup(); the NULL pointer it then
returns is dereferenced, which stops the PHP interpreter.
– Severity: 1/4
– Creation date: 16/01/2012
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The C zend_strndup() function allocates a new buffer and copies a
string of a given length into it. It is called by several PHP
modules/functions:
– ext/soap/php_sdl
– ext/standard/syslog
– ext/standard/browscap
– ext/oci8/oci8
– ext/com_dotnet/com_typeinfo
– main/php_open_temporary_file
– etc.
When the allocation fails, zend_strndup() returns a NULL pointer.
However, the modules listed above use the returned pointer without
checking whether it is NULL.
A local attacker can therefore make a memory allocation fail inside
one of the PHP functions that call zend_strndup(); the NULL pointer
is then dereferenced, which stops the PHP interpreter.
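The following C program is an added illustration of the unchecked-return pattern described above; it is not PHP source and not part of the Vigil@nce bulletin. It models the zend_strndup() contract with a hypothetical function named example_strndup(), uses a constructed allocator hook (alloc_limit / checked_malloc) so that an allocation failure can be reproduced deterministically offline, and puts an unchecked caller next to a hardened one. The sample input string is constructed for the demonstration.

```c
/* Added example, not PHP code: models the zend_strndup() NULL-return
 * pattern from the bulletin with a fault-injecting allocator. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fault-injection knob: any allocation larger than this
 * many bytes is treated as an out-of-memory condition. */
static size_t alloc_limit = (size_t)-1;

void set_alloc_limit(size_t limit) { alloc_limit = limit; }

static void *checked_malloc(size_t n) {
    if (n > alloc_limit)
        return NULL;            /* simulated allocation failure */
    return malloc(n);
}

/* Same contract as zend_strndup(): copy at most n bytes of s into a
 * fresh NUL-terminated buffer, or return NULL when allocation fails. */
char *example_strndup(const char *s, size_t n) {
    size_t len = 0;
    while (len < n && s[len] != '\0')   /* never read past the input */
        len++;
    char *p = checked_malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, s, len);
    p[len] = '\0';
    return p;
}

/* Unchecked caller: the pattern the bulletin describes. When the copy
 * fails, `copy` is NULL and strlen() dereferences it, crashing the
 * process. Only call this while allocations succeed. */
size_t unchecked_caller(const char *input, size_t n) {
    char *copy = example_strndup(input, n);
    size_t len = strlen(copy);          /* NULL dereference on failure */
    free(copy);
    return len;
}

/* Hardened caller: test the return value and fail closed, returning -1
 * instead of touching a NULL pointer. */
long checked_caller(const char *input, size_t n) {
    char *copy = example_strndup(input, n);
    if (copy == NULL)
        return -1;                      /* propagate the error */
    long len = (long)strlen(copy);
    free(copy);
    return len;
}

int main(void) {
    const char *sample = "constructed sample input";   /* constructed */

    set_alloc_limit((size_t)-1);        /* allocations succeed */
    printf("unchecked caller, success path: %zu\n",
           unchecked_caller(sample, 11));
    printf("checked caller, success path: %ld\n",
           checked_caller(sample, 11));

    set_alloc_limit(4);                 /* a 12-byte copy now fails */
    printf("checked caller under allocation failure: %ld\n",
           checked_caller(sample, 11));
    /* unchecked_caller(sample, 11) here would dereference NULL and
     * terminate the process, which is the denial of service. */
    return 0;
}
```

The fix for each affected call site is the same as in checked_caller(): test the pointer returned by zend_strndup() before using it and return an error to the caller when it is NULL.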
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-denial-of-service-via-zend-strndup-11283