Vigil@nce - Suhosin PHP Extension: buffer overflow via cookie
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
In a special configuration of Suhosin Extension, an attacker can define a cookie, in order to generate a buffer overflow, leading to a denial of service and possibly to code execution.
Severity: 2/4
Creation date: 19/01/2012
IMPACTED PRODUCTS
PHP
DESCRIPTION OF THE VULNERABILITY
The Suhosin extension for PHP is used, for example, to check parameters and to encrypt cookies.
When cookie encryption (suhosin.cookie.encrypt) is enabled, the suhosin_encrypt_single_cookie() function encrypts the cookie sent by the PHP code. However, if the cookie contains a null ('\0') character, the length of an array is incorrectly computed, and a buffer overflow occurs.
In order to set up an attack:
suhosin.cookie.encrypt has to be set (this is not the default case), and
suhosin.multiheader has to be set (this is not the default case), and
suhosin.*.disallow_nul has to be unset (this is not the default case), and
the attacker has to be able to inject a cookie in the PHP code, for example via: header("Set-Cookie: " . $cookie_controlled_by_the_attacker);
In a special configuration of Suhosin Extension and with a special PHP code, an attacker can therefore define a cookie, in order to generate a buffer overflow, leading to a denial of service and possibly to code execution.
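An added example, not part of the Vigil@nce bulletin or of the Suhosin project: a Python check that reads php.ini text and reports whether the three configuration preconditions listed above are all met (the fourth, cookie injection in the PHP code, needs a code review). It assumes the defaults stated in the bulletin and treats any explicitly disabled directive matching suhosin.*.disallow_nul as meeting the third condition; the function names and sample configurations are constructed for illustration.

```python
import fnmatch

# php.ini spellings this check accepts as "enabled"; anything else counts as off.
TRUTHY = {"1", "on", "yes", "true"}

def parse_ini(text):
    """Return {directive: value} from php.ini text; later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if "=" not in line or line.startswith("["):
            continue                          # skip blanks and [section] headers
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def enabled(settings, key, default):
    """Boolean value of a directive, or the given default when it is absent."""
    return settings[key] in TRUTHY if key in settings else default

def audit(text):
    """Check the three configuration preconditions listed in the bulletin."""
    s = parse_ini(text)
    # Assumption: one explicitly disabled suhosin.*.disallow_nul is enough to flag.
    nul_off = sorted(k for k in s
                     if fnmatch.fnmatch(k, "suhosin.*.disallow_nul")
                     and s[k] not in TRUTHY)
    findings = {
        "cookie_encrypt_on": enabled(s, "suhosin.cookie.encrypt", False),
        "multiheader_on": enabled(s, "suhosin.multiheader", False),
        "disallow_nul_off": nul_off,
    }
    findings["exposed_config"] = (findings["cookie_encrypt_on"]
                                  and findings["multiheader_on"]
                                  and bool(nul_off))
    return findings

# Constructed sample configurations (not taken from any real host).
RISKY = """
[suhosin]
suhosin.cookie.encrypt = On   ; non-default
suhosin.multiheader = 1
suhosin.cookie.disallow_nul = Off
"""
SAFE = "suhosin.cookie.encrypt = On\nsuhosin.multiheader = Off\n"

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("SAFE", SAFE)):
        print(name, audit(cfg))
```
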