Vigil@nce - Suhosin PHP Extension: buffer overflow via cookie
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
In a special configuration of the Suhosin extension, an attacker can
define a cookie in order to trigger a buffer overflow, leading to a
denial of service and possibly to code execution.
Severity: 2/4
Creation date: 19/01/2012
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The Suhosin extension for PHP is used, for example, to validate
request parameters and to encrypt cookies.
When cookie encryption (suhosin.cookie.encrypt) is enabled, the
suhosin_encrypt_single_cookie() function encrypts each cookie sent by
the PHP code. However, if a cookie contains a null ('\0') character,
the length of an array is computed incorrectly (the value is measured
as a C string, which stops at the null byte), and a buffer overflow
occurs.
In order to set up an attack:
– suhosin.cookie.encrypt has to be set (this is not the default
case), and
– suhosin.multiheader has to be set (this is not the default
case), and
– suhosin.*.disallow_nul has to be unset (this is not the default
case), and
– the attacker has to be able to inject a cookie via the PHP code,
for example through a call such as:
header("Set-Cookie: " . $cookie_controlled_by_the_attacker);
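As an added illustration (written for this page, not Suhosin's code and not part of the bulletin), the C below shows the bug class behind this advisory: a buffer size derived from strlen() disagrees with the real length as soon as the value embeds a null byte, and two defensive patterns, rejecting null bytes up front (the behaviour that suhosin.*.disallow_nul provides) and carrying the explicit length end to end. All function names and the sample cookie are hypothetical.

```c
/* Added illustration of the strlen()-versus-real-length mismatch.
 * Not Suhosin's code; all names and sample values are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy pattern: the caller knows the real length, but the destination
 * size is derived from strlen(), which stops at the first '\0'.
 * Returns how many bytes such a buffer would be short by (0 = safe). */
size_t strlen_shortfall(const char *value, size_t real_len) {
    size_t computed = strlen(value);          /* stops at embedded '\0' */
    return real_len > computed ? real_len - computed : 0;
}

/* Mitigation 1: refuse any value that embeds a null byte, which is the
 * check the disallow_nul options stand for. */
bool cookie_has_nul(const char *value, size_t real_len) {
    return memchr(value, '\0', real_len) != NULL;
}

/* Mitigation 2: size the output from the explicit length, never from
 * strlen(). The "encryption" is a placeholder byte-wise XOR so that the
 * copy is visible. Returns NULL (and sets *out_len to 0) on rejection. */
unsigned char *encode_cookie(const char *value, size_t real_len,
                             unsigned char key, size_t *out_len) {
    *out_len = 0;
    if (cookie_has_nul(value, real_len)) return NULL;   /* reject NUL */
    unsigned char *out = malloc(real_len);               /* real_len, not strlen */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < real_len; i++)
        out[i] = (unsigned char)value[i] ^ key;
    *out_len = real_len;
    return out;
}

int main(void) {
    /* Constructed sample: 12 bytes with a null byte after "sess=abc". */
    const char cookie[] = "sess=abc\0def";
    size_t real_len = sizeof(cookie) - 1;     /* 12, excluding terminator */
    printf("strlen() sees %zu of %zu bytes; buffer would be short by %zu\n",
           strlen(cookie), real_len, strlen_shortfall(cookie, real_len));
    size_t n = 0;
    unsigned char *enc = encode_cookie(cookie, real_len, 0x5a, &n);
    printf("encode_cookie: %s\n", enc ? "accepted" : "rejected (embedded NUL)");
    free(enc);
    return 0;
}
```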
In such a configuration of the Suhosin extension, and with PHP code of
this kind, an attacker can therefore define a cookie in order to
trigger a buffer overflow, leading to a denial of service and possibly
to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Suhosin-PHP-Extension-buffer-overflow-via-cookie-11309