OSVDB ID: 32770

Title: PHP ZVAL Structure Reference Counter Local Overflow

Dates

Disclosure: Mar 01, 2007
Discovery: Unknown
Exploit: Mar 01, 2007
Solution: Unknown

Description

PHP contains a flaw that may allow a malicious local user to bypass restrictions enforced by disable_functions, open_basedir, and safe_mode, or to launch direct local root exploits against the affected system. A PHP application run in PHP 4 can overflow the zend_ushort refcount variable in _zval_struct by creating a large number of references to a specific variable, which results in a double destruction of the underlying variable. The flaw may allow a local attacker to execute arbitrary code within the process executing PHP, resulting in a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. The flaw can be corrected with the following workaround: manually change the size of the reference counter in your own PHP. The drawback of this approach is that you will have to recompile all your PHP extensions and will not be able to use closed source PHP extensions.
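The counter wrap in the Description and the effect of the wider counter named in the workaround can be seen in a small model. This is an added example, not PHP source and not part of the original entry; `toy_zval` and every function name are hypothetical, and the counter width is passed as a parameter (16 for a 16-bit `zend_ushort`, 32 for an enlarged counter).

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not PHP code): a value whose reference
 * counter is `bits` wide. The counter is stored modulo 2^bits. */
struct toy_zval {
    uint32_t refcount;   /* current counter value, already masked */
    uint32_t mask;       /* 2^bits - 1 */
    int destroyed;       /* how many times the destructor ran */
};

static uint32_t mask_for(unsigned bits) {
    return bits >= 32 ? 0xFFFFFFFFu : ((1u << bits) - 1u);
}

/* Taking a reference: wraps silently when the counter is at its maximum. */
static void toy_addref(struct toy_zval *z) {
    z->refcount = (z->refcount + 1u) & z->mask;
}

/* Dropping a reference: the value is destroyed when the counter hits 0,
 * even if holders that the wrapped counter "forgot" still exist. */
static void toy_delref(struct toy_zval *z) {
    z->refcount = (z->refcount - 1u) & z->mask;
    if (z->refcount == 0)
        z->destroyed++;
}

/* Counter value after one owner plus `extra_refs` further references. */
static uint32_t refcount_after(uint32_t extra_refs, unsigned bits) {
    struct toy_zval z = { 1, mask_for(bits), 0 };
    for (uint64_t i = 0; i < extra_refs; i++) toy_addref(&z);
    return z.refcount;
}

/* Destructor runs observed once every holder (owner + extras) lets go. */
static int destructions(uint32_t extra_refs, unsigned bits) {
    struct toy_zval z = { 1, mask_for(bits), 0 };
    for (uint64_t i = 0; i < extra_refs; i++) toy_addref(&z);
    for (uint64_t i = 0; i <= extra_refs; i++) toy_delref(&z);
    return z.destroyed;
}

int main(void) {
    printf("16-bit: refcount=%u destructions=%d\n",
           (unsigned)refcount_after(65536, 16), destructions(65536, 16));
    printf("32-bit: refcount=%u destructions=%d\n",
           (unsigned)refcount_after(65536, 32), destructions(65536, 32));
    return 0;
}
```

With the 16-bit counter the model reports a count of 1 while 65537 holders exist, so the first release destroys the value and the remaining releases wrap the counter back to zero and destroy it a second time.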

Products

The PHP Group

PHP

4.4.6
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.3.x
4.2.x
4.1.x
4.0.x
4.0, Release Candidate 2
4.0, Release Candidate 1
4.0 Beta 4
4.0 Beta 3
4.0 Beta 2
4.0 Beta 1

References

Credit

  • Stefan Esser - sesserhardened-php.net - www.hardened-php.net


Direct URL: http://osvdb.org/36218