PHP 5.3.3 – ‘ibase_gen_id()’ Off-by-One Overflow

• Exploit Database
• 31 阅读

• 作者： Canberk BOLAT
  日期： 2010-08-18
• 类别：

  • dos
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/14678/

• === Vulnerability ===
  PHP 5.3.3 (Possible All versions) ibase_gen_id() off-by-one overflow
  
  === Author ===
  cb
  
  === Description ===
  User-supplied variable "generator" copied to 128 byte buffer "query"
  size of query variable. So
  its cause off-by-one overflow. You can see [1] snprintf copy statement
  to "query" variable.
  
  /* {{{ proto int ibase_gen_id(string generator [, int increment [,
  resource link_identifier ]])
   Increments the named generator and returns its new value */
  PHP_FUNCTION(ibase_gen_id)
  {
  	zval *link = NULL;
  	char query[128], *generator;
  	int gen_len;
  	long inc = 1;
  	ibase_db_link *ib_link;
  	ibase_trans *trans = NULL;
  	XSQLDA out_sqlda;
  	ISC_INT64 result;
  
  	RESET_ERRMSG;
  
  	if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,
  "s|lr", &generator, &gen_len,
  			&inc, &link)) {
  		RETURN_FALSE;
  	}
  
  	PHP_IBASE_LINK_TRANS(link, ib_link, trans);
  	
  	[1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
  rdb$database", generator, inc);
  ...
  }	
  
  === Patch ===
  	Replace [1] with [2].
  	
  	--- [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
  rdb$database", generator, inc);
  	+++ [2] snprintf(query, sizeof(query) - 1"SELECT GEN_ID(%s,%ld)
  FROM rdb$database", generator, inc);
  
  ===========================================================================
  Download:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14678.zip (ibase_gen_id_poc.zip)