Vendor: PHP
Author: cb
CVSS: 7.5 (HIGH)
CWE: 119 (Off-by-one overflow)
Product Name: PHP
Affected Version From: 5.3.3
Affected Version To: All versions
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

PHP 5.3.3 (Possible All versions) ibase_gen_id() off-by-one overflow

The user-supplied variable 'generator' is copied into the 128-byte buffer 'query', causing an off-by-one overflow. The vulnerable statement is the snprintf call that copies 'generator' into 'query'.

Mitigation:

Replace the vulnerable snprintf call with one that limits the write into the 'query' variable to 127 bytes.

Exploit-DB raw data:

=== Vulnerability ===
PHP 5.3.3 (Possible All versions) ibase_gen_id() off-by-one overflow

=== Author ===
cb

=== Description ===
The user-supplied variable "generator" is copied to the 128-byte buffer "query", bounded only by the size of the "query" variable, so it causes an off-by-one overflow. See the snprintf copy statement at [1] that writes into the "query" variable.

/* {{{ proto int ibase_gen_id(string generator [, int increment [, resource link_identifier ]])
   Increments the named generator and returns its new value */
PHP_FUNCTION(ibase_gen_id)
{
	zval *link = NULL;
	char query[128], *generator;
	int gen_len;
	long inc = 1;
	ibase_db_link *ib_link;
	ibase_trans *trans = NULL;
	XSQLDA out_sqlda;
	ISC_INT64 result;

	RESET_ERRMSG;

	if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|lr", &generator, &gen_len, &inc, &link)) {
		RETURN_FALSE;
	}

	PHP_IBASE_LINK_TRANS(link, ib_link, trans);

	[1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);
...
}
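To see what the copy at [1] does with a generator name longer than the buffer, here is an added C harness (not part of the advisory and not PHP's code) that mirrors the statement with the same 128-byte 'query' buffer, a guard byte placed directly after it, and a constructed generator of chosen length. It runs the statement with both the [1] size argument (sizeof(query)) and the [2] one (sizeof(query) - 1) and reports snprintf's return value, the resulting string length, and whether the guard byte was touched. It uses the host C library's snprintf rather than PHP's bundled ap_php_snprintf; the names run_copy, full_length, copied_length and guard_intact are the harness's own.

```c
#include <stdio.h>
#include <string.h>

/* Added harness (not PHP's code): reproduces the bounded copy at [1] with
 * the same 128-byte 'query' buffer and a constructed generator name, and
 * reports what snprintf did. 'bound' is the size argument under test:
 * sizeof(query) for form [1], sizeof(query) - 1 for form [2]. */

#define QUERY_SIZE 128
#define GUARD_BYTE 0x5A

struct copy_result {
    int ret;       /* snprintf return value: length the untruncated string would have */
    int copied;    /* strlen() of the resulting buffer, or -1 if no NUL inside it */
    int guard_ok;  /* 1 if the guard byte placed right after 'query' is untouched */
};

static struct copy_result run_copy(size_t gen_len, size_t bound)
{
    /* The guard byte sits directly after the buffer (no padding between two
     * char members), so a single-byte overrun would overwrite it. */
    struct { char query[QUERY_SIZE]; char guard; } buf;
    char generator[512];
    struct copy_result r;

    if (gen_len > sizeof(generator) - 1) {
        gen_len = sizeof(generator) - 1;
    }
    memset(generator, 'G', gen_len);    /* constructed attacker-chosen name */
    generator[gen_len] = '\0';

    memset(buf.query, 'A', QUERY_SIZE); /* no NUL inside: makes termination visible */
    buf.guard = GUARD_BYTE;

    /* The statement under test, as in [1]/[2], with inc fixed to 1. */
    r.ret = snprintf(buf.query, bound, "SELECT GEN_ID(%s,%ld) FROM rdb$database",
                     generator, 1L);

    r.copied = memchr(buf.query, '\0', QUERY_SIZE) ? (int)strlen(buf.query) : -1;
    r.guard_ok = (buf.guard == GUARD_BYTE);
    return r;
}

/* Single-value accessors, convenient for assertions. */
int full_length(size_t gen_len, size_t bound)   { return run_copy(gen_len, bound).ret; }
int copied_length(size_t gen_len, size_t bound) { return run_copy(gen_len, bound).copied; }
int guard_intact(size_t gen_len, size_t bound)  { return run_copy(gen_len, bound).guard_ok; }

int main(void)
{
    size_t lens[] = { 10, 100, 200 };
    size_t i;
    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        struct copy_result a = run_copy(lens[i], QUERY_SIZE);     /* form [1] */
        struct copy_result b = run_copy(lens[i], QUERY_SIZE - 1); /* form [2] */
        printf("generator %3zu bytes: [1] ret=%d copied=%d guard=%d | "
               "[2] ret=%d copied=%d guard=%d\n",
               lens[i], a.ret, a.copied, a.guard_ok, b.ret, b.copied, b.guard_ok);
    }
    return 0;
}
```

Under C99 semantics snprintf writes at most bound - 1 characters and always terminates the buffer, so the harness reports a truncated length and an untouched guard byte for both forms; the return value (the length the full statement would have had) is what a defensive version of the function should compare against the buffer size, so that a truncated GEN_ID statement is rejected instead of being sent to the server.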

=== Patch ===
	Replace [1] with [2].
	
	--- [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
rdb$database", generator, inc);
	+++ [2] snprintf(query, sizeof(query) - 1  "SELECT GEN_ID(%s,%ld)
FROM rdb$database", generator, inc);
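Review bot: the replacement at [2] drops the comma between `sizeof(query) - 1` and the format string, so `snprintf(query, sizeof(query) - 1  "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);` does not compile as written; it needs `sizeof(query) - 1, "SELECT GEN_ID(%s,%ld) FROM rdb$database", ...`. Separately, the size argument of snprintf already bounds the write to size - 1 characters plus the terminating NUL, so passing `sizeof(query) - 1` only shortens the usable statement to 126 characters rather than changing what is written past `query`; the change should be accompanied by a test with a generator name longer than the buffer that confirms [1] actually overruns, and by a check of the snprintf return value against `sizeof(query)` so that an overlong generator name is rejected instead of a silently truncated SQL statement being sent to the server.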

===========================================================================
Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14678.zip (ibase_gen_id_poc.zip)