PHP’s php_mysqlnd_ok_read() trusts network data which can result in a heap information leak.
Affected versions
Affected are PHP 5.3 versions up to and including 5.3.2.
Credits
The vulnerability was discovered by Stefan Esser while auditing the new Mysqlnd PHP extension.
Detailed information
The new Mysqlnd extension handles the communication with MySQL servers and implements the MySQL wire protocol in the file mysqlnd_wireprotocol.c. While auditing this file several vulnerabilities were discovered. One of them is inside the php_mysqlnd_ok_read() function, which parses the server's OK packet:
    if (packet->header.size > (size_t) (p - buf) && (i = php_mysqlnd_net_field_length(&p))) {
        packet->message = mnd_pestrndup((char *)p, MIN(i, buf_len - (p - begin)), FALSE);
        packet->message_len = i;
    } else {
        packet->message = NULL;
    }
The code above reads the length-encoded message length i from the network buffer and copies the message into a newly allocated message buffer. The copy itself is performed safely: MIN(i, buf_len - (p - begin)) ensures that no more bytes than are actually present in the packet buffer are copied. However, message_len is then set to the network supplied value i instead of the number of bytes that were actually copied. A malicious or compromised MySQL server can therefore announce a message length far larger than the packet contains, and every function that later handles message together with message_len from the packet struct will read past the end of the allocated message buffer. Because only reads are affected, the result is a heap over-read that discloses adjacent heap memory, not memory corruption.
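The following is an added example and not mysqlnd's own code. It models the tail of the OK packet handling shown above in a small C parser with two modes: the vulnerable one records the network supplied length in message_len, the hardened one records the number of bytes actually copied. The names (ok_packet, read_ok_message, sample_over_read) and the sample packet bytes are constructed for this illustration; net_field_length() follows the MySQL length-encoded integer format that php_mysqlnd_net_field_length() decodes, but is a simplified reimplementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reduced model of the message fields of mysqlnd's OK packet. */
typedef struct {
    char  *message;      /* heap copy of the server message */
    size_t message_len;  /* what later consumers believe the length is */
    size_t copied_len;   /* bytes that were really copied into message */
} ok_packet;

/* MySQL length-encoded integer: < 0xfb one byte, 0xfc two, 0xfd three,
 * 0xfe eight bytes little-endian, 0xfb is the NULL marker (simplified:
 * returns 0 and leaves *p untouched on a truncated length field). */
static uint64_t net_field_length(const uint8_t **p, const uint8_t *end)
{
    const uint8_t *q = *p;
    if (q >= end) return 0;
    uint8_t first = *q;
    if (first < 0xfb) { *p = q + 1; return first; }
    if (first == 0xfb) { *p = q + 1; return 0; }
    size_t width = (first == 0xfc) ? 2 : (first == 0xfd) ? 3 : 8;
    if ((size_t)(end - (q + 1)) < width) return 0;
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++) v |= (uint64_t)q[1 + i] << (8 * i);
    *p = q + 1 + width;
    return v;
}

/* buf/buf_len: one OK packet payload; offset: position of the message
 * length field. hardened == 0 reproduces the flaw, hardened == 1 the fix. */
static int read_ok_message(const uint8_t *buf, size_t buf_len, size_t offset,
                           int hardened, ok_packet *out)
{
    out->message = NULL; out->message_len = 0; out->copied_len = 0;
    if (offset > buf_len) return -1;
    const uint8_t *end = buf + buf_len, *p = buf + offset;
    uint64_t i;
    if (p < end && (i = net_field_length(&p, end)) != 0) {
        size_t avail = (size_t)(end - p);             /* buf_len - (p - begin) */
        size_t n = i < avail ? (size_t)i : avail;      /* MIN(i, avail): copy is safe */
        out->message = malloc(n + 1);
        if (!out->message) return -1;
        memcpy(out->message, p, n);
        out->message[n] = '\0';
        out->copied_len = n;
        /* vulnerable: trust the wire value; fixed: record what was copied */
        out->message_len = hardened ? n : (size_t)i;
    }
    return 0;
}

/* Bytes beyond the allocation that a consumer trusting message_len reads. */
static size_t over_read_bytes(const ok_packet *pkt)
{
    return pkt->message_len > pkt->copied_len ? pkt->message_len - pkt->copied_len : 0;
}

/* Constructed sample: the length byte claims 100 bytes, only "hello" follows. */
static const uint8_t SAMPLE_OK_TAIL[] = { 0x64, 'h', 'e', 'l', 'l', 'o' };

/* Parses the constructed sample and returns the resulting over-read. */
static size_t sample_over_read(int hardened)
{
    ok_packet pkt;
    size_t n = 0;
    if (read_ok_message(SAMPLE_OK_TAIL, sizeof SAMPLE_OK_TAIL, 0, hardened, &pkt) == 0)
        n = over_read_bytes(&pkt);
    free(pkt.message);
    return n;
}

/* Parses the constructed sample and returns the recorded message_len. */
static size_t sample_message_len(int hardened)
{
    ok_packet pkt;
    size_t n = 0;
    if (read_ok_message(SAMPLE_OK_TAIL, sizeof SAMPLE_OK_TAIL, 0, hardened, &pkt) == 0)
        n = pkt.message_len;
    free(pkt.message);
    return n;
}

int main(void)
{
    printf("vulnerable: message_len=%zu, over-read=%zu bytes\n",
           sample_message_len(0), sample_over_read(0));
    printf("hardened:   message_len=%zu, over-read=%zu bytes\n",
           sample_message_len(1), sample_over_read(1));
    return 0;
}
```

Running the sample through the vulnerable path yields message_len 100 for a 5-byte allocation, so any consumer that walks message_len bytes reads 95 bytes of adjacent heap; the hardened path records 5 and the over-read disappears. The fix is exactly the one-line change in read_ok_message(): store the MIN() result, never the raw wire value.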
Proof of concept, exploit or instructions to reproduce
Month of PHP Security does not provide a POC for this vulnerability.
Notes
This vulnerability can be fixed by correctly checking the network supplied data: message_len must be set to the number of bytes actually copied (the MIN() value) instead of the length announced by the server.