MOPS-2010-059: PHP php_mysqlnd_auth_write() Stack Buffer Overflow Vulnerability

May 31st, 2010

PHP’s php_mysqlnd_auth_write() does not check user-supplied values, which can result in a stack-based buffer overflow.

Affected versions

PHP 5.3 up to and including 5.3.2 is affected.

Credits

The vulnerability was discovered by Stefan Esser while auditing the new Mysqlnd PHP extension.

Detailed information

The new Mysqlnd extension handles communication with MySQL servers and implements the MySQL protocol in the file mysqlnd_wireprotocol.c. While auditing this file, several vulnerabilities were discovered; one of them is inside the php_mysqlnd_auth_write() function.

memset(p, 0, 23); /* filler */
p+= 23;

if (!packet->send_half_packet) {
    len = strlen(packet->user);     /* length taken from user-controlled data */
    memcpy(p, packet->user, len);   /* copied into the stack buffer without a bounds check */
    ...

The code above is executed when a connection to the MySQL server is established and the auth packet is created on the client side. The auth packet is built without any kind of security check, so an overlong username or database name in a mysql_connect() or mysqli_connect() call results in a stack-based buffer overflow. With recent gcc versions, the compiler's security features make the overflow through the user name impossible; however, the database name still allows the buffer to be overflowed in this case.

Proof of concept, exploit or instructions to reproduce

Month of PHP Security does not provide a POC for this vulnerability.

Notes

This vulnerability can be fixed by correctly length-checking user input before copying it into a stack-based buffer.
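The following is an added example, not code from PHP's mysqlnd or from the advisory: it mirrors the filler-plus-name layout of the snippet in the detailed information section and applies the length checks this note calls for, rejecting any name that would not fit. The buffer size, the MAX_NAME_LEN limit and the sample inputs are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes for illustration; not the real mysqlnd packet layout. */
#define AUTH_BUF_SIZE 128
#define MAX_NAME_LEN  32   /* hypothetical upper bound for user/db names */

/* Length of s, never scanning past max bytes (do not trust strlen on hostile input). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}
/* Copy a NUL-terminated name to *pp only if it fits both MAX_NAME_LEN and the
 * space left in the buffer. Returns 0 on success, -1 if the copy would overflow. */
static int put_name(unsigned char **pp, size_t *remaining, const char *name)
{
    size_t len = bounded_len(name, MAX_NAME_LEN + 1);
    if (len > MAX_NAME_LEN || len + 1 > *remaining) return -1;
    memcpy(*pp, name, len);
    (*pp)[len] = '\0';
    *pp += len + 1;
    *remaining -= len + 1;
    return 0;
}
/* Hardened counterpart of the advisory's snippet: the 23-byte filler and both
 * names are written with explicit bounds checks. Returns bytes written, or -1. */
int build_auth_packet(unsigned char *buf, size_t buf_size, const char *user, const char *db)
{
    unsigned char *p = buf;
    size_t remaining = buf_size;
    if (remaining < 23) return -1;
    memset(p, 0, 23);                  /* filler, as in the original code */
    p += 23; remaining -= 23;
    if (put_name(&p, &remaining, user) != 0) return -1;   /* user name */
    if (put_name(&p, &remaining, db) != 0) return -1;     /* database name */
    return (int)(p - buf);
}

/* Constructed inputs: a normal login, a 40-byte database name (over the name limit),
 * and a 20-byte name that exceeds what is left in a deliberately small buffer. */
int demo_normal(void)      { unsigned char b[AUTH_BUF_SIZE]; return build_auth_packet(b, sizeof b, "root", "test"); }
int demo_overlong_db(void) { unsigned char b[AUTH_BUF_SIZE]; char db[41]; memset(db, 'A', 40); db[40] = 0;
                             return build_auth_packet(b, sizeof b, "root", db); }
int demo_small_buffer(void){ unsigned char b[40]; char db[21]; memset(db, 'B', 20); db[20] = 0;
                             return build_auth_packet(b, sizeof b, "root", db); }

/* prints normal=33 overlong_db=-1 small=-1 */
int main(void) { printf("normal=%d overlong_db=%d small=%d\n", demo_normal(), demo_overlong_db(), demo_small_buffer()); return 0; }
```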
