PHP's php_mysqlnd_auth_write() does not check user-supplied values, which can result in a stack-based buffer overflow.
Affected versions
Affected is PHP 5.3 <= 5.3.2
Credits
The vulnerability was discovered by Stefan Esser while auditing the new Mysqlnd PHP extension.
Detailed information
The new Mysqlnd extension handles communication with mysql servers and implements the mysql protocol in the file mysqlnd_wireprotocol.c. While auditing this file, several vulnerabilities were discovered. One of them is inside the php_mysqlnd_auth_write() function.
    p += 23;                              /* skip the fixed packet header */
    if (!packet->send_half_packet) {
        len = strlen(packet->user);       /* length taken from user input */
        memcpy(p, packet->user, len);     /* no check that len fits in the stack buffer */
        ...
The code above is executed when a connection with the mysql server is established and the auth packet is created on the client side. The auth packet is created without any kind of security check. Therefore an overlong username or database name in a mysql_connect() or mysqli_connect() call will result in a stack-based buffer overflow. With recent gcc versions, an overflow through the user name is prevented by the compiler's security features. However, the database name can still be used to overflow the buffer in this case.
Proof of concept, exploit or instructions to reproduce
Month of PHP Security does not provide a POC for this vulnerability.
Notes
This vulnerability can be fixed by correctly checking the length of user input before copying it into a stack-based buffer.
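As an added example (not code from the advisory or from PHP's mysqlnd source), the following C functions show the kind of length check the note describes: every name is validated against both a per-field cap and the remaining space in the destination before memcpy() runs, and the packet builder fails cleanly instead of writing past the buffer. The header size of 23 bytes follows the "p += 23" skip above; the name cap, the buffer size and the packet layout are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed sizes for this example: the real mysqlnd packet layout and
 * buffer size are not given in the advisory. */
#define AUTH_HEADER_LEN 23      /* matches the "p += 23" skip in the advisory */
#define MAX_NAME_LEN    64      /* illustrative cap on user and db name length */
#define AUTH_BUF_LEN    256     /* illustrative stack buffer size */

/* Append s as a NUL-terminated string at buf[*pos], refusing if s is
 * longer than max_len or would not fit in cap bytes. Returns 1 on
 * success, 0 if rejected; on rejection nothing is written. */
static int append_bounded(char *buf, size_t cap, size_t *pos,
                          const char *s, size_t max_len)
{
    size_t len = strlen(s);
    if (len > max_len)             /* reject overlong names outright */
        return 0;
    if (*pos + len + 1 > cap)      /* reject if the copy would overflow buf */
        return 0;
    memcpy(buf + *pos, s, len);
    buf[*pos + len] = '\0';
    *pos += len + 1;
    return 1;
}

/* Build a simplified auth packet (header, user, optional db) into a
 * caller-supplied buffer of cap bytes. Returns the number of bytes
 * written, or -1 if user or db would not fit. */
long build_auth_packet(char *buf, size_t cap, const char *user, const char *db)
{
    size_t pos = AUTH_HEADER_LEN;
    if (cap < AUTH_HEADER_LEN)
        return -1;
    memset(buf, 0, AUTH_HEADER_LEN);   /* placeholder header bytes */
    if (!append_bounded(buf, cap, &pos, user, MAX_NAME_LEN))
        return -1;
    if (db && !append_bounded(buf, cap, &pos, db, MAX_NAME_LEN))
        return -1;
    return (long)pos;
}

/* Wrapper using a fixed stack buffer, as the vulnerable code does;
 * returns the packet length or -1 when a name is rejected. */
long auth_packet_len(const char *user, const char *db)
{
    char packet[AUTH_BUF_LEN];
    return build_auth_packet(packet, sizeof packet, user, db);
}

/* Check helper: returns 1 if a user name of n bytes is rejected, 0 if it
 * is accepted, -1 if n is too large for the constructed test name. */
int rejects_user_of_len(size_t n)
{
    char name[1024];               /* constructed input for the check */
    if (n >= sizeof name)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    return auth_packet_len(name, "db") == -1;
}
```

The important design point is that the rejection happens before any byte is copied, and that the check compares against the remaining space in the destination rather than only against a per-field maximum, so the same helper stays safe when further fields are appended after the database name.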