J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1545
    posted: 11/19/09
  • NSM Daily Update #1545
    posted: 11/19/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1545
    posted: 11/19/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/19/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/19/09

Title: PHP memory_limit Remote Code Execution Vulnerability

Severity: CRITICAL

Description:

PHP modules compiled with memory_limit support are affected by a remote code-execution vulnerability. This issue occurs because the PHP module fails to properly handle memory_limit request termination.

The problem is reported to present itself when malicious users cause the PHP module to terminate due to the configured memory_limit being reached while critical code is executing.

An attacker can leverage this issue by exploiting the Apache ap_escape_html Memory Allocation Denial Of Service Vulnerability (BID 10619). The attacker can cause premature termination during critical code execution. Note that although the Apache vulnerability is the only known attack vector, there may be other attack vectors that are currently unknown.

To successfully exploit this issue, the attacker must have control over the heap; this is quite likely because user-supplied data causes the configured memory_limit to be reached.

The problem arises because there are various critical code sections within the PHP module that allocate and initialize executable objects on the heap. If the execution is interrupted after allocation has occurred but before initialization has taken place, then an attacker with control over the heap can specify the destructor method pointer. When the memory_limit is reached, PHP aborts and the destructor is executed.

There are many critical code execution segments within the PHP module: sections where Zend HashTables are allocated and initialized, (e.g. within file upload code), when the variables_order is configured such that environment variables denoted by an 'E' are registered last, session-handling code when a session is registered, as well as the register_globals implementation. Other segments might also be present.

Adding to the severity of this issue, memory allocation is reportedly static and quite easily determined, facilitating reliable exploits. Also, the only dynamically sized memory segment within the heap memory of the module is the environment variable array that, if not absent due to the use of a php.ini configuration file, can be determined by servers with open 'phpinfo()' scripts or simply through brute-force techniques.

This issue is reportedly exploitable on all platforms supporting Apache and the PHP module.

Attackers can exploit this issue to execute arbitrary code on an affected computer within the context of the vulnerable application, facilitating unauthorized access.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.03
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X 10.2.1
  • Apple Mac OS X 10.2.2
  • Apple Mac OS X 10.2.3
  • Apple Mac OS X 10.2.4
  • Apple Mac OS X 10.2.5
  • Apple Mac OS X 10.2.6
  • Apple Mac OS X 10.2.7
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.0
  • Apple Mac OS X 10.3.1
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X 10.3.3
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X 10.3.7
  • Apple Mac OS X Server 10.0.0
  • Apple Mac OS X Server 10.1.0
  • Apple Mac OS X Server 10.1.1
  • Apple Mac OS X Server 10.1.2
  • Apple Mac OS X Server 10.1.3
  • Apple Mac OS X Server 10.1.4
  • Apple Mac OS X Server 10.1.5
  • Apple Mac OS X Server 10.2.0
  • Apple Mac OS X Server 10.2.1
  • Apple Mac OS X Server 10.2.2
  • Apple Mac OS X Server 10.2.3
  • Apple Mac OS X Server 10.2.4
  • Apple Mac OS X Server 10.2.5
  • Apple Mac OS X Server 10.2.6
  • Apple Mac OS X Server 10.2.7
  • Apple Mac OS X Server 10.2.8
  • Apple Mac OS X Server 10.3.0
  • Apple Mac OS X Server 10.3.1
  • Apple Mac OS X Server 10.3.2
  • Apple Mac OS X Server 10.3.3
  • Apple Mac OS X Server 10.3.4
  • Apple Mac OS X Server 10.3.5
  • Apple Mac OS X Server 10.3.6
  • Apple Mac OS X Server 10.3.7
  • Avaya Converged Communications Server 2.0.0
  • Avaya Integrated Management
  • Avaya S8300 R2.0.0
  • Avaya S8300 R2.0.1
  • Avaya S8500 R2.0.0
  • Avaya S8500 R2.0.1
  • Avaya S8700 R2.0.0
  • Avaya S8700 R2.0.1
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Compaq Compaq Secure Web Server PHP 1.0.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux ecommerce
  • Conectiva Linux graficas
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 IA-32
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • EnGarde Secure Linux 1.0.1
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0 _rc1
  • Guardian Digital Engarde Secure Linux 1.0.1
  • HP Compaq Secure Web Server for OpenVMS 1.2.0
  • HP Compaq Secure Web Server for OpenVMS 1.3.0
  • HP Compaq Secure Web Server for OpenVMS 2.0.0
  • HP Compaq Secure Web Server for OpenVMS 2.0.0 PHP
  • HP HP-UX B.11.00
  • HP HP-UX B.11.11
  • HP HP-UX B.11.11
  • HP HP-UX B.11.22
  • HP HP-UX B.11.23
  • HP OpenVMS Secure Web Server 7.2.0 -2
  • HP OpenVMS Secure Web Server 7.3.0
  • HP OpenVMS Secure Web Server 7.3.0 -1
  • HP OpenVMS Secure Web Server 7.3.0 -2
  • HP Secure OS software for Linux 1.0.0
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MandrakeSoft Multi Network Firewall 2.0.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • OpenPKG OpenPKG 1.1.0
  • OpenPKG OpenPKG Current
  • PHP PHP 3.0.0.10
  • PHP PHP 3.0.0.11
  • PHP PHP 3.0.0.12
  • PHP PHP 3.0.0.13
  • PHP PHP 3.0.0.16
  • PHP PHP 3.0.00
  • PHP PHP 3.0.1
  • PHP PHP 3.0.10
  • PHP PHP 3.0.11
  • PHP PHP 3.0.12
  • PHP PHP 3.0.13
  • PHP PHP 3.0.14
  • PHP PHP 3.0.15
  • PHP PHP 3.0.16
  • PHP PHP 3.0.17
  • PHP PHP 3.0.18
  • PHP PHP 3.0.2
  • PHP PHP 3.0.3
  • PHP PHP 3.0.4
  • PHP PHP 3.0.5
  • PHP PHP 3.0.6
  • PHP PHP 3.0.7
  • PHP PHP 3.0.8
  • PHP PHP 3.0.9
  • PHP PHP 4.0.0 0
  • PHP PHP 4.0.1
  • PHP PHP 4.0.1 pl1
  • PHP PHP 4.0.1 pl2
  • PHP PHP 4.0.2
  • PHP PHP 4.0.3
  • PHP PHP 4.0.3 pl1
  • PHP PHP 4.0.4
  • PHP PHP 4.0.5
  • PHP PHP 4.0.6
  • PHP PHP 4.0.7
  • PHP PHP 4.0.7 RC1
  • PHP PHP 4.0.7 RC2
  • PHP PHP 4.0.7 RC3
  • PHP PHP 4.1.0 .0
  • PHP PHP 4.1.1
  • PHP PHP 4.1.2
  • PHP PHP 4.2.0 -dev
  • PHP PHP 4.2.0 .0
  • PHP PHP 4.2.1
  • PHP PHP 4.2.2
  • PHP PHP 4.2.3
  • PHP PHP 4.3.0
  • PHP PHP 4.3.1
  • PHP PHP 4.3.2
  • PHP PHP 4.3.3
  • PHP PHP 4.3.5
  • PHP PHP 4.3.6
  • PHP PHP 4.3.7
  • PHP PHP 5.0.0 candidate 1
  • PHP PHP 5.0.0 candidate 2
  • PHP PHP 5.0.0 candidate 3
  • RedHat Desktop 3.0.0
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux WS 3
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 7.3.0 i686
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • RedHat Linux 8.0.0 i686
  • RedHat Linux 9.0.0 i386
  • RedHat Stronghold 4.0.0
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 i386
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.1.0 alpha
  • S.u.S.E. Linux 7.1.0 ppc
  • S.u.S.E. Linux 7.1.0 sparc
  • S.u.S.E. Linux 7.1.0 x86
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.2.0 i386
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.0.0 i386
  • S.u.S.E. Linux 8.1.0
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • Slackware Linux 8.1.0
  • Sun 2800 Workgroup NTT/KOBE 2800WGJ-KOBE 0.0.0
  • Sun Cobalt Control Station 4100CS
  • Sun Cobalt Qube3 4000WG
  • Sun Cobalt Qube3 Japanese 4000WGJ
  • Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
  • Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
  • Sun Cobalt Qube3 w/ Caching and RAID 4100WG
  • Sun Cobalt Qube3 w/Caching 4010WG
  • Sun Cobalt RaQ 550
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ XTR Japanese 3500R-ja
  • Sun Cobalt RaQ4 3001R
  • Sun Cobalt RaQ4 Japanese RAID 3100R-ja
  • Sun Cobalt RaQ4 RAID 3100R
  • Sun LX50
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 1.1.0
  • Trustix Secure Linux 1.2.0
  • Trustix Secure Linux 1.5.0
  • Trustix Secure Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Turbolinux Home
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.