On Mon, May 21, 2007 3:11 am, Stefan Esser wrote:
> For example to get around non-executable HEAP situation you first need to
> poke the right offsets in memory to "reenable" the dl() function (NOT possible
> with plain PHP code), find some writeable diskspace, dump a shared library
> there and load it. From there you can execute whatever kernel exploit you want,
> to get for example out of the chroot, to disable SELINUX...
So... If I'm understanding this correctly (and that's definitely debatable), there seems to be an awfully large "hole" there of being able to poke random bits of RAM.

The rest of it seems to me like something your average Bad Guy can do:

find writable diskspace
dump shared lib there
dl() it
Game Over

I mean, jeez, *I* could write code to do that... Except for that poking values into random bits of RAM part...

So, really, if a Bad Guy has access to poke random values into your RAM, is PHP even relevant to this hack?... Seems like they'd be able to just load their .so file and JMP to it, without PHP being involved at all. Or just poke in a few bits to alter some oft-used library, and wait a few seconds.

I'm *NOT* saying that it's not a good idea to fix the bugs in PHP and provide for defense in depth if appropriate. I'm just asking if, perhaps, the random poke into RAM doesn't make any of the other steps kind of moot anyway... It seems to me like you have a prerequisite for the hack that makes PHP issues non-issues.

PS For the record: I dunno why you left, but the MOPB ombudsman-like approach of a security audit is a GOOD THING, imho, so I would like to see that work continue to YOPB :-) [Y == Year] Even if not all the issues are seen the same way you see them, and are not fixed the way you want them fixed, it's ALWAYS a good idea to review the security and at least consider alternative viewpoints and potential solutions.

PPS If you're posting from @hardened-php.net, but miffed about the inability to use the name, the sniping about that seems a bit "off" to the naive reader... I think you should have been allowed to keep using the name, but there it is. Maybe re-subscribe under Suhosin address? :-) :-) :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php