* Charles Fol:
> Hello all,
>
> Although very late, here is a follow up explaining the impact of the
> vulnerability.
>
> Provided that you can force an application to convert a partially
> controlled buffer to ISO-2022-CN-EXT, you get an overflow of 1 to 3
> bytes whose value you don't control.
>
> This can be triggered in at least two ways in PHP:
>
> - Through direct calls to iconv()
> - Through the use of PHP filters (i.e. using a "file read" vulnerability)
>
> Due to the way PHP's heap is built, you can use such a memory
> corruption to alter part of a free list pointer, which can in turn
> give you an arbitrary write primitive in the program's memory.
>
> With this bug, any person that has a file read vulnerability with a
> controlled prefix on a PHP application has RCE.
Out of curiosity, why would PHP translate a file to ISO-2022-CN-EXT while
reading it? It's not even an ASCII-transparent charset.

Thanks,
Florian
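For a defender, the practical takeaway from the thread is that the second trigger (PHP filters reaching iconv) leaves a visible trace in web server logs: a request parameter carrying a `php://filter` wrapper with a `convert.iconv.*` step whose target charset is ISO-2022-CN-EXT. The following is an added detection example, not code from the thread or from any of the projects mentioned in it. It parses combined-format access log lines (constructed sample lines are embedded), percent-decodes request targets repeatedly so double-encoded parameters are still matched, and reports which indicators each suspicious request carries. The log format, regexes and sample addresses are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Indicators drawn from the thread: the php://filter wrapper, a convert.iconv
# step inside it, and the ISO-2022-CN-EXT target charset. The charset pattern is
# deliberately tolerant of case and separator variations.
FILTER_WRAPPER = re.compile(r"php://filter", re.IGNORECASE)
ICONV_FILTER = re.compile(r"convert\.iconv\.", re.IGNORECASE)
TARGET_CHARSET = re.compile(r"ISO[-_]?2022[-_]?CN[-_]?EXT", re.IGNORECASE)

# Combined log format (assumed): ip ident user [ts] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded values are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(raw_target):
    """Return the list of indicators present in one request target (path + query)."""
    decoded = decode_fully(raw_target)
    findings = []
    if FILTER_WRAPPER.search(decoded):
        findings.append("php-filter-wrapper")
        if ICONV_FILTER.search(decoded):
            findings.append("convert.iconv-chain")
    if TARGET_CHARSET.search(decoded):
        findings.append("iso-2022-cn-ext")
    return findings


def scan_access_log(lines):
    """Return (ip, target, findings) for every parseable line that shows an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


# Constructed sample log lines (addresses from the documentation range 203.0.113.0/24).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /index.php?page=php://filter/convert.iconv.UTF-8.ISO-2022-CN-EXT/resource=data.txt HTTP/1.1" 200 1024',
    # Double percent-encoded variant of the same wrapper.
    '203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /index.php?page=%2570hp%3A%2F%2Ffilter%2Fconvert.iconv.utf-8.iso-2022-cn-ext%2Fresource%3Dnotes.txt HTTP/1.1" 200 1024',
    # Charset named directly as a parameter of a hypothetical conversion endpoint.
    '203.0.113.11 - - [10/May/2024:12:00:04 +0000] "POST /convert.php?to=ISO-2022-CN-EXT HTTP/1.1" 200 64',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for ip, target, findings in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(findings)}")
```

Requests that only name the charset (the last parseable sample line) are reported too, because direct `iconv()` calls are the thread's first trigger and the application, not the wrapper syntax, decides how a charset parameter is used; a reviewer can then check whether that endpoint converts attacker-influenced input.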