=== Vulnerability ===
PHP 5.3.3 (Possible All versions) ibase_gen_id() off-by-one overflow
=== Author ===
cb
=== Description ===
User-supplied variable "generator" copied to 128 byte buffer "query"
size of query variable. So
its cause off-by-one overflow. You can see [1] snprintf copy statement
to "query" variable.
/* {{{ proto int ibase_gen_id(string generator [, int increment [,
resource link_identifier ]])
Increments the named generator and returns its new value */
PHP_FUNCTION(ibase_gen_id)
{
zval *link = NULL;
char query[128], *generator;
int gen_len;
long inc = 1;
ibase_db_link *ib_link;
ibase_trans *trans = NULL;
XSQLDA out_sqlda;
ISC_INT64 result;
RESET_ERRMSG;
if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,
"s|lr", &generator, &gen_len,
&inc, &link)) {
RETURN_FALSE;
}
PHP_IBASE_LINK_TRANS(link, ib_link, trans);
[1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
rdb$database", generator, inc);
...
}
=== Patch ===
Replace [1] with [2].
--- [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
rdb$database", generator, inc);
+++ [2] snprintf(query, sizeof(query) - 1 "SELECT GEN_ID(%s,%ld)
FROM rdb$database", generator, inc);
===========================================================================
Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14678.zip (ibase_gen_id_poc.zip)
