Buffer Overflow vulnerability in PHP (June 19, 2015)

An integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP allows a remote FTP server to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow (CVE-2015-4022).

The attacker exploits the vulnerability as follows:

  • The target server connects to the attacker's FTP server when the attacker visits the vulnerable page, and sends a LIST command to the attacker's FTP server.

  • The attacker's FTP server sends a malicious response to the target.

As seen in the code, if the response (which is stored in a temporary file) is larger than 2^32, the counters maintained by the loops at lines 1839 and 1841 overflow. The function ftp_genlist() then uses these overflowed variables to calculate the size of, and allocate, a heap buffer. The entire contents of the temporary file are then copied into this undersized heap buffer, resulting in a heap buffer overflow at line 1862. This can lead to a crash of the PHP application or to arbitrary code execution.
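The following C program is an added illustration of the bug class described above, written for this page; it is not PHP's ext/ftp/ftp.c and does not reproduce its exact variables or line numbers. The function and variable names (list_alloc_size_unchecked, list_alloc_size_checked, parse_list_reply, SAMPLE_LIST) are assumptions chosen for the example, and the LIST reply is constructed sample data. It shows the shape of the flaw (32-bit byte and line counters combined into one allocation size without overflow checks, so a reply of roughly 2^32 bytes yields a tiny allocation) next to a hardened computation that checks every step in size_t arithmetic and refuses to allocate when the total would wrap, together with a parser that only copies reply data into a block whose size the checked arithmetic admitted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample LIST reply (two CRLF-terminated entries); not captured traffic. */
static const char SAMPLE_LIST[] =
    "-rw-r--r-- 1 ftp ftp 4096 Jun 19 2015 index.php\r\n"
    "drwxr-xr-x 2 ftp ftp 4096 Jun 19 2015 uploads\r\n";

/* Shape of the vulnerable arithmetic (hypothetical model, not PHP's code):
 * 32-bit byte and line counters folded into one allocation size with no
 * overflow check. uint32_t makes the wrap reproducible on any host. */
uint32_t list_alloc_size_unchecked(uint32_t size, uint32_t lines)
{
    /* pointer table + text + NUL; every step may wrap modulo 2^32 */
    return (uint32_t)((lines + 2u) * (uint32_t)sizeof(char *) + size + 1u);
}

/* Hardened computation: size_t throughout, each step checked before it is
 * performed. Returns false instead of handing back a wrapped, undersized total. */
bool list_alloc_size_checked(size_t size, size_t lines, size_t *out)
{
    if (lines > SIZE_MAX - 2) return false;
    size_t slots = lines + 2;                    /* entries + unterminated tail + NULL */
    if (slots > SIZE_MAX / sizeof(char *)) return false;
    size_t ptrs = slots * sizeof(char *);
    if (size > SIZE_MAX - ptrs) return false;
    size_t total = ptrs + size;
    if (total == SIZE_MAX) return false;         /* room for the terminating NUL */
    *out = total + 1;
    return true;
}

/* Split an in-memory LIST reply into a NULL-terminated table of entry strings
 * kept in one block sized by list_alloc_size_checked(). Returns the entry
 * count, or (size_t)-1 on overflow/allocation failure. Caller frees *entries_out. */
size_t parse_list_reply(const char *reply, size_t len, char ***entries_out)
{
    size_t lines = 0, total, n = 0;
    for (size_t i = 0; i < len; i++)
        if (reply[i] == '\n') lines++;

    if (!list_alloc_size_checked(len, lines, &total)) return (size_t)-1;
    char **entries = malloc(total);
    if (entries == NULL) return (size_t)-1;

    /* The text copy follows the pointer table inside the same allocation and
     * can only be as long as the size the checked arithmetic admitted. */
    char *text = (char *)(entries + lines + 2);
    memcpy(text, reply, len);
    text[len] = '\0';

    char *start = text;
    for (size_t i = 0; i < len; i++) {
        if (text[i] != '\n') continue;
        text[i] = '\0';
        if (i > 0 && text[i - 1] == '\r') text[i - 1] = '\0';  /* strip CR of CRLF */
        entries[n++] = start;
        start = text + i + 1;
    }
    if (start < text + len) entries[n++] = start;  /* final line without '\n' */
    entries[n] = NULL;
    *entries_out = entries;
    return n;
}

/* Wrappers that return plain values so results can be checked without the table. */
size_t parse_count(const char *reply)
{
    char **e;
    size_t n = parse_list_reply(reply, strlen(reply), &e);
    if (n != (size_t)-1) free(e);
    return n;
}

int entry_matches(const char *reply, size_t idx, const char *expected)
{
    char **e;
    size_t n = parse_list_reply(reply, strlen(reply), &e);
    int ok = (n != (size_t)-1 && idx < n && strcmp(e[idx], expected) == 0);
    if (n != (size_t)-1) free(e);
    return ok;
}

int main(void)
{
    /* ~4 GiB reply with about 2^29 lines: the 32-bit arithmetic wraps to 109 bytes */
    printf("unchecked size for huge reply: %u\n", list_alloc_size_unchecked(100u, 0x1FFFFFFFu));
    size_t out;
    printf("checked size for absurd line count: %s\n",
           list_alloc_size_checked(100, SIZE_MAX / sizeof(char *), &out) ? "ok" : "rejected");
    char **entries;
    size_t n = parse_list_reply(SAMPLE_LIST, strlen(SAMPLE_LIST), &entries);
    for (size_t i = 0; i < n; i++) printf("entry %zu: %s\n", i, entries[i]);
    free(entries);
    return 0;
}
```

The unchecked model shows why the counts matter more than the copy: the copy at the end is a plain memcpy of the whole reply, so everything depends on the allocation size having been computed without wrapping. A detection-side corollary is that an FTP LIST reply measured in gigabytes from a single server is itself anomalous and worth alerting on, independent of whether the client is patched.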

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers:

  • IPS 4902: Server Application Shellcode Exploit 20