Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16275
HistoryMar 06, 2007 - 12:00 a.m.

MOPB-13-2007:PHP 4 Ovrimos Extension Multiple Vulnerabilities

2007-03-0600:00:00
vulners.com
11
JSON

Summary

The Ovrimos extension is an external contributed extension for the Ovrimos SQL Server, which is a client/server, transactional RDBMS combined with Web capabilities and fast transactions.

While looking at the code it was discovered that does not use resources to keep track of connections and internal data structures, but uses direct memory pointers. This is very unsafe and allows direct memory access and code execution.

However the extension is very uncommon and the normal user will have problems compiling it, because the Ovrimos SQL Server development seems to have stopped and the site disappeared.
Affected versions

Affected is PHP <4.4.5
Detailed information

The following code is an example for how the Ovrimos extension is written

PHP_FUNCTION(ovrimos_longreadlen)
{
pval *arg1, *arg2;
PSTATEMENT stmt;

if &#40;getParameters&#40;ht, 2, &amp;arg1, &amp;arg2&#41; == FAILURE&#41; {
    WRONG_PARAM_COUNT;
}
convert_to_long&#40;arg1&#41;;
convert_to_long&#40;arg2&#41;;

stmt = &#40;PSTATEMENT&#41; Z_LVAL_P&#40;arg1&#41;;

stmt-&gt;longreadlen = Z_LVAL_P&#40;arg2&#41;;
RETURN_TRUE;

}

In this example the first parameter is directly taken as a memory pointer to a STATEMENT structure. And then the value of the second argument is written into the longreadlen field of that structure. This of course allows writting any value to any memory address which usually can be exploited to execute arbitrary code.

Consider this only one of multiple different ways to execute code. Other attack vectors might use ovrimos_close() to call efree() on arbitrary memory addresses which also can lead to code execution.
Proof of concept, exploit or instructions to reproduce

To write any value to any memory address through the Ovrimos extension it is enough to the following code.

<?php
$address = 0xbfbfbfbf /* - sizeof SQLS */;
$value = 0xcccccccc;
ovrimos_longreadlen($address, $value);
?>

Notes

Because the code of the Ovrimos extension is completely broken our recommendation was to unbundle it from the PHP source. The number of users is assumed very low but this protects everyone from activating it by mistake.

We are aware that the impact of this issue is very low, but even low impact vulnerabilities belong into a audit report.

JSON