FreeBSD : php -- memory_limit related vulnerability (dd7aa4f1-102f-11d9-8a8a-000c41e2cdad)
Medium Nessus Plugin ID 19143
SynopsisThe remote FreeBSD host is missing one or more security-related updates.
DescriptionStefan Esser of e-matters discovered a condition within PHP that may lead to remote execution of arbitrary code. The memory_limit facility is used to notify functions when memory contraints have been met.
Under certain conditions, the entry into this facility is able to interrupt functions such as zend_hash_init() at locations not suitable for interruption. The result would leave these functions in a vulnerable state.
An attacker that is able to trigger the memory_limit abort within zend_hash_init() and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer. [...]
All mentioned places outside of the extensions are quite easy to exploit, because the memory allocation up to those places is deterministic and quite static throughout different PHP versions.
Because the exploit itself consist of supplying an arbitrary destructor pointer this bug is exploitable on any platform.
SolutionUpdate the affected packages.