Eldar Marcussen: August 2009 Archives

Looking to the future with ewts

The recent DeleGate robot.txt User-Agent String Handling Remote Overflow Vulnerability is a perfect example of the type of vulnerability that I hope the Evil Website Testing Suite will eventually be able to expose. This particular vulnerability would not be detected with the current version of ewts, and writing a robots.txt fuzzer isn't at the top of my todo list, but it is on the list. I just saw the vulnerability release and was happy to see that this type of vulnerability does get some exposure.
Honestly, I expected this to be somewhat gracefully handled:

justanotherhacker:~$ cat crash.php
<?php
include('crash.php');
?>
justanotherhacker:~$ php crash.php
Segmentation fault


The backtrace is:
justanotherhacker:~$ gdb php
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) run crash.php
Starting program: /usr/bin/php crash.php
(no debugging symbols found)
<snip>
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
(no debugging symbols found)
(no debugging symbols found)
[New Thread 0xb780e6d0 (LWP 9508)]
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb780e6d0 (LWP 9508)]
0x082874fb in virtual_file_ex ()
(gdb) bt
#0 0x082874fb in virtual_file_ex ()
#1 0x0828fcff in expand_filepath ()
#2 0x082a686b in _php_stream_fopen ()
#3 0x082a6e63 in _php_stream_fopen_with_path ()
#4 0x082a6f83 in ?? ()
#5 0x09a007ec in ?? ()
#6 0x08357b15 in ?? ()
#7 0x08502620 in ?? ()
#8 0xbf09135c in ?? ()
#9 0x00000085 in ?? ()
#10 0x00000001 in ?? ()
#11 0x00000000 in ?? ()

It doesn't appear to be anything more than a potential DoS condition to me, but I could be wrong.
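A small static check, added here as an example and not part of the original post, that builds the include graph of a set of PHP files from literal include/require statements and reports cycles such as the self-include above before they reach a running interpreter. It only follows string-literal paths (dynamic includes built from variables are out of scope) and the sample file contents are constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath

# Literal include/require statements, with or without parentheses or _once.
# Dynamic includes such as include($path) are deliberately not matched.
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+)['\"]\s*\)?\s*;"
)

# Constructed sample corpus: the post's crash.php plus a two-file cycle and a
# file that uses include_once, which PHP evaluates at most once per request.
SAMPLE_FILES = {
    "crash.php": "<?php\ninclude('crash.php');\n?>",
    "a.php": "<?php include 'b.php'; ?>",
    "b.php": "<?php require('a.php'); ?>",
    "safe.php": "<?php include_once 'safe.php'; ?>",
}

def parse_includes(source):
    """Return (target_path, is_once) for each literal include/require."""
    return [(m.group(3), m.group(2) is not None) for m in INCLUDE_RE.finditer(source)]

def build_graph(files):
    """Map each file to the files it includes, resolved relative to its directory.
    *_once edges are dropped because they cannot produce unbounded recursion."""
    graph = {}
    for path, src in files.items():
        base = PurePosixPath(path).parent
        graph[path] = [str(base / t) for t, once in parse_includes(src) if not once]
    return graph

def find_include_cycles(files):
    """Depth-first search; a back edge to a file still on the stack is a cycle.
    Each cycle is returned as the list of files on it, closed with its start."""
    graph = build_graph(files)
    cycles, state = [], {}          # state: "visiting" while on the stack, "done" after
    def visit(node, stack):
        state[node] = "visiting"
        stack.append(node)
        for nxt in graph.get(node, []):
            if state.get(nxt) == "visiting":
                cycles.append(stack[stack.index(nxt):] + [nxt])
            elif nxt not in state:
                visit(nxt, stack)
        stack.pop()
        state[node] = "done"
    for start in graph:
        if start not in state:
            visit(start, [])
    return cycles

if __name__ == "__main__":
    for cycle in find_include_cycles(SAMPLE_FILES):
        print("include cycle:", " -> ".join(cycle))
```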
This weblog is licensed under a Creative Commons License.