Newsgroups: php.internals
Xref: news.php.net php.internals:29642
Message-ID: <39310.216.230.84.67.1179780581.squirrel@www.l-i-e.com>
In-Reply-To: <46515417.3030904@hardened-php.net>
References: <465022BE.1020905@hardened-php.net> <7d5a202f0705201415s71982fd2jb61b8bffbb7ba6de@mail.gmail.com> <46513546.5000303@zend.com> <7d5a202f0705202303s2ff4d0cdg1157c1e245c3c2e4@mail.gmail.com> <46513745.7030701@zend.com> <000001c79b71$543e0970$fcba1c50$@com> <46513E93.5000902@hardened-php.net> <465140BE.8050502@zend.com> <4651454B.4080000@hardened-php.net> <465149FE.4070100@zend.com> <46515417.3030904@hardened-php.net>
Date: Mon, 21 May 2007 15:49:41 -0500 (CDT)
To: "Stefan Esser"
Cc: "Alexey Zakhlestin", "PHP internals"
Subject: Re: [PHP-DEV] Dismantling the lies...
From: ceo@l-i-e.com ("Richard Lynch")

On Mon, May 21, 2007 3:11 am, Stefan Esser wrote:
> For example to get around non-executable HEAP situation you first need to
> poke the right offsets in memory to "reenable" the dl() function (NOT possible
> with plain PHP code), find some writeable diskspace, dump a shared library
> there and load it. From there you can execute whatever kernel exploit you want,
> to get for example out of the chroot, to disable SELINUX...

So...

If I'm understanding this correctly (and that's definitely debatable), there seems to be an awfully large "hole" there of being able to poke random bits of RAM.

The rest of it seems to me like something your average Bad Guy can do:

  find writable diskspace
  dump shared lib there
  dl() it
  Game Over

I mean, jeez, *I* could write code to do that...

Except for that poking values into random bits of RAM part...

So, really, if a Bad Guy has access to poke random values into your RAM, is PHP even relevant to this hack?...

Seems like they'd be able to just load their .so file and JMP to it, without PHP being involved at all.

Or just poke in a few bits to alter some oft-used library, and wait a few seconds.

I'm *NOT* saying that it's not a good idea to fix the bugs in PHP and provide for defense in depth if appropriate.

I'm just asking if, perhaps, the random poke into RAM doesn't make any of the other steps kind of moot anyway...

It seems to me like you have a pre-requisite for the hack that makes PHP issues non-issues.

PS
For the record: I dunno why you left, but the MOPB ombudsman-like approach of a security audit is a GOOD THING, imho, so I would like to see that work continue to YOPB :-) [Y == Year]

Even if not all the issues are seen the same way you see them, and are not fixed the way you want them fixed, it's ALWAYS a good idea to review the security and at least consider alternative viewpoints and potential solutions.

PPS
If you're posting from @hardened-php.net, but miffed about the inability to use the name, the sniping about that seems a bit "off" to the naive reader...

I think you should have been allowed to keep using the name, but there it is.

Maybe re-subscribe under a Suhosin address? :-) :-) :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?