Month Of PHP Bugs

March marks the begining of the MOPB or Month of PHP Bugs. It is the fourth in the series of "Month of" bug releases. Started by HD Moore with his MOBB or Month of Browser Bugs we have seen many other security experts follow suit. The bugs released during the MOPB are diffrent than your average PHP bugs. The bugs are not in web applications but in the PHP core interpreter itself. This presents a major problem to the security of many servers because applications that were once thought secure are now wide open to attack if they implement the vulnerable code in their code base. One such example is phpBB. The bug that effects phpBB is known as the unseralize() bug. This bug is a buffer overflow that if exploited correctly will result in arbitrary code execution. PhpBB (and many other applications) use the unserialize() function in their code when dealing with cookies. This means that if an attacker supplies a malicous cookie to the vulnerable phpBB instalation the attacker can then overflow the buffer allocated for the serialized data and potentially execute his own code inside the apache process for that request. Recently a group of hackers released an exploit for this vulnerability just 5 days after the initial bug was disclosed. The bug builds the 3 megabyte cookie using a trick to slip passed the apache request limitations. Then it uses a "Heap Spray" method to seed the heap with the attackers code. The exploit then forces apache to brute force through the address space until the desired code is run. This exploit is probably one of the most advanced web application exploits ever created. It can be found here: http://metasploit.com/svn/framework3/trunk/modules/exploits/multi/php/php_unserialize_zval_phpbb2.rb