1

I found an overflow situation in php5.3.10.

Probably it's not 'something new', but if I can understand this, it will help me to find this kind of bug faster in the future.

What can I do to check how/what/where the exploitation occurs?

Steps I've already done are:

  • I've got php5.3.10 on virtual machine installed
  • I run code.php (and here is the sigsegv-situation)
  • I can do 'bt', or 'where' in gdb /usr/bin/php5

... what can/should I do next?

D.W.
  • 98,420
  • 30
  • 267
  • 572
testing
  • 11
  • 1

1 Answers1

4

Compile the php with debugging symbols enabled, run it under valgrind, and see if you can trigger the overflow. Valgrind will give detailed information about the overflow and where it occurs in the source code.

Generating a backtrace via gdb should also help you diagnose the issue.

See also Best way to triage crashes found via fuzzing, on Linux?.

Community
  • 1
D.W.
  • 98,420
  • 30
  • 267
  • 572
  • Wow, this is very good answer, thanks D.W. Can You tell me more about, how can I compile it with debugging symbols (I suppose that I should add to Makefile '-g' - correct me if I'm wrong please). Also any tip for valgrind usage? I've read about this program, but newer used it before to exploit developing. Once again, big thanks! :) – testing Nov 05 '12 at 07:36
  • UPDATE: ok, i've installed it with -g symbols, and I started valgrind with -v --leak-check=full --show-reachable=yes --log-file=valgrind.%p parameters (one of the manuals said that will be good for start). Now I have a few lines to check... if you would like to help me more, feel free to ask. it will be very usefull ;) – testing Nov 05 '12 at 08:10
  • 1
    Yup, that's right, you add `-g` to CFLAGS. (Hopefully the executable doesn't get stripped at some point later.) Some applications come with a "build with debug symbols" option in their Makefile; others require you to do it manually. You won't need `--leak-check` or `--show-reachable`, but they won't do any harm. Now, look through the valgrind warnings (near the end of the log, probably). Odds are you may see a `segv` or an `Invalid write` at the end; that may be your warning. It -- or the gdb backtrace -- should help pinpoint the line of code where the overflow occurred. – D.W. Nov 05 '12 at 11:02
  • D.W. Excellent answer again! Thank you very much. Indeed this two params (--leak-check and --show-reachable) helps me with identifying this (kind of) bug. And as on friend of mine said: this bug is not exploitable. Honestly - I don't know how far is it true, but seems to be, if he said so ;) Anyway, if You want to check it, let me know (could be privately) and I can share this information with You. If you're using valgrind and you want to teach me a little let me know. I will be very glad to get some knowledge from someone with practice:) Anyway, once again very big thanks D.W.! :) – testing Nov 05 '12 at 12:18