Yesterday a vulnerability was discovered in the glibc library on Linux, affecting calls into the gethostbyname*() functions.

This vulnerability seems to affect all versions of PHP compiled against affected versions of the glibc library.

Details of the glibc vulnerability can be found at http://www.openwall.com/lists/oss-security/2015/01/27/9, which describes the issue in explicit detail.

When looking through the PHP code, it is apparent that the gethostbyname function defined in ext/standard/dns.c in particular is vulnerable, as it defines the function in the following manner:

This in turn calls into php_gethostbyname(hostname) which is defined as:

Note the call “hp = gethostbyname(name)”. This passes user input directly to the vulnerable glibc function.

This issue also affects the function gethostbynamel, which makes the same call for hp.
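
As an added illustration (not code from PHP or from the original post), the C function below shows the kind of check that can sit in front of such a call, so that unvalidated user input does not reach the resolver. It rejects names that exceed the DNS length limits (253 characters overall, 63 per label), contain an embedded NUL, or use characters outside letters, digits, hyphens and dots. The name `check_hostname`, its return codes and the strict character policy are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN  253   /* longest textual DNS name */
#define MAX_LABEL_LEN 63    /* longest single label */

enum host_check { HOST_OK, HOST_EMPTY, HOST_TOO_LONG, HOST_EMBEDDED_NUL,
                  HOST_BAD_LABEL, HOST_BAD_CHAR };

static int is_alnum_ascii(unsigned char c)  /* locale-independent */
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Hypothetical helper: validate a length-counted, caller-supplied name
 * before it is passed to a resolver call such as gethostbyname(). */
enum host_check check_hostname(const char *name, size_t len)
{
    size_t i, label = 0;   /* label = length of the current label */

    if (name == NULL || len == 0) return HOST_EMPTY;
    if (len > MAX_NAME_LEN)       return HOST_TOO_LONG;
    /* A C resolver only sees the bytes before the first NUL. */
    if (memchr(name, '\0', len))  return HOST_EMBEDDED_NUL;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {            /* label ends: not empty, no trailing '-' */
            if (label == 0 || name[i - 1] == '-') return HOST_BAD_LABEL;
            label = 0;
        } else if (c == '-') {     /* a label may not start with '-' */
            if (label == 0) return HOST_BAD_LABEL;
            label++;
        } else if (is_alnum_ascii(c)) {
            label++;
        } else {
            return HOST_BAD_CHAR;
        }
        if (label > MAX_LABEL_LEN) return HOST_BAD_LABEL;
    }
    return name[len - 1] == '-' ? HOST_BAD_LABEL : HOST_OK;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "example.com"; /* constructed sample */
    printf("%s -> %d\n", name, (int)check_hostname(name, strlen(name)));
    return 0;
}
```

A check like this narrows what reaches the resolver but does not replace updating the affected glibc.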

Following the examples given in the CVE for the glibc issue, executing the following command against PHP triggers the same segmentation fault described.

Testing has shown that, when triggered remotely, this affects PHP running as an Apache module and kills the Apache process along with it, leaving the affected memory vulnerable to exploit.