Ubuntu 10.04 LTS

```bash
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-1825/php-4.4.4.tar.gz
tar -xvf php-4.4.4.tar.gz
cd php-4.4.4
./configure --with-imap
make
./sapi/cli/php poc.php
```
- MOPB-40-2007: PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability
- PHP Imap_Mail_Compose() Function Buffer Overflow Vulnerability
- PHP 5.1.6 - 'Imap_Mail_Compose()' Remote Buffer Overflow
The imap_mail_compose() function constructs multipart emails in a fixed-size stack buffer called tmp:

```c
PHP_FUNCTION(imap_mail_compose)
{
    ...
    char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL;
```
When a multipart message is created, the function first reads the BOUNDARY parameter from the caller-supplied input and copies it into the stack buffer with a plain sprintf call, without any size check:

```c
if (bod && bod->type == TYPEMULTIPART) {
    /* first body part */
    part = bod->nested.part;
    /* find cookie */
    for (param = bod->parameter; param && !cookie; param = param->next) {
        if (!strcmp (param->attribute, "BOUNDARY")) {
            cookie = param->value;
        }
    }
    /* yucky default */
    if (!cookie) {
        cookie = "-";
    }
    /* for each part */
    do {
        t=tmp;
        /* build cookie */
        sprintf (t, "--%s%s", cookie, CRLF);
```
Because the boundary string is taken directly from the input parameters, a boundary longer than tmp overflows the stack buffer.
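As an added example (not PHP's own code or its upstream fix), the bounds-checked form of the cookie construction above: the boundary length is checked against the buffer before writing, and the write itself is a bounded snprintf. It assumes c-client's MAILTMPLEN is 1024 and CRLF is "\r\n"; the helper names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values (added example, not PHP's or c-client's own code):
 * c-client's MAILTMPLEN is taken as 1024 and CRLF as "\r\n". */
#define MAILTMPLEN 1024
#define CRLF "\r\n"
#define TMP_SIZE (8 * MAILTMPLEN)   /* same size as PHP's tmp[8 * MAILTMPLEN] */

/* Hardened replacement for `sprintf(t, "--%s%s", cookie, CRLF)`:
 * refuse any boundary that cannot fit, then write with a bounded snprintf.
 * Returns the number of bytes written, or -1 when the boundary is too long. */
int build_boundary_line(char *out, size_t out_size, const char *cookie)
{
    size_t need = 2 + strlen(cookie) + strlen(CRLF) + 1; /* "--", cookie, CRLF, NUL */
    if (need > out_size) {
        return -1;
    }
    int n = snprintf(out, out_size, "--%s%s", cookie, CRLF);
    if (n < 0 || (size_t)n >= out_size) {
        return -1; /* belt and braces: snprintf signalled truncation */
    }
    return n;
}

/* Run a boundary against a stack buffer of exactly PHP's size. */
int check_boundary(const char *cookie)
{
    char tmp[TMP_SIZE];
    return build_boundary_line(tmp, sizeof tmp, cookie);
}

/* Build a constructed boundary of `len` 'A' bytes and check it. */
int try_boundary_of_length(size_t len)
{
    static char cookie[TMP_SIZE + 64];
    if (len >= sizeof cookie) return -2; /* helper's own limit, not the check under test */
    memset(cookie, 'A', len);
    cookie[len] = '\0';
    return check_boundary(cookie);
}

int main(void)
{
    printf("8-byte boundary: %d\n", check_boundary("=_part_1"));              /* 12 */
    printf("one byte too long: %d\n", try_boundary_of_length(TMP_SIZE - 4));  /* -1 */
    return 0;
}
```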