In June 2024, a new vulnerability, CVE-2024-8932, was disclosed in PHP’s ldap_escape() function. If you’re running PHP 8.1 (before 8.1.31), 8.2 (before 8.2.26) or 8.3 (before 8.3.14) on a 32-bit system, you could be at risk. By passing overly long strings, it’s possible to cause integer overflows which lead to out-of-bounds writes—crashes and potentially remote code execution.
This article walks you through what happened, how you can test for it, and how to protect your applications.
The Vulnerability: Integer Overflow Explained
The bug is in PHP’s ldap_escape() function, used to safely encode values for usage with LDAP queries.
On 32-bit systems, the function miscalculates buffer sizes for very large input strings. When a long string is fed to the function, the calculation of the output buffer wraps around (integer overflow), causing PHP to write outside the buffer’s boundaries (out-of-bounds write).
Out-of-bounds writes are dangerous: they might merely crash your program, or in some serious cases, allow attackers to execute arbitrary code by corrupting memory.
8.3.x before 8.3.14
Only 32-bit builds are vulnerable. Most production servers are 64-bit—however, 32-bit is still in use in embedded and legacy environments.
Technical Details
Let’s see why the overflow happens with a simplified example.
Here’s the vulnerable bit in C from the PHP source
size_t maxlen = input_len * 3 + 1;
char *result = emalloc(maxlen);
If input_len is very large (think: 1.5 GB, which is x60000000 bytes), on 32-bit this calculation overflows size_t (max 4GB).
maxlen = x60000000 * 3 + 1 = x120000001 (48,000,000,001, overflows to x20000001, 536,870,913)
The buffer is way too small! Later, writing more bytes than allocated leads to memory corruption.
*On 64-bit systems, size_t is big enough to avoid this.*
Here is a PHP proof of concept (POC) illustrating an out-of-bounds write scenario
<?php
// Only works on 32-bit PHP!
$bigstr = str_repeat('A', x60000000); // ~1.5GB
ldap_escape($bigstr, null, LDAP_ESCAPE_FILTER);
?>
When run on a 32-bit PHP build, this can crash PHP with a segmentation fault or, depending on your environment, could be leveraged further.
Official Reference Links
- PHP Security changelog 8.1.31
- PHP Security changelog 8.2.26
- PHP Security changelog 8.3.14
- NVD CVE-2024-8932 entry
- Upstream fix (GitHub commit)
Denial of Service (DoS): PHP process may crash.
- Worse (Rare): If attacker can control input size and content, possible memory corruption with code execution.
This is worst when using ldap_escape() with attacker-supplied input sizes (e.g., APIs passing form data directly).
PHP writes out-of-bounds, leading to a crash and potential memory manipulation.
*Note: actual remote code execution may require chaining other vulnerabilities or a very specific environment.*
`php
echo PHP_INT_SIZE; // 4 means 32-bit, 8 means 64-bit
PHP 8.3.14+
This is the definitive fix—the overflow is patched.
2. Filter Input Lengths
If upgrade is not possible, make absolutely sure no user-supplied string passed to ldap_escape() exceeds reasonable lengths (e.g., never accept 1GB+ input).
3. Move Off 32-bit
Whenever possible, use 64-bit PHP builds. Most modern servers are 64-bit already.
Conclusion
CVE-2024-8932 shows why unchecked input and legacy environments can still cause major security headaches in 2024. If you rely on PHP’s LDAP functions, check your stack and apply updates as soon as possible.
PHP Changelog:
- PHP 8.1.31 changelog
- PHP 8.2.26 changelog
- PHP 8.3.14 changelog
- CVE-2024-8932 NVD page
- Upstream fix commit
> Stay safe, update promptly, and never underestimate integer overflows!
Timeline
Published on: 11/22/2024 06:15:20 UTC