PHP exploit found (CVE-2024-2961)


prollyanotherlurker

kiwifarms.net
Joined
Apr 1, 2024
I'm making this to be a PSA more than anything. I didn't see a thread for updates about this kind of stuff here, which I do think might be a good idea to turn this thread into, maybe.


I don't know enough to get into this super technically, but basically it's a really old bug that someone finally found an exploit for. And anything running on PHP is vulnerable right now if it hasn't been updated.

Idk if Null uses PHP for this. But if so, might be a good idea to update ASAP.
 
Nobody should really worry about this affecting Xenforo, KF's PHP-based forum software. The exploit method doesn't seem to be public, so vulnerable servers just need to be patched ASAP before a troon tries to figure it out and break into Xenforo.

He can also disable the buggy encoding manually and fix it without having to upgrade.
 
> Nobody should really worry about this affecting Xenforo, KF's PHP-based forum software. The exploit method doesn't seem to be public, so vulnerable servers just need to be patched ASAP before a troon tries to figure it out and break into Xenforo.
>
> He can also disable the buggy encoding manually and fix it without having to upgrade.

Good to know.

It's definitely best to be safe than sorry no matter what.
 
I read the CVE, and while it's a legit vulnerability, it looks pretty limited in scope. Here's the money shot.

"may overflow the output buffer passed to it by up to 4 bytes"

Emphasis mine. How much could you do, real world, with a 4 byte overflow? Somebody correct me if I'm wrong, but I'm guessing not much. Crash it, maybe. Dump an entire database, not so much.
 
> I read the CVE, and while it's a legit vulnerability, it looks pretty limited in scope. Here's the money shot.
>
> "may overflow the output buffer passed to it by up to 4 bytes"
>
> Emphasis mine. How much could you do, real world, with a 4 byte overflow? Somebody correct me if I'm wrong, but I'm guessing not much. Crash it, maybe. Dump an entire database, not so much.

The guy who discovered this said that specifically PHP can be completely overtaken somehow. Even if he's lying it's good to fix strange UB bugs like these because nobody knows when it will be used in exactly the right conditions that somehow makes RCE possible, like here.
 
> The guy who discovered this said that specifically PHP can be completely overtaken somehow. Even if he's lying it's good to fix strange UB bugs like these because nobody knows when it will be used in exactly the right conditions that somehow makes RCE possible, like here.

Weird. I'm just not finding much else about this. Everybody seems to rank it pretty low, and it looks that way to me as well. Maybe there's something I'm missing. And there's no reason NOT to patch it.

Still. Weird.
 
> Weird. I'm just not finding much else about this. Everybody seems to rank it pretty low, and it looks that way to me as well. Maybe there's something I'm missing. And there's no reason NOT to patch it.
>
> Still. Weird.

Yeah I looked it up yesterday as well. We'll only know more when the researcher who found this does his faggy presentation, I guess.

I still wonder why they left this one in for so long. Leaving in a buffer overrun is just asking for trouble. Like come on man.
 
> Weird. I'm just not finding much else about this. Everybody seems to rank it pretty low, and it looks that way to me as well. Maybe there's something I'm missing. And there's no reason NOT to patch it.

What you're missing is that PHP is a fucking clusterfuck of bodges, so something that is a low-concern vuln elsewhere becomes a major issue. 4 bytes is probably enough to write a pointer, which can be to something malicious if you're clever enough.

What's curious is that all of the discussion about this has disappeared. There are lots of links to tweets discussing it, but they're all dead. The guy who originated the claim is allegedly going to reveal more information at a talk in a couple of weeks, but his original claims are gone.
 
Yeah, I wish I knew enough about programming to comment more on the potential for it to cause issues.

Would be great to learn more about this stuff, but idk if I will ever find the time. At least right now, I'm lucky to get any free time at all. But this stuff seems like it could be useful to know just from a user standpoint.
 
> Yeah, I wish I knew enough about programming to comment more on the potential for it to cause issues.
>
> Would be great to learn more about this stuff, but idk if I will ever find the time. At least right now, I'm lucky to get any free time at all. But this stuff seems like it could be useful to know just from a user standpoint.

This isn't programming, this is system administration.

> I run automatic upgrades for security patches

Local competent sysadmin is a competent sysadmin and has automatic security updates enabled. Typical I&T posters shocked at the notion that updates can be automated.
 
> What's curious is that all of the discussion about this has disappeared. There are lots of links to tweets discussing it, but they're all dead. The guy who originated the claim is allegedly going to reveal more information at a talk in a couple of weeks, but his original claims are gone.

He gives off weird vibes like he wants to be known as the supreme overlord hackerman but also wants companies to hire him for infosec.

This is pretty much a nothingburger.
 
> Anyone using rolling release is a fucking clown, even on non-production servers.

It's okay on desktops as long as you're always paying attention to any problems that may arise. You end up with somewhat newer software at the expense of your computer trying to kill itself every now and then when you update, which is a tradeoff that some are willing to make.
 
> It's okay on desktops as long as you're always paying attention to any problems that may arise. You end up with somewhat newer software at the expense of your computer trying to kill itself every now and then when you update, which is a tradeoff that some are willing to make.

Believe me, running rolling release Linux distributions is not worth it: you will have a much better experience with a stable distribution with security updates instead.
 
> This isn't programming, this is system administration.
>
> Local competent sysadmin is a competent sysadmin and has automatic security updates enabled. Typical I&T posters shocked at the notion that updates can be automated.

I assumed some knowledge of programming languages for something like this would be useful to be able to really tell what is happening past the surface level.
 