Date: Tue, 19 May 2015 16:20:15 +0200
From: Andrea Palazzo <andrea.palazzo@...el.it>
To: Stanislav Malyshev <smalyshev@...il.com>
CC: oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption

Hi again!

My point is: once you get to have a corrupted zval, there are tons of 
functions that would result in memory errors if working on it.
A str_repeat() with user-supplied arguments is not so common at all, but 
let's say you have it (e.g. 
http://phpcrossref.com/xref/jpegmeta/EXIF.php.html, 
https://code.google.com/p/zimbra-api-php/, 
http://phpcrossref.com/xref/jpegmeta/XML.php.html); it is really likely 
that it would end up processed by one of these functions (string 
concatenation, for example).

$makernote .= str_repeat("\x00", ($tiff_data['Makernote_Tag']['Offset'] - 8));



On 19/05/2015 00:43, Stanislav Malyshev wrote:
> Hi!
>
>> About code execution, I haven't had the chance to focus on actual
>> exploitation yet (I surely will in the near future), but as you can see
>> from the original report (https://bugs.php.net/bug.php?id=69403), I
>> pointed out several cases in which working on a so-crafted zval would
>> lead to invalid memory access (with user controlled values as well), so
>> I am pretty confident it is achievable.
> These examples all seem to require specific code (like
> 'md5(str_repeat("a", 4294967294-1));') to be run. The probability that
> applications would contain this specific code with str_repeat argument
> controlled by remote user seems to be pretty low. However, if you can
> show exploiting this on a code of an application that is not specially
> crafted to demonstrate this issue, or at least resembles code that is
> likely to be deployed in a real application, I will gladly change my
> opinion.
>
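
As an added illustration (not part of this thread, and not code from the jpegmeta project), the EXIF padding line quoted above rewritten so that an untrusted Makernote offset is range-checked before it becomes a str_repeat() count; the MAX_MAKERNOTE_PAD limit and the helper names are assumptions for the example.

```php
<?php
// Added example (not from the thread or the jpegmeta project): the EXIF
// padding computation quoted above, rewritten so an untrusted Makernote
// offset cannot reach str_repeat() as a negative or oversized count.
// The original computes the count straight from file data:
//   $makernote .= str_repeat("\x00", ($tiff_data['Makernote_Tag']['Offset'] - 8));
// An offset below 8 gives a negative count; a huge offset a huge one.

// Largest padding we are willing to emit (assumed limit; a real parser
// would derive it from the embedded TIFF segment size).
const MAX_MAKERNOTE_PAD = 65535;

// Number of NUL bytes to pad before the Makernote, or null when the
// offset is not a sane in-range integer.
function makernotePadLength($offset, int $tiffLength): ?int
{
    if (!is_int($offset)) {            // strings, floats, null: reject
        return null;
    }
    // Must point past the 8-byte TIFF header and stay inside the data.
    if ($offset < 8 || $offset > $tiffLength) {
        return null;
    }
    $pad = $offset - 8;
    return $pad <= MAX_MAKERNOTE_PAD ? $pad : null;
}

function buildMakernote(array $tiffData, string $tiffBytes): string
{
    $offset = $tiffData['Makernote_Tag']['Offset'] ?? null;
    $pad = makernotePadLength($offset, strlen($tiffBytes));
    if ($pad === null) {
        // Treat the file as malformed rather than trusting the offset.
        throw new UnexpectedValueException('Makernote offset out of range');
    }
    return str_repeat("\x00", $pad);
}

// Constructed inputs: one sane offset, then values the original code
// would have turned into a negative or oversized repeat count.
$tiff = str_repeat("\x01", 64);
echo strlen(buildMakernote(['Makernote_Tag' => ['Offset' => 20]], $tiff)), " bytes of padding\n";
foreach ([4, -1, 4294967294, "20"] as $bad) {
    try {
        buildMakernote(['Makernote_Tag' => ['Offset' => $bad]], $tiff);
    } catch (UnexpectedValueException $e) {
        echo "rejected offset ", var_export($bad, true), "\n";
    }
}
```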

