Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 15 Jan 2016 06:41:29 +1300
From: Emmanuel Law <emmanuel.law@...il.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Cc: security@....net
Subject: [CVE Request] Multiple PHP issues

1) Can we assign a CVE to PHP "Memory Read via gdImageRotateInterpolated
Array Index Out of Bounds":

Bug report: https://bugs.php.net/bug.php?id=70976
It is possible to read (almost) arbitrary memory.


2) Also CVE  request for PHP "Heap BufferOver Flow in escapeshell
functions":

Bug report: https://bugs.php.net/bug.php?d=71270
Patch:
https://github.com/php/php-src/commit/2871c70efaaaa0f102557a17c727fd4d5204dd4b

=====Copy and Paste of Original Bug Report ======

- There exist a heap-based buffer over flow that allows one to write a user
tainted data pass an allocated buffer. This vulnerability lies in the
following functions:

escapeshellarg
escapeshellcmd

- On a default php installation, the memory limit is set to 128MB and this
vulnerability is not triggerable. My analysis shows that this is
triggerable when memory limit is roughly > 1024mb. A quick search on github
shows that it's not uncommon to see code like "ini_set('memory_limit', -1);"


-I've created a POC that triggers the buffer over write with
0x414141414141.....

- A string of 1024mb is created and passed into escapeshellarg. "l"
contains the length of this string:

Breakpoint 2, php_escape_shell_arg (str=0x7fffad469028 'A' <repeats 200
times>...) at /home/elaw/php-7.0.0/ext/standard/exec.c:343
343             int x, y = 0, l = (int)strlen(str);

gdb-peda$ print l
$43 = 0x40000000            // 1024mb



-This length "l" is then passed into zend_string_alloc as "4 * l + 2" which
results in an integer overflow:

Temporary breakpoint 3, php_escape_shell_arg (str=0x7fffad000018 'A'
<repeats 200 times>...) at /home/elaw/php-7.0.1/ext/standard/exec.c:348
348             cmd = zend_string_alloc(4 * l + 2, 0); /* worst case */


gdb-peda$ print 4* l + 2
$44 = 0x2   //Overflow

- Stepping into zend_string_alloc to verify the integer overflow. Notice
len=0x2:
zend_string_alloc (persistent=0x0, len=0x2) at
/home/elaw/php-7.0.0/Zend/zend_string.h:121
121             zend_string *ret = (zend_string
*)pemalloc(ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(len)), persistent);

- Lets confirm the overflow again in the allocated (zend_string *) cmd.
Notice cmd.len=0x2:
gdb-peda$ p *cmd
$52 = {
  gc = {
    refcount = 0x1,
    u = {
      v = {
        type = 0x6,
        flags = 0x0,
        gc_info = 0x0
      },
      type_info = 0x6
    }
  },
  h = 0x0,
  len = 0x2,
  val = "1"
}



- The loops then writes pass the allocated buffer in

258 for (x = 0, y = 0; x < l; x++) {
....
321       ZSTR_VAL(cmd)[y++] = str[x];



- Verifying the buffer overflow in
gdb-peda$ p (zend_string *)cmd.len
$9 = (zend_string *) 0x2
gdb-peda$ x/100b (zend_string *)cmd.val
0x1625a58:      0x27    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a60:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a68:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a70:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a78:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a80:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a88:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a90:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625a98:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625aa0:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625aa8:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625ab0:      0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0x1625ab8:      0x41    0x41    0x41    0x41


- The vulnerability for php_escape_shell_cmd is identical.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.