Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 27 May 2024 14:13:51 +0200
From: Florian Weimer <>
To: Erik Auerswald <>
Subject: Re: The GNU C Library security advisories update for
 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix
 out-of-bound writes when writing escape sequence

* Erik Auerswald:

> Hi,
> On Mon, May 27, 2024 at 12:31:46PM +0200, Florian Weimer wrote:
>> >
>> > Although very late, here is a follow up explaining the impact of the
>> > vulnerability.
>> >
>> > Provided that you can force an application to convert a partially
>> > controlled buffer to ISO-2022-CN-EXT, you get an
>> > overflow of 1 to 3 bytes whose value you don't control.
>> >
>> > This can be triggered in at least two ways in PHP:
>> >
>> > - Through direct calls to iconv()
>> > - Through the use of PHP filters (i.e. using a "file read" vulnerability)
>> >
>> > Due to the way PHP's heap is built, you can use such a memory
>> > corruption to alter part of a free list pointer,
>> > which can in turn give you an arbitrary write primitive in the
>> > program's memory.
>> >
>> > With this bug, any person that has a file read vulnerability with a
>> > controlled prefix on a PHP application has RCE.
>> Out of curiosity, why would PHP translate a file to ISO-2022-CN-EXT
>> while reading it?  It's not even an ASCII-transparent charset.
> According to <>, PHP
> can be told to do so via "php://filter/…", a default behavior of PHP,
> it seems (I have just skimmed that page and do not know any details).

Oh, right:

| Obviously, base64-encoding is not the only thing you can do. Many
| filters are available.
| […]
|  » convert.iconv.X.Y, which converts charset from X to Y
| Let's take a look at the last filter: convert.iconv.X.Y. Say that I need
| to convert my file from UTF8 to UTF16. I can use:
|   php://filter/convert.iconv.UTF-8.UTF-16/resource=/etc/passwd

Unfortunately, that exposes all installed iconv converters in all
directions (unlike glibc's ,ccs= parameter for fopen), once there is an
arbitrary URL read injection vulnerability in a PHP application.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.