JordyzomerH1:504761Internet Bug Bounty: phar_tar_writeheaders_int() buffer overflow
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.01 Low
EPSS
Percentile
81.3%
A buffer overflow has been found in the phar_tar_writeheaders_int() function.
it does a strncpy to header->linkname from entry->link with the size of entry->link.
As you can see in https://github.com/php/php-src/blob/master/ext/phar/tar.h#L66 , header->linkname is a char of the size 100. Once entry->link contains a value that’s bigger than 100 it will overflow the _tar_header structure.
This can be fixed by setting the size argument of strncpy to sizeof(header->linkname) for example:
strncpy(header.linkname, entry->link, strlen(header->linkname);
This has been fixed in the following references:
https://github.com/php/php-src/commit/071e18c6971c4cf64297378b30b945a1b85d682a
http://git.php.net/?p=php-src.git;a=commit;h=e0f5d62bd6690169998474b62f92a8c5ddf0e699
https://bugs.php.net/bug.php?id=77586&edit=2
Kind Regards,
Jordy Zomer
Impact
An attacker could overflow the buffer resulting in either a crash (DoS), EOP or RCE.
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.01 Low
EPSS
Percentile
81.3%