PHP 7.0.0 format string vulnerability and EIP hijack analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201680126
Type myhack58
Reporter zzz66686
Modified 2016-10-13T00:00:00


The PHP 7.0.0 format string vulnerability was published on exploit-db in December 2015. At that time the author was working at an information security company in northeast Beijing, was busy, and did not dig into it. Recently the author came across this vulnerability again and found that it has a CVE number, CVE-2015-8617, so it was studied in depth. This article gives a brief analysis of the format string vulnerability and discusses a possible method of exploiting it to hijack EIP, for readers' reference.

1. Introduction

PHP has two common format string functions, spprintf() and vspprintf(), which correspond to the C library's sprintf() and vsprintf(). Their declarations are:

    PHPAPI int spprintf(char **pbuf, size_t max_len, const char *format, ...);
    PHPAPI int vspprintf(char **pbuf, size_t max_len, const char *format, va_list ap);

From the declarations it can be seen that spprintf() receives a variable number of arguments, while vspprintf() receives exactly four. The internal implementations of the two functions are similar, but the author does not intend to discuss that point in depth; interested readers can look at the book "Programmer's Self-Cultivation". Articles analysing format string vulnerabilities generally focus on sprintf(); this article instead focuses on vsprintf(), that is, on PHP's vspprintf() function.

2. Vulnerability analysis

This article studies the vspprintf() call inside zend_throw_error(). When the vulnerability is triggered, zend_throw_error() is called by zend_throw_or_error(). zend_throw_or_error() is not long, so its code is copied here:

    static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce, const char *format, ...)
    {
        va_list va;
        char *message = NULL;

        va_start(va, format);
        zend_vspprintf(&message, 0, format, va);

        if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
            zend_throw_error(exception_ce, message); //vul_func
            //zend_throw_error(exception_ce, "%s", message); patched in the subsequent version
        } else {
            zend_error(E_ERROR, "%s", message);
        }

        efree(message);
        va_end(va);
    }

In the code above, the call that triggers the vulnerability is marked with the comment vul_func: the call is missing one argument, so the already-formatted message is passed as the format string, which produces a format string vulnerability. The patch is also marked in the code (the commented-out line). There is not much more that needs analysing about the format string vulnerability itself; the following sections discuss, for the Windows and Linux environments respectively, methods of exploiting the vulnerability to hijack EIP.

3. Windows environment analysis

To reduce the difficulty of the analysis in the Win7 environment, the author turned ASLR off for the time being. To achieve a stable EIP hijack, other means may also be needed to obtain some module base addresses; of course the PHP 7.0.0 format string vulnerability itself can also leak some useful memory data. In the Windows build of PHP the vulnerable function is located in the php7ts.dll dynamic link library. The PHP page is configured as follows:

    <?php
    $name="%n%n";
    $name::doSomething();
    ?>

Start PHP under the debugger to parse this page and it crashes. From the stack backtrace one finds that the function calling vspprintf() is an exported function (it can also be found directly in the export table). Set a breakpoint at the head of that function, run again, and find the particular call that triggers the vulnerability. Then observe the data on the stack:

[figure: stack contents at the vspprintf() call]
In the figure above, the top of the stack is the function's return address, i.e. the return into zend_throw_error(); below it are the four parameters of vspprintf(), of which 0441E890 is the va_list parameter. Note that with a traditional spprintf()-style format string overflow, one only needs to use %x repeatedly to step through the parameters on the stack and finally use %n to overwrite the function's return address, which hijacks EIP. But here the function is vspprintf(), which accepts only four parameters, so to continue hijacking EIP one has to examine the va_list. The definition of va_list differs slightly between environments; here it can roughly be defined as follows:

    #define va_list void*

That is, va_list is a pointer to the variadic arguments. In vspprintf(), the handling of %x directly reads the content that va_list points to, as shown below:

[figure: %x handling reading through va_list]
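The bug pattern from section 2 (the already-formatted message passed on as a format string, and the "%s" fix), reduced to a stand-alone C program as an added example. This is constructed code, not PHP's own: throw_error() stands in for zend_throw_error(), and the class name "100%%" is a constructed input chosen because "%%" is consumed by a second round of formatting without reading any arguments, so the difference between the two paths is visible in the output rather than in a crash.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for zend_throw_error(): formats `format` with its arguments.
 * (Constructed example; not PHP's code.) */
static void throw_error(char *out, size_t out_len, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, out_len, format, ap);
    va_end(ap);
}

/* The PHP 7.0.0 pattern: the message is formatted once, then passed as the
 * format string of the next call, so %-sequences in user-controlled data
 * (the class name) are interpreted a second time. */
static void throw_or_error_vuln(char *out, size_t out_len, const char *format, ...)
{
    char message[256];
    va_list va;
    va_start(va, format);
    vsnprintf(message, sizeof message, format, va);
    va_end(va);
    throw_error(out, out_len, message);        /* BUG: message used as format */
}

/* The patched pattern: "%s" is the format, message is just an argument. */
static void throw_or_error_fixed(char *out, size_t out_len, const char *format, ...)
{
    char message[256];
    va_list va;
    va_start(va, format);
    vsnprintf(message, sizeof message, format, va);
    va_end(va);
    throw_error(out, out_len, "%s", message);  /* message is data, not format */
}

/* Returns 1 if the class name appears in the output unchanged, 0 otherwise.
 * `fixed` selects the patched path; `out` receives the produced message. */
int class_name_intact(int fixed, const char *class_name, char *out, size_t out_len)
{
    const char *fmt = "Class '%s' not found";
    if (fixed)
        throw_or_error_fixed(out, out_len, fmt, class_name);
    else
        throw_or_error_vuln(out, out_len, fmt, class_name);
    return strstr(out, class_name) != NULL;
}
```

With the vulnerable path the "%%" in the class name collapses to "%" because the message is formatted a second time; with the fixed path it survives verbatim.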
