CVE-2016-3078 PHP ZipArchive Integer Overflow analysis - vulnerability warning - the black bar safety net

Source: www.myhack58.com (myhack58 ID MYHACK58:62201784340)
Author: 佚名 (Anonymous)
Published: Mar 15, 2017

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.344 Low, Percentile 96.7%

The affected range is PHP 7.x before version 7.0.6. The PHP source code is available at <https://github.com/php/php-src/>.

PHP source code architecture

  • The core of the PHP source is the Zend directory. It is responsible for parsing and executing PHP scripts and for the other core functions.
  • The TSRM directory holds PHP's multi-threading support library (the Thread Safe Resource Manager).
  • The ext directory implements the various PHP extensions, such as ftp, ssl and xml, and also contains the zip extension whose parsing code is analysed here.

Vulnerability details

CVE-2016-3078 was announced on the bugtraq list: <http://seclists.org/bugtraq/2016/Apr/159>

The root cause is that when PHP is compiled for x86, the zend_long/zend_ulong types end up with a different width than on x64.

![](/Article/UploadPic/2017-3/201731511435426.png)

The code above comes from Zend/zend_long.h. When compiled for x64, zend_ulong is 64 bits wide; when compiled for x86, it is 32 bits. In php_zip_get_from(), a 64-bit length (the entry's uncompressed size) is assigned to a 32-bit zend_long variable, which truncates it. The truncated value causes an integer overflow in the allocation size and then a heap overflow in the following read; with carefully structured input this can be turned into a write to an arbitrary address.

The flow of execution

A minimal PHP script that triggers the vulnerability looks like this:

![](/Article/UploadPic/2017-3/201731511435744.png)

The script parses a zip file by first calling ZipArchive::open(), which reads the zip file into memory. The corresponding code in the PHP source is in ext/zip/php_zip.c:

![](/Article/UploadPic/2017-3/201731511438799.png)

open() initializes a _ze_zip_object structure:

![](/Article/UploadPic/2017-3/201731511438479.png)

Its member za points to a zip structure, which holds everything related to the parsed contents of the zip file.

![](/Article/UploadPic/2017-3/201731511438371.png)

Inside it, the zip_source_t *src pointer refers to the structure that holds the archive's data.

![](/Article/UploadPic/2017-3/201731511438196.png)

Its cb member is a union of callback functions that are invoked when a file is extracted from the archive. In open(), this callback is initialized to read_data().

![](/Article/UploadPic/2017-3/201731511438788.png)

Back to the PHP script. Once open() has completed, the script calls getFromIndex() or getFromName() to read the data of a specific file inside the archive. In the PHP source both functions call php_zip_get_from() directly, and that is the function containing the vulnerability.

php_zip_get_from() first reads the arguments passed from the script out of the executor globals. It then looks up the directory entry (dirEntry) of the requested file in the parsed zip structure and fills a zip_stat structure with the result.

![](/Article/UploadPic/2017-3/201731511438289.png)

The size field of zip_stat is a uint64 that holds the entry's UncompressedSize. The function then checks whether the len argument passed in from the PHP script is less than 1 and, if so, assigns this size to len. Note that len is of type zend_long, which is 32 bits wide on x86, so a size that does not fit is silently truncated.

![](/Article/UploadPic/2017-3/2017315114310785.png)

Next, zip_fopen_index() is called to open the entry within the parsed zip structure and update its data. While doing so it distinguishes the entry's compression method: encrypted, compressed, or store.

An encrypted entry requires a password; a compressed entry must be decompressed; a stored entry holds the raw file data without compression. The function then wraps the original zip structure in a new structure, registers the callbacks for decryption, decompression and CRC checking on that new structure, and returns a pointer to it.

Back in php_zip_get_from(): the call to zend_string_alloc() is where the integer overflow occurs, and the zip_fread() call that follows is the heap overflow point.

![](/Article/UploadPic/2017-3/2017315114312819.png)

zend_string_alloc() first rounds len up for alignment: it adds 0x14 to the original len and masks the result with 0xFFFFFFFC. An attacker can set UncompressedSize to 0xFFFFFFFE so that this computation wraps and only a 0x10-byte heap block is allocated, while zip_fread() is still told it may write 0xFFFFFFFE bytes into it.

![](/Article/UploadPic/2017-3/2017315114312823.png)
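The two arithmetic steps described above (the uint64-to-zend_long truncation of the uncompressed size, and the +0x14 / & 0xFFFFFFFC rounding in zend_string_alloc()) modelled in C as an added example. This is not code from the article or from php-src: the 32-bit zend_long and size_t, the 16-byte zend_string header and the 0xFFFFFFFE sample size are taken from the article's description of an x86 build, and the function names and the checked variant are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for the x86 build the article describes (not php-src code):
 * zend_long is a 32-bit signed integer and size_t is 32 bits wide. */
typedef int32_t  x86_zend_long;
typedef uint32_t x86_size_t;

#define ZSTR_HEADER_X86 0x10u   /* 16-byte zend_string header on x86, per the article */

typedef struct {
    x86_size_t alloc_size;   /* bytes requested from the allocator */
    x86_size_t copy_len;     /* ZSTR_LEN(buffer): the length handed to zip_fread() */
    bool       overflow;     /* copy_len exceeds the payload room of the block */
} get_from_sizes;

/* ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(len)) as the article describes it on
 * x86: (len + 0x14) & 0xFFFFFFFC, evaluated in 32 bits so that it can wrap. */
static x86_size_t zstr_struct_size_x86(x86_size_t len) {
    return (x86_size_t)((len + 0x14u) & 0xFFFFFFFCu);
}

/* Vulnerable flow as modelled here: `len` is the script argument (default 0).
 * If it is < 1 the entry's 64-bit uncompressed size is stored into the 32-bit
 * zend_long (truncation); the allocation is then sized with wrapping
 * arithmetic while zip_fread() is told it may write the whole length. */
get_from_sizes get_from_vulnerable(uint64_t uncompressed_size, x86_zend_long len) {
    get_from_sizes r;
    if (len < 1) {
        len = (x86_zend_long)uncompressed_size;   /* uint64 -> int32: 0xFFFFFFFE becomes -2 */
    }
    r.copy_len   = (x86_size_t)len;               /* -2 reinterpreted as 0xFFFFFFFE */
    r.alloc_size = zstr_struct_size_x86(r.copy_len);
    r.overflow   = r.alloc_size < ZSTR_HEADER_X86
                || r.copy_len > r.alloc_size - ZSTR_HEADER_X86;
    return r;
}

/* Checked flow (this example's own hardening, not copied from php-src):
 * refuse a size that does not fit a positive zend_long, and do the
 * struct-size arithmetic in 64 bits so a wrap is detected rather than
 * silently yielding a tiny block. */
bool get_from_checked(uint64_t uncompressed_size, x86_zend_long len, get_from_sizes *out) {
    if (len < 1) {
        if (uncompressed_size > (uint64_t)INT32_MAX) {
            return false;                         /* would truncate: reject the entry */
        }
        len = (x86_zend_long)uncompressed_size;
    }
    uint64_t need = (uint64_t)(uint32_t)len + 0x14u;   /* header + len + NUL, before rounding */
    if (need > (uint64_t)UINT32_MAX) {
        return false;                             /* struct size would wrap on x86 */
    }
    out->copy_len   = (x86_size_t)len;
    out->alloc_size = (x86_size_t)(need & 0xFFFFFFFCu);
    out->overflow   = false;
    return true;
}

int main(void) {
    get_from_sizes v = get_from_vulnerable(0xFFFFFFFEull, 0);
    printf("vulnerable: alloc=0x%x copy_len=0x%x overflow=%d\n",
           v.alloc_size, v.copy_len, v.overflow);   /* alloc=0x10 copy_len=0xfffffffe overflow=1 */
    get_from_sizes c;
    printf("checked: %s\n", get_from_checked(0xFFFFFFFEull, 0, &c) ? "allowed" : "rejected");
    return 0;
}
```

With the article's 0xFFFFFFFE the vulnerable path requests a 0x10-byte block and then lets zip_fread() write up to 0xFFFFFFFE bytes into it; a legitimate 100-byte entry gets a 120-byte block and no overflow. The checked path rejects any size the 32-bit zend_long cannot hold, which is the property the 7.0.6 fix has to guarantee.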

The heap block itself is allocated by pemalloc, shown in the screenshot above. pemalloc is PHP's internal memory allocator, implemented in Zend/zend_alloc.c; it is not expanded on here. It optimizes small allocations: all small blocks are carved out of one or more contiguous pages of memory, and the free small blocks of each size are kept in a singly linked list. The address of the first free small block is stored in the free_slot array of the global chunk header.
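The UncompressedSize that php_zip_get_from() copies into len comes from the archive's central directory, so the field is fully attacker-controlled. As an added example (not from the article, php-src or libzip), the scanner below walks a ZIP's central directory and flags every entry whose UncompressedSize would not fit a positive 32-bit zend_long, the precondition for the truncation described above. The archive it runs on is constructed in memory for the demonstration (one stored entry whose size field is forged), and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIG_LOCAL   0x04034b50u
#define SIG_CENTRAL 0x02014b50u
#define SIG_EOCD    0x06054b50u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Constructed test input: a one-entry, method-"store" archive whose
 * UncompressedSize field is `forged_usize` (local header and central
 * directory). CRC is left zero; the scanner never inflates or verifies.
 * `out` needs 110 bytes. Returns the archive length. */
size_t build_zip(uint8_t *out, uint32_t forged_usize) {
    static const char name[] = "a.txt";
    static const char data[] = "hi";
    const uint16_t nlen = sizeof name - 1, dlen = sizeof data - 1;
    uint8_t *p = out;

    wr32(p, SIG_LOCAL); wr16(p + 4, 20); wr16(p + 6, 0); wr16(p + 8, 0);   /* local file header */
    wr16(p + 10, 0); wr16(p + 12, 0); wr32(p + 14, 0);
    wr32(p + 18, dlen); wr32(p + 22, forged_usize);
    wr16(p + 26, nlen); wr16(p + 28, 0);
    memcpy(p + 30, name, nlen); p += 30 + nlen;
    memcpy(p, data, dlen); p += dlen;

    uint8_t *cd = p;                                                       /* central directory */
    memset(p, 0, 46);
    wr32(p, SIG_CENTRAL); wr16(p + 4, 20); wr16(p + 6, 20);
    wr32(p + 20, dlen); wr32(p + 24, forged_usize);
    wr16(p + 28, nlen); wr32(p + 42, 0);                                   /* local header at offset 0 */
    memcpy(p + 46, name, nlen); p += 46 + nlen;

    memset(p, 0, 22);                                                      /* end of central directory */
    wr32(p, SIG_EOCD); wr16(p + 8, 1); wr16(p + 10, 1);
    wr32(p + 12, (uint32_t)(p - cd)); wr32(p + 16, (uint32_t)(cd - out));
    p += 22;
    return (size_t)(p - out);
}

/* Walk the central directory and return how many entries carry an
 * UncompressedSize above INT32_MAX (does not fit a positive x86 zend_long),
 * or -1 if the structure is malformed (no EOCD, entry past the buffer). */
int scan_zip_for_unsafe_sizes(const uint8_t *zip, size_t len) {
    if (len < 22) return -1;
    size_t eocd = len - 22;                        /* search back over an optional comment */
    size_t lowest = len > 22 + 0xFFFFu ? len - 22 - 0xFFFFu : 0;
    for (;;) {
        if (rd32(zip + eocd) == SIG_EOCD) break;
        if (eocd == lowest) return -1;
        eocd--;
    }
    uint16_t entries = rd16(zip + eocd + 10);
    uint32_t cd_size = rd32(zip + eocd + 12);
    uint32_t cd_off  = rd32(zip + eocd + 16);
    if ((uint64_t)cd_off + cd_size > eocd) return -1;

    int flagged = 0;
    size_t pos = cd_off, end = (size_t)cd_off + cd_size;
    for (uint16_t i = 0; i < entries; i++) {
        if (pos + 46 > end || rd32(zip + pos) != SIG_CENTRAL) return -1;
        uint32_t usize = rd32(zip + pos + 24);     /* the value zip_stat reports as size */
        uint16_t nlen = rd16(zip + pos + 28), xlen = rd16(zip + pos + 30), clen = rd16(zip + pos + 32);
        if (usize > (uint32_t)INT32_MAX) flagged++;
        pos += 46u + nlen + xlen + clen;
        if (pos > end) return -1;
    }
    return flagged;
}

int main(void) {
    uint8_t buf[128];
    size_t n = build_zip(buf, 0xFFFFFFFEu);
    printf("forged archive: %d unsafe entries\n", scan_zip_for_unsafe_sizes(buf, n));
    n = build_zip(buf, 2);
    printf("benign archive: %d unsafe entries\n", scan_zip_for_unsafe_sizes(buf, n));
    return 0;
}
```

The threshold is deliberately conservative: only sizes in the last 0x14 bytes below 2^32 make the rounded allocation wrap to a tiny block as in the article, but anything above INT32_MAX already turns len negative on x86, so there is no reason to accept it on a 32-bit build. A ZIP64 archive stores 0xFFFFFFFF in this field and the real size in an extra field, so the scanner flags such entries too; that is the right outcome here, since a 32-bit PHP cannot hold those sizes in a zend_long either.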

