PHP ImageCopyResized/ImageCopyResampled Integer Overflow

2007.09.08
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

PHP ImageCopyResized/ImageCopyResampled Integer Overflow

Affected Products: <= PHP 5.2.3
Authors: Mattias Bengtsson <mattias@secweb.se>
         Philip Olausson <po@secweb.se>
Reported: 2007-06-05
Released: 2007-08-30
CVE: CVE-2007-3996

Issue:
Two integer overflows exist in PHP's implementation of libgd. Remote exploitation of this overflow may under some circumstances allow execution of arbitrary code.

Description:
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. libgd is used for dynamic creation of images.

Details:
The overflow is located in the function gdImageCopyResized(), which is used within the PHP code and can also be reached from PHP using imagecopyresized() or imagecopyresampled().

    ...
    /* buffer sizes are computed as sizeof(int) * width/height with no overflow check */
    stx = (int *) gdMalloc (sizeof (int) * srcW);
    sty = (int *) gdMalloc (sizeof (int) * srcH);
    ...
    /* the loops trust srcW/srcH and index the buffers up to that count */
    for (i = 0; (i < srcW); i++)
      {
        stx[i] = dstW * (i+1) / srcW - dstW * i / srcW ;
      }
    for (i = 0; (i < srcH); i++)
      {
        sty[i] = dstH * (i+1) / srcH - dstH * i / srcH ;
      }
    ...

Passing a high value of srcW or srcH results in an integer overflow when computing the size of the buffer allocated for stx and sty. The for-loops that follow the allocation then try to write a large amount of data past the end of the undersized buffer, which results in a crash or possible execution of arbitrary code. If a web application uses this function to resize images that can be uploaded remotely, the overflow can be triggered by a specially crafted image file.

Proof Of Concept:

    <?php
    imagecopyresized(imagecreatetruecolor(0x7fffffff, 120), imagecreatetruecolor(120, 120), 0, 0, 0, 0, 0x7fffffff, 120, 120, 120);
    ?>

Impact:
Due to the fact that this vulnerability can be triggered remotely the impact should be considered high.

Solution:
Upgrade to PHP 5.2.4
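The following C snippet is an added illustration, not code from the advisory, from PHP or from libgd: it models the unchecked `sizeof(int) * srcW` size computation on a 32-bit size_t (the width where the product wraps) beside the overflow-checked allocation helper that a fixed gdImageCopyResized() path needs. Function names and the 32-bit emulation are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the advisory's allocation on a 32-bit platform: sizeof(int) * srcW
   is computed in a 32-bit size_t and silently wraps, so a huge element count
   can turn into a tiny byte count. No check, as in the vulnerable code. */
static uint32_t unchecked_alloc_size32(int srcW)
{
    return (uint32_t)sizeof(int) * (uint32_t)srcW;
}

/* Hardened counterpart: reject non-positive counts and any count whose
   product with sizeof(int) does not fit in the 32-bit size_t being modelled.
   Returns 0 when the request is rejected, otherwise the byte size. */
static uint32_t checked_alloc_size32(int n)
{
    if (n <= 0)
        return 0;
    if ((uint32_t)n > UINT32_MAX / (uint32_t)sizeof(int))
        return 0;   /* product would wrap: refuse instead of under-allocating */
    return (uint32_t)sizeof(int) * (uint32_t)n;
}

/* Allocation wrapper in the style a patched resize path needs: the stx/sty
   tables are only allocated when the size survived the check, so the fill
   loops can never run past the end of what was actually allocated. */
static int *alloc_int_table(int n)
{
    uint32_t bytes = checked_alloc_size32(n);
    if (bytes == 0)
        return NULL;
    return (int *)malloc(bytes);
}

int main(void)
{
    int from_poc = 0x7fffffff;  /* width value used in the advisory's PoC */
    int wraps_small = 0x40000001; /* constructed: 4 * this wraps to 4 bytes */
    printf("unchecked 0x7fffffff -> %u bytes\n", unchecked_alloc_size32(from_poc));
    printf("unchecked 0x40000001 -> %u bytes\n", unchecked_alloc_size32(wraps_small));
    printf("checked   0x7fffffff -> %u (0 = rejected)\n", checked_alloc_size32(from_poc));
    int *tbl = alloc_int_table(120);
    printf("width 120 -> %s\n", tbl ? "allocated" : "rejected");
    free(tbl);
    return 0;
}
```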


Copyright 2019, cxsecurity.com