PHP 5.6.4 out of bounds read crashes php-cgi

2015.01.05
Credit: Salvatore
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Description: ------------ I cloned the php git repo on 12/16/2014 and built from source using the afl-gcc compiler: CC=/path/to/afl-gcc ./configure AFL_HARDEN=1 make PHP 7.0.0-dev (cgi-fcgi) (built: Dec 16 2014 14:07:45) Copyright (c) 1997-2014 The PHP Group Zend Engine v3.0.0-dev, Copyright (c) 1998-2014 Zend Technologies While fuzzing the php-cgi binary, I found that a one byte file containing # and no newline causes php-cgi to segfault. printf "#" >crashme.php ./php-cgi crashme.php Segmentation fault I talked with the author of afl-fuzz to make sure there wasn't some pointer weirdness happening as a result of compiling this with afl-gcc and he says it looks like an out of bounds read, probably not exploitable, but might could disclose server memory, but anyone that can upload php scripts can do far worse. I have not tried exploiting this via a browser with XSS or anything fancy yet, just passing this via the command line in a Debian VM. I can provide a core dump or any other information that is needed. Expected result: ---------------- php-cgi should fail gracefully, not segfault. Actual result: -------------- ==61759== Invalid read of size 1 ==61759== at 0x4575B0: main (cgi_main.c:2460) ==61759== Address 0x4024000 is not stack'd, malloc'd or (recently) free'd ==61759== ==61759== ==61759== Process terminating with default action of signal 11 (SIGSEGV) ==61759== Access not within mapped region at address 0x4024000 ==61759== at 0x4575B0: main (cgi_main.c:2460) ==61759== If you believe this happened as a result of a stack ==61759== overflow in your program's main thread (unlikely but ==61759== possible), you can try to increase the size of the ==61759== main thread stack using the --main-stacksize= flag. ==61759== The main thread stack size used in this run was 8388608. Segmentation fault --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -2429,14 +2429,17 @@ consult the installation file that came with this distribution, or visit \n\ int i = 1; c = file_handle.handle.stream.mmap.buf[i++]; - while (c != '\n' && c != '\r' && c != EOF) { + while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) { c = file_handle.handle.stream.mmap.buf[i++]; } if (c == '\r') { - if (file_handle.handle.stream.mmap.buf[i] == '\n') { + if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') { i++; } } + if(i > file_handle.handle.stream.mmap.len) { + i = file_handle.handle.stream.mmap.len; + } file_handle.handle.stream.mmap.buf += i; file_handle.handle.stream.mmap.len -= i; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top