Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: bx2501.htm

PHP 5 *printf() - Integer Overflow



{securityreason.com}PHP 5 *printf() - Integer Overflow
{securityreason.com}PHP 5 *printf() - Integer Overflow



-----BEGIN PGP SIGNED MESSAGE-----=0D
Hash: SHA1=0D
=0D
[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]=0D
=0D
Author: Maksymilian Arciemowicz (cXIb8O3)=0D
SecurityReason.com and SecurityReason.pl=0D
Date:=0D
- - Written: 01.03.2008=0D
- - Public: 20.03.2008=0D
=0D
SecurityReason Research=0D
SecurityAlert Id: 52=0D
=0D
CVE-2008-1384=0D
SecurityRisk: Low=0D
=0D
Affected Software: PHP 5.2.5 and prior=0D
Advisory URL:=0D
http://securityreason.com/achievement_securityalert/52=0D 
Vendor: http://www.php.net=0D 
=0D
- --- 0.Description ---=0D
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.=0D
=0D
These functions all manipulate strings in various ways. Some more specialized sections can be found in the regular expression and URL handling sections.=0D
=0D
For information on how strings behave, especially with regard to usage of single quotes, double quotes, and escape sequences, see the Strings entry in the Types section of the manual.=0D
=0D
- --- 1. *printf() functions Integer Overflow ---=0D
The main problem exists in formatted_print.c file.=0D
=0D
cxib# uname -a=0D
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386=0D 
cxib# php -v=0D
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)=0D
Copyright (c) 1997-2007 The PHP Group=0D
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies=0D
cxib# cat /www/printf.php=0D
=0D
cxib# php /www/printf.php=0D
Segmentation fault (core dumped)=0D
=0D
Good. Let's see to formatted_print.c file in php_sprintf_appendstring() function =0D
=0D
- ---formatted_print.c-start---=0D
inline static void=0D
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,=0D
						   int min_width, int max_width, char padding,=0D
						   int alignment, int len, int neg, int expprec, int always_sign)=0D
- ---formatted_print.c-end---=0D
=0D
The main varible what we will see is "npad"=0D
=0D
=0D
- ---formatted_print.c-start---=0D
	copy_len = (expprec ? MIN(max_width, len) : len);=0D
	npad = min_width - copy_len;=0D
- ---formatted_print.c-end---=0D
=0D
good. npad is 2147483646=0D
=0D
=0D
- ---formatted_print.c-start---=0D
	req_size = *pos + MAX(min_width, copy_len) + 1;=0D
- ---formatted_print.c-end---=0D
=0D
	req_size overflow=0D
=0D
- ---formatted_print.c-start---=0D
	if (req_size > *size) {=0D
		while (req_size > *size) {=0D
			*size <<= 1;=0D
		}=0D
		PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));=0D
		*buffer = erealloc(*buffer, *size);=0D
	}=0D
- ---formatted_print.c-end---=0D
=0D
(req_size > *size) is False=0D
=0D
(alignment == ALIGN_RIGHT) is True so=0D
=0D
- ---formatted_print.c-start---=0D
		while (npad-- > 0) {=0D
			(*buffer)[(*pos)++] = padding;=0D
		}=0D
- ---formatted_print.c-end---=0D
=0D
and finish. Let's debug it with gdb=0D
=0D
- --- Debug ---=0D
0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c, =0D
    size=0xbfbfd324, add=0x28f20404 'A' ..., =0D
    min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1, =0D
    neg=0, expprec=0, always_sign=0)=0D
=0D
...=0D
=0D
0x290fff0c:      'A' ...=0D
0x290fffd4:      'A'  =0D
0x29100000:      =0D
- --- Debug ---=0D
=0D
Script will alocated a lot of data to memory.=0D
=0D
Tested on:=0D
PHP 5.2.5=0D
cxib# uname -a=0D
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386=0D 
=0D
and =0D
PHP 5.1.6=0D
someone@ultra ~ $ uname -a=0D
NetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006  =0D
riz@b2.netbsd.org:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENERIC sparc64=0D 
=0D
- --- 2. Exploit ---=0D
SecurityReason will not public official exploit for this issue. =0D
=0D
- --- 3. How to fix ---=0D
CVS=0D
=0D
http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup=0D 
=0D
- --- 4. Greets ---=0D
sp3x Infospec p_e_a Chujwamwdupe schain and Stanislav Malyshev (Patch)=0D
=0D
- --- 5. Contact ---=0D
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]=0D
Email: cxib [at] securityreason [dot] com=0D
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg [NEW KEY]=0D 
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg.old [OLD KEY]=0D 
http://securityreason.com=0D 
http://securityreason.pl=0D 
=0D
-----BEGIN PGP SIGNATURE-----=0D
Version: GnuPG v2.0.4 (FreeBSD)=0D
=0D
iD8DBQFH4px5W1OhNJH6DMURAmHUAJ4hUxGFzSo8vqCH5QmR17uL5G4HdACfSFiI=0D
w6hfbKzpzFcipScHzuATSME==0D
=suIH=0D
-----END PGP SIGNATURE-----=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH