PHP 5.2.5 and prior : *printf() functions Integer Overflow

PHP 5.2.5 and prior : *printf() functions Integer Overflow SecurityAlert : 3759 CVE : 2008-1384 SecurityRisk : Low alert (About) Remote Exploit : No Local Exploit : Yes Exploit Given : No Credit : Maksymilian Arciemowicz Published : 20.03.2008 Affected Software :PHP 5.2.5 and prior-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]Author: Maksymilian Arciemowicz (cXIb8O3)SecurityReason.com and SecurityReason.plDate:- - Written: 01.03.2008- - Public: 20.03.2008SecurityReason ResearchSecurityAlert Id: 52CVE-2008-1384SecurityRisk: LowAffected Software: PHP 5.2.5 and priorAdvisory URL:http://securityreason.com/achievement_securityalert/52Vendor: http://www.php.net- --- 0.Description ---PHP is an HTML-embedded scripting language. Much of its syntax is borrowedfrom C, Java and Perl with a couple of unique PHP-specific features thrownin. The goal of the language is to allow web developers to writedynamically generated pages quickly.These functions all manipulate strings in various ways. Some morespecialized sections can be found in the regular expression and URLhandling sections.For information on how strings behave, especially with regard to usage ofsingle quotes, double quotes, and escape sequences, see the Strings entryin the Types section of the manual.- --- 1. *printf() functions Integer Overflow ---The main problem exists in formatted_print.c file.cxib# uname -aFreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386cxib# php -vPHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)Copyright (c) 1997-2007 The PHP GroupZend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologiescxib# cat /www/printf.phpcxib# php /www/printf.phpSegmentation fault (core dumped)Good. Let's see to formatted_print.c file in php_sprintf_appendstring()function- ---formatted_print.c-start---inline static voidphp_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,int min_width, int max_width, char padding,int alignment, int len, int neg, int expprec, int always_sign)- ---formatted_print.c-end---The main varible what we will see is "npad"- ---formatted_print.c-start---copy_len = (expprec ? MIN(max_width, len) : len);npad = min_width - copy_len;- ---formatted_print.c-end---good. npad is 2147483646- ---formatted_print.c-start---req_size = *pos + MAX(min_width, copy_len) + 1;- ---formatted_print.c-end---req_size overflow- ---formatted_print.c-start---if (req_size > *size) {while (req_size > *size) {*size *size) is False(alignment == ALIGN_RIGHT) is True so- ---formatted_print.c-start---while (npad-- > 0) {(*buffer)[(*pos)++] = padding;}- ---formatted_print.c-end---and finish. Let's debug it with gdb- --- Debug ---0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c,size=0xbfbfd324, add=0x28f20404 'A' ...,min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1,neg=0, expprec=0, always_sign=0)...0x290fff0c: 'A' ...0x290fffd4: 'A' 0x29100000: - --- Debug ---Script will alocated a lot of data to memory.Tested on:PHP 5.2.5cxib# uname -aFreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386andPHP 5.1.6someone@ultra ~ $ uname -aNetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006riz@b2.netbsd.org:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENERIC sparc64- --- 2. Exploit ---SecurityReason will not public official exploit for this issue.- --- 3. How to fix ---CVShttp://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup- --- 4. Greets ---sp3x Infospec p_e_a Chujwamwdupe schain and Stanislav Malyshev (Patch)- --- 5. Contact ---Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]Email: cxib [at] securityreason [dot] comGPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg [NEW KEY]GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg.old [OLDKEY]http://securityreason.comhttp://securityreason.pl-----BEGIN PGP SIGNATURE-----Version: GnuPG v2.0.4 (FreeBSD)iD8DBQFH4px5W1OhNJH6DMURAmHUAJ4hUxGFzSo8vqCH5QmR17uL5G4HdACfSFiIw6hfbKzpzFcipScHzuATSME==suIH-----END PGP SIGNATURE-----