PHP "exif_process_IFD_TAG ()" remote Integer Overflow Vulnerability

Release date: 2011-12-05
Updated on: 2011-12-06

Affected Systems:
PHP 5.4.0beta2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 50907
Cve id: CVE-2011-4566

PHP is a script language running on a computer. It is mainly used to process dynamic web pages, including command line interfaces or graphical user interface programs.

The PHP implementation vulnerability exists. In the 32-bit version, the function exif_process_IFD_TAG does not correctly check the value of offset_val. Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code in the affected Web server, this vulnerability may cause denial of service.

<* Source: flolechaud

Link: https://bugs.php.net/bug.php? Id = 60150
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

====
Exif. c: 2852:

Value_ptr = offset_base + offset_val;
If (offset_val + byte_count> IFDlength | value_ptr <dir_entry)
{
====

The check (offset_val + byte_count) is not safe:

(Gdb)
2852 value_ptr = offset_base + offset_val;
(Gdb)
2853 if (offset_val + byte_count> IFDlength | value_ptr <
Dir_entry ){
(Gdb)
2905 ImageInfo-> sections_found | = FOUND_ANY_TAG;
(Gdb) p/x offset_base
$1 = 0x5af564
(Gdb) p/x offset_val
$2 = 0xf20008bc
(Gdb) p/x value_ptr
$3 = 0xf25afe20
(Gdb) p/x offset_val
$4 = 0xf20008bc
(Gdb) p/x byte_count
$5 = 0xe000067
(Gdb) p/x IFDlength
$6 = 0x1586
(Gdb) p/x offset_val + byte_count
$7 = 0x923
(Gdb) p/x (int64_t) offset_val + byte_count
$8 = 0x100000923

 

$ CFLAGS = "-m32-g" CXXFLAGS = "-m32-g"./configure -- disable-all -- enable-exif
$ CFLAGS = "-m32-g" CXXFLAGS = "-m32-g" make

$ Php -- version
PHP 5.4.0beta1 (cli) (built: Oct 19 2011 21:15:00)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2011 Zend Technologies

 

Test script:
---------------
Florent $ cat run. php
<? Php

$ Exif = exif_read_data ($ argv [1]);

?>

Florent $ php run. php./sample.jpg

Expected result:
----------------
Warning or Error without bad pointer dereference.

Actual result:
--------------
(Gdb) r run. php./Sample.jpg
Starting program:/Users/florent/Downloads/php-5.4.0beta1/sapi/cli/php run. php
./Sample.jpg
Reading symbols for shared libraries ++ .......... done

Program received signal EXC_BAD_ACCESS, cocould not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xf25afe24
0x0008ba9c in php_strnlen (str = 0xf25afe24 <Address 0xf25afe24 out of bounds>,
Maxlen = 234881127) at exif. c: 296
296 if (str & maxlen & * str ){
(Gdb) bt
#0 0x0008ba9c in php_strnlen (str = 0xf25afe24 <Address 0xf25afe24 out
Bounds>, maxlen = 234881127) at exif. c: 296
#1 0x0008cf04 in exif_iif_add_value (image_info = 0xbfffee30, section_index = 7,
Name = 0xbfffe818 "DateTimeOriginal", tag = 36867, format = 2, length = 234881127,
Value = 0xf25afe24, effecla_intel = 0) at exif. c: 1699
#2 0x0008d284 in exif_iif_add_tag (image_info = 0xbfffee30, section_index = 7,
Name = 0xbfffe818 "DateTimeOriginal", tag = 36867, format = 2, length = 234881127,
Value = 0xf25afe24) at exif. c: 1803
#3 0x00090b56 in exif_process_IFD_TAG (ImageInfo = 0xbfffee30, dir_entry = 0x5af6a8
"\ 003? \ 002 ", offset_base = 0x5af568" II * ", IFDlength = 5510, displacement = 12,
Section_index = 7, ReadNextIFD = 1, tag_table = 0x4291a0) at exif. c: 3110
#4 0x00090d20 in exif_process_IFD_in_JPEG (ImageInfo = 0xbfffee30,
Dir_start = 0x5af66a "#", offset_base = 0x5af568 "II *", IFDlength = 5510,
Displacement = 12, section_index = 7) at exif. c: 3138
#5 0x00090ae3 in exif_process_IFD_TAG (ImageInfo = 0xbfffee30, dir_entry = 0x5af5ea
"I? \ 004 ", offset_base = 0x5af568" II * ", IFDlength = 5510, displacement = 12,
Section_index = 3, ReadNextIFD = 1, tag_table = 0x4291a0) at exif. c: 3101
#6 0x00090d20 in exif_process_IFD_in_JPEG (ImageInfo = 0xbfffee30,
Dir_start = 0x5af570 "\ f", offset_base = 0x5af568 "II *", IFDlength = 5510,
Displacement = 12, section_index = 3) at exif. c: 3138
#7 0x00091032 in exif_process_TIFF_in_JPEG (ImageInfo = 0xbfffee30,
CharBuf = 0x5af568 "II *", length = 5510, displacement = 12) at exif. c: 3215
#8 0x0009114a in exif_process_APP1 (ImageInfo = 0xbfffee30, CharBuf = 0x5af560
"\ 025? Exif ", length = 5518, displacement = 4) at exif. c: 3240
#9 0x00091792 in exif_scan_JPEG_header (ImageInfo = 0xbfffee30) at exif. c: 3385
#10 0x000927e4 in exif_scan_FILE_header (ImageInfo = 0xbfffee30) at exif. c: 3763
#11 0x000931c8 in exif_read_file (ImageInfo = 0xbfffee30, FileName = 0x5aa3c4
"./Sample.jpg", read_thumbnail = 0, read_all = 0) at exif. c: 3902
#12 0x00093412 in zif_exif_read_data (ht = 1, return_value = 0x5ab254,
Return_value_ptr = 0x0, this_ptr = 0x0, return_value_used = 1) at exif. c: 3955
#13 0x00265c88 in zend_do_fcall_common_helper_SPEC (execute_data = 0x592028)
Zend_vm_execute.h: 642
#14 0x0026d26b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data = 0x592028)
Zend_vm_execute.h: 2215
#15 0x00264529 in execute (op_array = 0x5ac7a4) at zend_vm_execute.h: 410
#16 0x00225f27 in zend_execute_scripts (type = 8, retval = 0x0, file_count = 3)
Zend. c: 1271
#17 0x00199f29 in php_execute_script (primary_file = 0xbffffa60) at main. c: 2391
#18 0x00000025c in do_cli (argc = 3, argv = 0xbffffc04) at php_cli.c: 983
#19 0x00387837 in main (argc = 3, argv = 0xbffffc04) at php_cli.c: 1356

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.php.net