PHP "exif_process_IFD_TAG()" Remote Integer Overflow Vulnerability

Source: Internet
Author: User

Release date: 2011-12-05
Updated on: 2011-12-06

Affected Systems:
PHP 5.4.0beta2
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 50907
CVE ID: CVE-2011-4566

PHP is a general-purpose scripting language. It is mainly used to generate dynamic web pages, but also for command-line and graphical user interface programs.

A vulnerability exists in the PHP implementation. In the 32-bit build, the function exif_process_IFD_TAG does not correctly validate offset_val: the bounds check on offset_val + byte_count can wrap around, so an out-of-range tag value passes the check. Successful exploitation allows remote attackers to execute arbitrary code on the affected web server; the vulnerability may also cause a denial of service.

<* Source: flolechaud

Link: https://bugs.php.net/bug.php?id=60150
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use at your own risk!

====
exif.c:2852:

value_ptr = offset_base + offset_val;
if (offset_val + byte_count > IFDlength || value_ptr < dir_entry) {
====

The check (offset_val + byte_count) is not safe:

(gdb)
2852        value_ptr = offset_base + offset_val;
(gdb)
2853        if (offset_val + byte_count > IFDlength || value_ptr < dir_entry) {
(gdb)
2905        ImageInfo->sections_found |= FOUND_ANY_TAG;
(gdb) p/x offset_base
$1 = 0x5af564
(gdb) p/x offset_val
$2 = 0xf20008bc
(gdb) p/x value_ptr
$3 = 0xf25afe20
(gdb) p/x offset_val
$4 = 0xf20008bc
(gdb) p/x byte_count
$5 = 0xe000067
(gdb) p/x IFDlength
$6 = 0x1586
(gdb) p/x offset_val + byte_count
$7 = 0x923
(gdb) p/x (int64_t) offset_val + byte_count
$8 = 0x100000923
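To make the arithmetic in the gdb session concrete, the following stand-alone C program (added for this page; it is not code from the bug report or from PHP) replays the three values gdb printed ($2, $5, $6) through the original shape of the check and through an overflow-free rearrangement of it. The rearranged check is an illustration of how to write such a bounds test, not necessarily the exact vendor patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Replays the arithmetic behind the check at exif.c:2853 with the values
 * printed by gdb above ($2, $5, $6).  Constructed illustration: no EXIF
 * buffer is parsed.  uint32_t is used so the 32-bit wrap shows on any host. */

/* Original shape of the check: the addition can wrap modulo 2^32,
 * so a huge offset_val plus a huge byte_count looks "small". */
static int unsafe_check_rejects(uint32_t offset_val, uint32_t byte_count,
                                uint32_t ifd_length)
{
    uint32_t sum = offset_val + byte_count;   /* 0xf20008bc + 0xe000067 -> 0x923 */
    return sum > ifd_length;                  /* 1 = rejected, 0 = accepted */
}

/* Overflow-free rearrangement (illustration, not necessarily the exact
 * vendor patch): compare each operand against the buffer length first, and
 * only subtract once the result cannot go negative. */
static int safe_check_rejects(uint32_t offset_val, uint32_t byte_count,
                              uint32_t ifd_length)
{
    if (byte_count > ifd_length)              return 1;
    if (offset_val > ifd_length - byte_count) return 1;
    return 0;
}

/* Wrapped sum, exposed so the 0x923 seen in gdb can be reproduced. */
static uint32_t wrapped_sum(uint32_t offset_val, uint32_t byte_count)
{
    return offset_val + byte_count;
}

int main(void)
{
    uint32_t offset_val = 0xf20008bcu;   /* $2 */
    uint32_t byte_count = 0x0e000067u;   /* $5 (234881127, the maxlen in the crash) */
    uint32_t ifd_length = 0x1586u;       /* $6 (5510 bytes of IFD data) */

    printf("wrapped sum    = 0x%x\n", wrapped_sum(offset_val, byte_count));
    printf("unsafe rejects = %d\n", unsafe_check_rejects(offset_val, byte_count, ifd_length));
    printf("safe rejects   = %d\n", safe_check_rejects(offset_val, byte_count, ifd_length));
    return 0;
}
```

The wrapped sum is exactly the 0x923 gdb shows in $7, which is why the original check accepts the entry; the second half of the original test (value_ptr < dir_entry) does not help either, since offset_base + offset_val lands far above dir_entry.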

 

$ CFLAGS="-m32 -g" CXXFLAGS="-m32 -g" ./configure --disable-all --enable-exif
$ CFLAGS="-m32 -g" CXXFLAGS="-m32 -g" make

$ php --version
PHP 5.4.0beta1 (cli) (built: Oct 19 2011 21:15:00)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2011 Zend Technologies

 

Test script:
---------------
florent$ cat run.php
<?php

$exif = exif_read_data($argv[1]);

?>

florent$ php run.php ./sample.jpg


Expected result:
----------------
Warning or Error without bad pointer dereference.

Actual result:
--------------
(gdb) r run.php ./sample.jpg
Starting program: /Users/florent/Downloads/php-5.4.0beta1/sapi/cli/php run.php ./sample.jpg
Reading symbols for shared libraries ++.......... done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xf25afe24
0x0008ba9c in php_strnlen (str=0xf25afe24 <Address 0xf25afe24 out of bounds>, maxlen=234881127) at exif.c:296
296         if (str && maxlen && *str) {
(gdb) bt
#0  0x0008ba9c in php_strnlen (str=0xf25afe24 <Address 0xf25afe24 out of bounds>, maxlen=234881127) at exif.c:296
#1  0x0008cf04 in exif_iif_add_value (image_info=0xbfffee30, section_index=7, name=0xbfffe818 "DateTimeOriginal", tag=36867, format=2, length=234881127, value=0xf25afe24, motorola_intel=0) at exif.c:1699
#2  0x0008d284 in exif_iif_add_tag (image_info=0xbfffee30, section_index=7, name=0xbfffe818 "DateTimeOriginal", tag=36867, format=2, length=234881127, value=0xf25afe24) at exif.c:1803
#3  0x00090b56 in exif_process_IFD_TAG (ImageInfo=0xbfffee30, dir_entry=0x5af6a8 "\003?\002", offset_base=0x5af568 "II*", IFDlength=5510, displacement=12, section_index=7, ReadNextIFD=1, tag_table=0x4291a0) at exif.c:3110
#4  0x00090d20 in exif_process_IFD_in_JPEG (ImageInfo=0xbfffee30, dir_start=0x5af66a "#", offset_base=0x5af568 "II*", IFDlength=5510, displacement=12, section_index=7) at exif.c:3138
#5  0x00090ae3 in exif_process_IFD_TAG (ImageInfo=0xbfffee30, dir_entry=0x5af5ea "I?\004", offset_base=0x5af568 "II*", IFDlength=5510, displacement=12, section_index=3, ReadNextIFD=1, tag_table=0x4291a0) at exif.c:3101
#6  0x00090d20 in exif_process_IFD_in_JPEG (ImageInfo=0xbfffee30, dir_start=0x5af570 "\f", offset_base=0x5af568 "II*", IFDlength=5510, displacement=12, section_index=3) at exif.c:3138
#7  0x00091032 in exif_process_TIFF_in_JPEG (ImageInfo=0xbfffee30, CharBuf=0x5af568 "II*", length=5510, displacement=12) at exif.c:3215
#8  0x0009114a in exif_process_APP1 (ImageInfo=0xbfffee30, CharBuf=0x5af560 "\025?Exif", length=5518, displacement=4) at exif.c:3240
#9  0x00091792 in exif_scan_JPEG_header (ImageInfo=0xbfffee30) at exif.c:3385
#10 0x000927e4 in exif_scan_FILE_header (ImageInfo=0xbfffee30) at exif.c:3763
#11 0x000931c8 in exif_read_file (ImageInfo=0xbfffee30, FileName=0x5aa3c4 "./sample.jpg", read_thumbnail=0, read_all=0) at exif.c:3902
#12 0x00093412 in zif_exif_read_data (ht=1, return_value=0x5ab254, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at exif.c:3955
#13 0x00265c88 in zend_do_fcall_common_helper_SPEC (execute_data=0x592028) at zend_vm_execute.h:642
#14 0x0026d26b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x592028) at zend_vm_execute.h:2215
#15 0x00264529 in execute (op_array=0x5ac7a4) at zend_vm_execute.h:410
#16 0x00225f27 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:1271
#17 0x00199f29 in php_execute_script (primary_file=0xbffffa60) at main.c:2391
#18 0x00000025c in do_cli (argc=3, argv=0xbffffc04) at php_cli.c:983
#19 0x00387837 in main (argc=3, argv=0xbffffc04) at php_cli.c:1356

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

http://www.php.net
