Sec Bug #77429 heap buffer overflow in format_converter
Submitted: 2019-01-08 02:54 UTC Modified: 2019-02-10 12:06 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned: cmb (profile)
Status: Duplicate Package: XMLRPC-EPI related
PHP Version: 7.1.25 OS:
Private report: No CVE-ID: None
 [2019-01-08 02:54 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
I used afl to find the xmlrpc_decode vulnerability.

POC link
https://drive.google.com/file/d/1UVTLABYBVNt5BU5GLu2G_TLXEjufyasV/view?usp=sharing




Test script:
---------------
 USE_ZEND_ALLOC=0 ./php-7.1.25/sapi/cli/php -r '$a=xmlrpc_decode(base64_decode(file_get_contents("./out/crashes/id:000000,sig:06,src:000074+000072,op:splice,rep:32")));'

Actual result:
--------------
=================================================================
==48090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000cd90 at pc 0x7fb477bb320b bp 0x7fff5119c9e0 sp 0x7fff5119c188
READ of size 38 at 0x60d00000cd90 thread T0
    #0 0x7fb477bb320a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0x1901b21 in format_converter /home/hackyzh/Desktop/php-7.1.25/main/snprintf.c:997
    #2 0x18fd426 in strx_printv /home/hackyzh/Desktop/php-7.1.25/main/snprintf.c:1252
    #3 0x18fd426 in ap_php_snprintf /home/hackyzh/Desktop/php-7.1.25/main/snprintf.c:1297
    #4 0x18bbf5f in xml_elem_parse_buf /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/libxmlrpc/xml_element.c:727
    #5 0x18d02ea in XMLRPC_REQUEST_FromXML /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/libxmlrpc/xmlrpc.c:810
    #6 0x189aa92 in decode_request_worker /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/xmlrpc-epi-php.c:755
    #7 0x189aa92 in zif_xmlrpc_decode /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/xmlrpc-epi-php.c:810
    #8 0x1e9fd4f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:675
    #9 0x213b136 in execute_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:429
    #10 0x220c5e4 in zend_execute /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:474
    #11 0x1b23450 in zend_eval_stringl /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1120
    #12 0x1b239a0 in zend_eval_stringl_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1161
    #13 0x22194b8 in do_cli /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1024
    #14 0x467bc0 in main /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1381
    #15 0x7fb476cb682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x4681f8 in _start (/home/hackyzh/Desktop/php-7.1.25/sapi/cli/php+0x4681f8)

0x60d00000cd90 is located 0 bytes to the right of 144-byte region [0x60d00000cd00,0x60d00000cd90)
allocated by thread T0 here:
    #0 0x7fb477bdb602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x1a40460 in __zend_malloc /home/hackyzh/Desktop/php-7.1.25/Zend/zend_alloc.c:2838

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
==48090==ABORTING
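The trace above ends in strlen() inside format_converter, which is the path a "%s" conversion takes when snprintf() measures its argument. The C program below is an added illustration, not PHP's or libxmlrpc's code: it models the bug class (a heap slice with no terminating NUL handed to "%s") beside the bounded "%.*s" form and a precondition check a defender can apply before formatting. The helper names, the sample XML, and the offset/length values are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: an XML-RPC string element. A parser typically hands
   out a (pointer, length) slice of this buffer, not a NUL-terminated string. */
static const char CONSTRUCTED_XML[] =
    "<methodResponse><value><string>hello</string></value></methodResponse>";

/* Copy `len` bytes into a fresh heap buffer with NO trailing NUL, imitating
   a parser slice; caller must free(). Hypothetical helper, not libxmlrpc's. */
char *slice_without_nul(const char *src, size_t off, size_t len) {
    char *p = malloc(len);              /* deliberately no room for '\0' */
    if (p == NULL) return NULL;
    memcpy(p, src + off, len);
    return p;
}

/* Defender's precondition: a buffer may be passed to "%s" only if a NUL lies
   inside its allocated length. Returns 1 if safe, 0 otherwise. */
int slice_is_terminated(const char *p, size_t len) {
    return memchr(p, '\0', len) != NULL;
}

/* Vulnerable pattern: "%s" makes the formatter call strlen(), which walks off
   the end of an unterminated slice. This is the kind of READ AddressSanitizer
   flags in format_converter above. Shown for contrast only; never call it on
   a slice that fails slice_is_terminated(). */
int format_unsafe(char *out, size_t outsz, const char *slice) {
    return snprintf(out, outsz, "string element: %s", slice);
}

/* Hardened form: "%.*s" bounds the read to `len` bytes, so no NUL is needed. */
int format_safe(char *out, size_t outsz, const char *slice, size_t len) {
    return snprintf(out, outsz, "string element: %.*s", (int)len, slice);
}

int main(void) {
    char out[64];
    /* "hello" starts at offset 31 of CONSTRUCTED_XML and is 5 bytes long. */
    char *slice = slice_without_nul(CONSTRUCTED_XML, 31, 5);
    if (slice == NULL) return 1;
    printf("terminated: %d\n", slice_is_terminated(slice, 5));   /* 0 */
    format_safe(out, sizeof out, slice, 5);
    printf("%s\n", out);                /* string element: hello */
    free(slice);
    return 0;
}
```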

 [2019-01-09 11:58 UTC] cmb@php.net
I can't detect any issues with valgrind running PHP 7.1.25.
Anyhow, this might be a duplicate of bug 77242, which is already
fixed in the PHP-7.1 branch, and in PHP 7.1.26.  So could you
please check with any of these?

[1] <https://bugs.php.net/bug.php?id=77242>
 [2019-01-09 12:06 UTC] cmb@php.net
-Package: *XML functions +Package: XMLRPC-EPI related
 [2019-01-09 12:45 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Yes, maybe it's a duplicate of bug 77242. After patching, I will test it again.
 [2019-02-10 02:00 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2019-02-10 07:35 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Open
 [2019-02-10 07:35 UTC] zhihua dot yao at dbappsecurity dot com dot cn
It has been fixed.
 [2019-02-10 12:06 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-02-10 12:06 UTC] cmb@php.net
Thanks for the confirmation!  Closing as duplicate of bug #77242.