PHP :: Sec Bug #69441 :: Buffer Over flow when parsing tar/zip/phar in phar_set

Sec Bug #69441	Buffer Over flow when parsing tar/zip/phar in phar_set_inode
Submitted:	2015-04-14 05:35 UTC	Modified:	2015-04-17 20:55 UTC
From:	emmanuel dot law at gmail dot com	Assigned:	stas (profile)
Status:	Closed	Package:	PHAR related
PHP Version:	5.6.8RC1	OS:	*
Private report:	No	CVE-ID:	2015-3329

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	emmanuel dot law at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2015-04-14 05:35 UTC] emmanuel dot law at gmail dot com

Description:
------------
There is a buffer over flow vulnerability when parsing tar/zip/phar via the PHAR & PHARData class. The vulnerability is in phar_set_inode() @  phar_internal.h:535.

A buffer is allocated at @  phar_internal.h:536
char tmp[MAXPATHLEN];

On my 64bits ubuntu, MAXPATHLEN = 0x1000

The vulnerability is triggered further down @  phar_internal.h:540
	tmp_len = entry->filename_len + entry->phar->fname_len;
	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len); 


There is no validation that tmp_len is smaller then MAXPATHLEN.  Both entry->filename_len & entry->phar->fname_len are obtained directly from the file and thus controllable by an attacker. This results in a buffer-over-flow vulnerability in the subsequent memcopy.


There are multiple pathways to trigger this vulnerable point:
-Parsing Tar file
-Pharsing Phar file
-Pharsing Zip file


Test script:
---------------
I've created both a tar and zip archive that triggers this vulnerability:
https://www.dropbox.com/s/al8x6v7cv6yr72g/POC_BOF_Php_phar_set_inode.zip?dl=0

Test Environment:
-x64 ubuntu
./configure --enable-zip --enable-debug


Actual result:
--------------


Breakpoint 1, phar_set_inode (entry=0x7ffffffea030) at /home/elaw/php-5.6.8RC1/ext/phar/phar_internal.h:540
540             tmp_len = entry->filename_len + entry->phar->fname_len;

gdb-peda$ p sizeof(tmp)
$1 = 0x1000
gdb-peda$ p tmp_len
$2 = 0x102d

gdb-peda$ bt
#0  phar_set_inode (entry=0x7ffffffea030) at /home/elaw/php-5.6.8RC1/ext/phar/phar_internal.h:541
#1  0x000000000061db85 in phar_parse_zipfile (fp=0x7ffff7fbf610, fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0,
    pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/zip.c:638
#2  0x000000000063394f in phar_open_from_fp (fp=0x7ffff7fbf610, fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0,
    options=0x8, pphar=0x7fffffffa8a8, is_data=0x0, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1703
#3  0x00000000006326f4 in phar_create_or_parse_filename (fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0,
    is_data=0x0, options=0x8, pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1346
#4  0x0000000000632602 in phar_open_or_create_filename (fname=0x7ffff7fbe4f8 "POC_BOF.phar", fname_len=0xc, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8,
    pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1315
#5  0x000000000063e438 in zim_Phar___construct (ht=0x2, return_value=0x7ffff7fbf878, return_value_ptr=0x7ffff7f854b8, this_ptr=0x7ffff7fbec00, return_value_used=0x0)
    at /home/elaw/php-5.6.8RC1/ext/phar/phar_object.c:1189
#6  0x000000000084ef6a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:558
#7  0x000000000084f741 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:693
#8  0x000000000084e5d3 in execute_ex (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:363
#9  0x000000000084e65c in zend_execute (op_array=0x7ffff7fbd0e0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:388
#10 0x000000000080ae07 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/elaw/php-5.6.8RC1/Zend/zend.c:1341
#11 0x00000000007763a9 in php_execute_script (primary_file=0x7fffffffdfc0) at /home/elaw/php-5.6.8RC1/main/main.c:2597
#12 0x00000000008bcaee in do_cli (argc=0x2, argv=0xf97f00) at /home/elaw/php-5.6.8RC1/sapi/cli/php_cli.c:994
#13 0x00000000008bdbfb in main (argc=0x2, argv=0xf97f00) at /home/elaw/php-5.6.8RC1/sapi/cli/php_cli.c:1378
#14 0x00007ffff624eb45 in __libc_start_main (main=0x8bd55b <main>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe338) at libc-start.c:287
#15 0x0000000000421719 in _start ()


Stopped reason: SIGSEGV
0x00000000deadbeef in ?? ()
gdb-peda$ p $rip
$1 = (void (*)()) 0xdeadbeef

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-04-14 07:21 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2015-04-14 07:29 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
Log: Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)

[2015-04-14 07:29 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2015-04-14 08:31 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
Log: Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)

[2015-04-15 08:43 UTC] jpauli@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=945b9ffee666e147231a1f37da69eb8d05e3193c
Log: Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)

[2015-04-17 20:55 UTC] stas@php.net

-CVE-ID: +CVE-ID: 2015-3329

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 15:01:30 2024 UTC