|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2015-04-29 11:00 UTC] emmanuel dot law at gmail dot com
-PHP Version: 5.6.8RC1
+PHP Version: 5.6.8
[2015-04-29 11:00 UTC] emmanuel dot law at gmail dot com
[2015-05-12 19:40 UTC] stas@php.net
[2015-05-12 19:40 UTC] stas@php.net
-Status: Open
+Status: Closed
[2015-05-12 22:58 UTC] stas@php.net
[2015-05-13 10:53 UTC] jpauli@php.net
[2015-05-19 05:33 UTC] laruence@php.net
-Assigned To:
+Assigned To: laruence
-CVE-ID:
+CVE-ID: 2015-4021
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 13:01:29 2024 UTC |
Description: ------------ This is a single byte memory corruption vulnerability. It is triggered when a tar entry->filename starts with a null byte. At tar.c:430 entry.filename_len will be set to zero. if (hdr->name[i] == '\0') { break; } entry.filename_len = i; This will result in an underflow in the array index at tar.437 : if (entry.filename[entry.filename_len - 1] == '/') { entry.filename[entry.filename_len - 1] = '\0'; entry.filename_len--; } Since entry.filename is pointing to a heap chunk (zend_mm_block), on a x86 machine, it has the potential to corrupt the heap chunk metadata. on x64 machine, it has the potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF Test script: --------------- POC here: https://www.dropbox.com/s/dg8uit7533e8q8l/POC_1byte_corruption.zip?dl=0 $ ./php POC_FileName_Nullbyte_crash.php Segmentation fault Actual result: -------------- gdb-peda$ frame #0 phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56, alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437 437 if (entry.filename[entry.filename_len - 1] == '/') { gdb-peda$ p entry.filename_len $2 = 0x0 gdb-peda$ p entry.filename_len -1 $3 = 0xffffffff <<< integer underflow gdb-peda$ bt #0 phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56, alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437 #1 0x00000000006339d2 in phar_open_from_fp (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56, alias=0x0, alias_len=0x0, options=0x8, pphar=0x7fffffffa760, is_data=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1709 #2 0x00000000006326f4 in phar_create_or_parse_filename (fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa760, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1346 #3 0x0000000000612018 in phar_open_or_create_tar (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:130 #4 0x00000000006325d3 in phar_open_or_create_filename (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1312 #5 0x000000000063e438 in zim_Phar___construct (ht=0x2, return_value=0x7ffff7fbc350, return_value_ptr=0x7ffff7f854d0, this_ptr=0x7ffff7fbc440, return_value_used=0x0) at /home/elaw/php-5.6.8RC1/ext/phar/phar_object.c:1189