Sec Bug #77247 heap buffer overflow in phar_detect_phar_fname_ext
Submitted: 2018-12-06 08:11 UTC Modified: 2019-02-22 22:07 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 5.6.39 OS:
Private report: No CVE-ID: 2019-9021
 [2018-12-06 08:11 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
I used afl to find another problem, but it is not the same as the #77143 issue.


$ uname -a
Linux hackyzh-virtual-machine 4.4.0-139-generic #165-Ubuntu SMP Wed Oct 24 10:58:50 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
hackyzh@hackyzh-virtual-machine:~/Desktop$ ./php-src-PHP-7.2.13/sapi/cli/php -v
PHP 7.2.13-dev (cli) (built: Dec  6 2018 11:32:57) ( NTS DEBUG )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies


Test script:
---------------
USE_ZEND_ALLOC=0 ./php-src-PHP-7.2.13/sapi/cli/php -r "var_dump(new Phar(file_get_contents('poc.phar'),0,'test.phar'));"

Actual result:
--------------
$ USE_ZEND_ALLOC=0 ./php-src-PHP-7.2.13/sapi/cli/php -r "var_dump(new Phar(file_get_contents('poc.phar'),0,'test.phar'));"
=================================================================
==44888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600001bf60 at pc 0x7f17ca1cf935 bp 0x7ffc7b01ac20 sp 0x7ffc7b01a3c8
READ of size 26 at 0x60600001bf60 thread T0
    #0 0x7f17ca1cf934  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x3e934)
    #1 0xf81430 in phar_detect_phar_fname_ext /home/hackyzh/Desktop/php-src-PHP-7.2.13/ext/phar/phar.c:2011
    #2 0xf8479c in phar_split_fname /home/hackyzh/Desktop/php-src-PHP-7.2.13/ext/phar/phar.c:2218
    #3 0xfc279e in zim_Phar___construct /home/hackyzh/Desktop/php-src-PHP-7.2.13/ext/phar/phar_object.c:1178
    #4 0x223908e in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/hackyzh/Desktop/php-src-PHP-7.2.13/Zend/zend_vm_execute.h:907
    #5 0x223c022 in execute_ex /home/hackyzh/Desktop/php-src-PHP-7.2.13/Zend/zend_vm_execute.h:59765
    #6 0x2280678 in zend_execute /home/hackyzh/Desktop/php-src-PHP-7.2.13/Zend/zend_vm_execute.h:63776
    #7 0x1c4dc40 in zend_eval_stringl /home/hackyzh/Desktop/php-src-PHP-7.2.13/Zend/zend_execute_API.c:1083
    #8 0x1c4e1c0 in zend_eval_stringl_ex /home/hackyzh/Desktop/php-src-PHP-7.2.13/Zend/zend_execute_API.c:1124
    #9 0x228d5bf in do_cli /home/hackyzh/Desktop/php-src-PHP-7.2.13/sapi/cli/php_cli.c:1042
    #10 0x472cc9 in main /home/hackyzh/Desktop/php-src-PHP-7.2.13/sapi/cli/php_cli.c:1403
    #11 0x7f17c810c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x473308 in _start (/home/hackyzh/Desktop/php-src-PHP-7.2.13/sapi/cli/php+0x473308)

0x60600001bf60 is located 0 bytes to the right of 64-byte region [0x60600001bf20,0x60600001bf60)
allocated by thread T0 here:
    #0 0x7f17ca229961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x1b688c0 in __zend_realloc /home/hackyzh/Desktop/php-src-PHP-7.2.13/Zend/zend_alloc.c:2845

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c0c7fffb790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffb7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffb7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffb7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffb7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fffb7e0: fa fa fa fa 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c0c7fffb7f0: 00 00 00 00 00 00 00 06 fa fa fa fa 00 00 00 00
  0x0c0c7fffb800: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fffb810: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fffb820: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fffb830: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==44888==ABORTING


Patches

77247 (last revision 2018-12-26 00:59 UTC by cmb@php.net)

History
 [2018-12-06 08:13 UTC] zhihua dot yao at dbappsecurity dot com dot cn
poc link:
https://github.com/whiteHat001/FUZZ_POC/blob/master/poc.phar
 [2018-12-06 08:20 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Or curl http://144.202.86.156/poc.phar -o poc.phar
 [2018-12-07 11:05 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Hi,
Any response?
 [2018-12-11 11:40 UTC] zhihua dot yao at dbappsecurity dot com dot cn
My VPS is broken. Use this URL: http://149.28.200.107/poc.tar.gz
 [2018-12-16 01:00 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2018-12-16 01:00 UTC] stas@php.net
From what I understand, the problem is when supplying invalid filename to Phar extension. However, I could not reproduce any issue there: all I get is:

PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'Cannot create phar 'DDDDDDDDDDDDD/.DDDDDDDDDDDdDDDDD_DDDDDD', file extension (or combination) not recognised or the directory does not exist' in Command line code:1
Stack trace:
#0 Command line code(1): Phar->__construct('DDDDDDDDDDDDD/....', 0, 'test.phar')
#1 {main}
  thrown in Command line code on line 1

Am I using a wrong file?
 [2018-12-16 07:44 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Open
 [2018-12-16 07:44 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Did you use the poc at this address, http://149.28.200.107/poc.tar.gz
The link https://github.com/whiteHat001/FUZZ_POC/blob/master/poc.phar is broken.
 [2018-12-16 07:47 UTC] zhihua dot yao at dbappsecurity dot com dot cn
stas, you can use id/000000,sig/06,src/000117,op/havoc,rep/4 or other files.
 [2018-12-24 11:40 UTC] zhihua dot yao at dbappsecurity dot com dot cn
So can you reproduce this security issue?
 [2018-12-25 07:02 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2018-12-25 07:02 UTC] stas@php.net
No, I could not reproduce any issue, I just get an error message as described above.
 [2018-12-25 07:30 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Open
 [2018-12-25 07:30 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Which php version are you using, or are you using USE_ZEND_ALLOC=0?
 [2018-12-25 08:09 UTC] zhihua dot yao at dbappsecurity dot com dot cn
I think I found the reason: you did not use the USE_ZEND_ALLOC=0 option.
 [2018-12-26 00:59 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: 77247
Revision:   1545785942
URL:        https://bugs.php.net/patch-display.php?bug=77247&patch=77247&revision=1545785942
 [2018-12-26 00:59 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-12-26 00:59 UTC] cmb@php.net
I can confirm OOB reads, even with a much simpler reproducer:

    new Phar('a/.b');

It seems there is a sign confusion regarding a memchr()[1] (the
minus should be a plus).  Could you please try with the attached
77247.patch?

[1] <https://github.com/php/php-src/blob/php-7.3.0/ext/phar/phar.c#L2029>
 [2018-12-26 01:02 UTC] cmb@php.net
> (the minus should be a plus)

Oops, of course, the other way round.
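The length confusion cmb points at in the memchr() loop (and that stas later confirms as a "memchr argument too large"), as an added example that is not part of this bug report or of PHP's own source: a small C reconstruction of the extension scan, with the remaining-length arithmetic written both ways. The function names, the scan loop and the sample filenames are my reconstruction modeled on the loop cmb links; the only thing the thread itself establishes is that the final term of the length expression had the wrong sign, so treat the rest of the loop's shape as an assumption.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bytes left in `filename` after the '.' at `pos`, i.e. the correct length
 * for a memchr() that resumes at pos + 1. For "a/.b" with pos at offset 2
 * this is 4 - 2 - 1 = 1: just the "b".
 */
size_t remaining_after(const char *filename, size_t filename_len, const char *pos)
{
    return filename_len - (size_t)(pos - filename) - 1;
}

/*
 * The same computation with the sign of the last term flipped, which is the
 * confusion cmb describes. For "a/.b" it yields 4 - 2 + 1 = 3, so a memchr()
 * starting at pos + 1 would scan two bytes past the end of the buffer: the
 * heap OOB read ASan reported above. It exists only to show the arithmetic
 * and is never used to drive memchr() here.
 */
size_t remaining_after_buggy(const char *filename, size_t filename_len, const char *pos)
{
    return filename_len - (size_t)(pos - filename) + 1;
}

/*
 * Reconstructed extension scan (assumption: modeled on, not copied from,
 * phar_detect_phar_fname_ext). Find the first '.' in filename that is not
 * immediately preceded by '/' or NUL, i.e. the start of a candidate
 * extension rather than a dotfile name. Returns its offset, or -1 when no
 * such '.' exists, which is the "extension not recognised" path stas hit.
 * filename need not be NUL-terminated; filename_len bounds every read.
 */
long find_ext_dot(const char *filename, size_t filename_len)
{
    if (filename_len < 2) {
        return -1;
    }
    /* A '.' at offset 0 can never start an extension, so scan from offset 1. */
    const char *pos = memchr(filename + 1, '.', filename_len - 1);

    /* pos is always >= filename + 1 here, so pos[-1] is inside the buffer. */
    while (pos != NULL && (pos[-1] == '/' || pos[-1] == '\0')) {
        size_t left = remaining_after(filename, filename_len, pos);
        /* left is 0 when '.' was the last byte; memchr with n == 0 reads nothing. */
        pos = memchr(pos + 1, '.', left);
    }
    return pos != NULL ? (long)(pos - filename) : -1;
}

/* Both lengths for cmb's "a/.b" reproducer: correct (buggy == 0) or flipped. */
size_t repro_len(int buggy)
{
    static const char f[] = "a/.b";     /* constructed input, 4 bytes */
    const char *dot = f + 2;            /* the '.' right after the '/' */
    return buggy ? remaining_after_buggy(f, 4, dot) : remaining_after(f, 4, dot);
}

int main(void)
{
    /* Constructed inputs: the reproducer plus an ordinary and a nested path. */
    const char *inputs[] = { "a/.b", "test.phar", "dir/.hidden/x.phar" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-20s extension dot at offset %ld\n",
               inputs[i], find_ext_dot(inputs[i], strlen(inputs[i])));
    }
    printf("\"a/.b\": correct memchr length %zu, flipped-sign length %zu "
           "(only 1 byte actually follows the '.')\n",
           repro_len(0), repro_len(1));
    return 0;
}
```

Run it under AddressSanitizer and the correct variant stays silent, which is also why the PHP reproducer needed USE_ZEND_ALLOC=0: with Zend's own allocator in front of malloc, an over-long memchr() usually lands inside a still-mapped arena and ASan sees nothing, exactly the symptom stas describes.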
 [2018-12-26 02:02 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Has it been patched? Why do I see that the patch is no different from the original code?
 [2018-12-26 10:14 UTC] zhihua dot yao at dbappsecurity dot com dot cn
It looks like that has been fixed. I can't reproduce it.
 [2018-12-29 02:54 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Could you apply for a CVE for this issue?
 [2018-12-30 02:02 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-12-30 02:29 UTC] stas@php.net
-PHP Version: 7.2.13RC1 +PHP Version: 5.6.39 -Assigned To: +Assigned To: stas
 [2018-12-30 02:29 UTC] stas@php.net
For some reason, on my build AddressSanitizer fails to complain about it (yes, with USE_ZEND_ALLOC=0 too - maybe some optimization effect?), but tracing it manually I see the memchr argument is too large.

Added patch to security repo as fd7a753db928db9c8b65d0fc37df08b40d846a4c
 [2019-01-07 08:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=428d8164ffcf6f75a6cc9d4056e54bfd450dac03
Log: Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
 [2019-01-07 08:10 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2019-01-07 08:19 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=78bd3477745f1ada9578a79f61edb41886bec1cb
Log: Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
 [2019-01-07 13:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d388b95c54ea053ce6f194defe1ff6673195747
Log: Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
 [2019-02-16 14:04 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Can I ask the number of this CVE? I need to use this CVE for some purpose.
 [2019-02-22 22:07 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9021
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC