Sec Bug #77429 heap buffer overflow in format_converter
Submitted: 2019-01-08 02:54 UTC Modified: 2019-02-10 12:06 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned: cmb (profile)
Status: Duplicate Package: XMLRPC-EPI related
PHP Version: 7.1.25 OS:
Private report: No CVE-ID: None
 [2019-01-08 02:54 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
I used afl to find the xmlrpc_decode vulnerability.

POC link
https://drive.google.com/file/d/1UVTLABYBVNt5BU5GLu2G_TLXEjufyasV/view?usp=sharing




Test script:
---------------
 USE_ZEND_ALLOC=0 ./php-7.1.25/sapi/cli/php -r '$a=xmlrpc_decode(base64_decode(file_get_contents("./out/crashes/id:000000,sig:06,src:000074+000072,op:splice,rep:32")));'

Actual result:
--------------
=================================================================
==48090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000cd90 at pc 0x7fb477bb320b bp 0x7fff5119c9e0 sp 0x7fff5119c188
READ of size 38 at 0x60d00000cd90 thread T0
    #0 0x7fb477bb320a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0x1901b21 in format_converter /home/hackyzh/Desktop/php-7.1.25/main/snprintf.c:997
    #2 0x18fd426 in strx_printv /home/hackyzh/Desktop/php-7.1.25/main/snprintf.c:1252
    #3 0x18fd426 in ap_php_snprintf /home/hackyzh/Desktop/php-7.1.25/main/snprintf.c:1297
    #4 0x18bbf5f in xml_elem_parse_buf /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/libxmlrpc/xml_element.c:727
    #5 0x18d02ea in XMLRPC_REQUEST_FromXML /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/libxmlrpc/xmlrpc.c:810
    #6 0x189aa92 in decode_request_worker /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/xmlrpc-epi-php.c:755
    #7 0x189aa92 in zif_xmlrpc_decode /home/hackyzh/Desktop/php-7.1.25/ext/xmlrpc/xmlrpc-epi-php.c:810
    #8 0x1e9fd4f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:675
    #9 0x213b136 in execute_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:429
    #10 0x220c5e4 in zend_execute /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:474
    #11 0x1b23450 in zend_eval_stringl /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1120
    #12 0x1b239a0 in zend_eval_stringl_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1161
    #13 0x22194b8 in do_cli /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1024
    #14 0x467bc0 in main /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1381
    #15 0x7fb476cb682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x4681f8 in _start (/home/hackyzh/Desktop/php-7.1.25/sapi/cli/php+0x4681f8)

0x60d00000cd90 is located 0 bytes to the right of 144-byte region [0x60d00000cd00,0x60d00000cd90)
allocated by thread T0 here:
    #0 0x7fb477bdb602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x1a40460 in __zend_malloc /home/hackyzh/Desktop/php-7.1.25/Zend/zend_alloc.c:2838

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c1a7fff9960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff99b0: 00 00[fa]fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1a7fff99c0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1a7fff99d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff99e0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a7fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1a7fff9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==48090==ABORTING
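The ASan trace above bottoms out in strlen() called from format_converter, PHP's printf engine, via an snprintf in xml_elem_parse_buf: a "%s" conversion measures its argument with strlen(), so a heap buffer that carries a length but no terminating NUL is read past its end (the report shows a 38-byte READ starting exactly at the end of a 144-byte region). The following C program is an added illustration of that bug class, not code from PHP or libxmlrpc: it builds a constructed unterminated heap buffer, shows the "%s" call that triggers the over-read, and the "%.*s" form that bounds the read to the known length. The helper names (make_unterminated, format_unsafe, format_bounded, demo_bounded) and the "error parsing xml:" message text are assumptions for the example.

```c
/*
 * Added illustration of the bug class behind an ASan report of
 * "heap-buffer-overflow ... __interceptor_strlen ... format_converter".
 * Not PHP's code. Helper names and the message text are assumptions.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: a heap region holding exactly `len` bytes and no
 * terminating NUL, like a raw parse buffer that travels with a length. */
static char *make_unterminated(const char *src, size_t len)
{
    char *p = malloc(len);          /* no +1: no room is reserved for '\0' */
    if (p == NULL) return NULL;
    memcpy(p, src, len);
    return p;
}

/* UNSAFE: "%s" makes the formatter call strlen(buf), which walks past the
 * end of the allocation when buf is not NUL-terminated. Under ASan this is
 * the heap-buffer-overflow READ in strlen. Kept for illustration only;
 * deliberately not exercised by demo_bounded(). */
static int format_unsafe(char *out, size_t outsz, const char *buf)
{
    return snprintf(out, outsz, "error parsing xml: %s", buf);
}

/* SAFE: "%.*s" caps the read at `len` bytes, so no strlen() is performed
 * and the formatter never touches memory the caller does not own. */
static int format_bounded(char *out, size_t outsz, const char *buf, size_t len)
{
    if (len > INT_MAX) len = INT_MAX;   /* printf precision is an int */
    return snprintf(out, outsz, "error parsing xml: %.*s", (int)len, buf);
}

/* Formats a constructed unterminated buffer with the bounded form and
 * returns the length snprintf reports (37 for the payload below). */
int demo_bounded(char *out, size_t outsz)
{
    static const char payload[] = "<methodCall><bogus";   /* constructed */
    size_t len = sizeof(payload) - 1;                     /* 18 bytes */
    char *buf = make_unterminated(payload, len);
    if (buf == NULL) return -1;
    int n = format_bounded(out, outsz, buf, len);
    free(buf);
    (void)format_unsafe;   /* referenced so the unsafe variant is not flagged unused */
    return n;
}

int main(void)
{
    char out[128];
    int n = demo_bounded(out, sizeof out);
    printf("%d: %s\n", n, out);
    return 0;
}
```

Compile with -fsanitize=address and swap the format_bounded call in demo_bounded for format_unsafe to reproduce the same "READ ... __interceptor_strlen" shape as the report; the bounded variant runs clean because the formatter is told how many bytes it may read instead of searching for a NUL that was never written.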


 [2019-01-09 11:58 UTC] cmb@php.net
I can't detect any issues with valgrind running PHP 7.1.25.
Anyhow, this might be a duplicate of bug 77242, which is already
fixed in the PHP-7.1 branch, and in PHP 7.1.26.  So could you
please check with any of these?

[1] <https://bugs.php.net/bug.php?id=77242>
 [2019-01-09 12:06 UTC] cmb@php.net
-Package: *XML functions +Package: XMLRPC-EPI related
 [2019-01-09 12:45 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Yes, maybe it's a duplicate of bug 77242. After patching, I will test it again.
 [2019-02-10 02:00 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2019-02-10 07:35 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Open
 [2019-02-10 07:35 UTC] zhihua dot yao at dbappsecurity dot com dot cn
It has been fixed.
 [2019-02-10 12:06 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-02-10 12:06 UTC] cmb@php.net
Thanks for the confirmation!  Closing as duplicate of bug #77242.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC