Sec Bug #54681 addGlob() crashes on invalid flags
Submitted: 2011-05-07 00:58 UTC Modified: 2011-08-22 11:44 UTC
From: cxib at securityreason dot com Assigned: pajoye
Status: Closed Package: *General Issues
PHP Version: 5.3.6 OS: NetBSD
Private report: No CVE-ID:
 [2011-05-07 00:58 UTC] cxib at securityreason dot com
Description:
------------
First, the functions addGlob and addPattern are not described in the manual:
http://pl2.php.net/manual/en/class.ziparchive.php

ext/zip/php_zip.c (parameter parsing in the addGlob/addPattern implementation):

    /* 1 == glob, 2==pcre */
    if (type == 1) {
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|la",
                &pattern, &pattern_len, &flags, &options) == FAILURE) {
            return;
        }
    } else {
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sa",
                &pattern, &pattern_len, &path, &path_len, &options) == FAILURE) {
            return;
        }
    }

There is no validation of the GLOB flags like there is in php/glob(). So limit the flags to
GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_BRACE|GLOB_ONLYDIR|GLOB_ERR

as in
http://pl2.php.net/manual/en/function.glob.php

    * GLOB_MARK - Adds a slash to each directory returned
    * GLOB_NOSORT - Return files as they appear in the directory (no sorting)
    * GLOB_NOCHECK - Return the search pattern if no files matching it were found
    * GLOB_NOESCAPE - Backslashes do not quote metacharacters
    * GLOB_BRACE - Expands {a,b,c} to match 'a', 'b', or 'c'
    * GLOB_ONLYDIR - Return only directory entries which match the pattern
    * GLOB_ERR - Stop on read errors (like unreadable directories), by default errors are ignored.



Test script:
---------------
The crash comes when we run the libc glob(3) function with an incorrect flag.
Tested also on Linux/Ubuntu and NetBSD.

cx@cx64:~$ php -v
PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
cx@cx64:~$ uname -a
Linux cx64 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64 GNU/Linux
cx@cx64:/www$ cat zip.php
<?php

unlink("empty.zip");

fopen("empty.zip","a");

$nx = new ZipArchive();
$nx->open("empty.zip");
$nx->addGlob(str_repeat("*", 333333), 0x39);
?>
cx@cx64:/www$ php zip.php
Segmentation fault

Actual result:
--------------
Segmentation fault
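The check the report asks for (and which the follow-up from felipe says was ported from glob() into addGlob()) is written out below as a standalone C example added here; it is not PHP's code, and the function names zip_glob_flags_valid, zip_glob_pattern_valid and zip_safe_glob are hypothetical. The flag whitelist is the one listed in the report. The pattern-length guard is an added assumption modelled on the MAXPATHLEN check PHP's own glob() performs, with PATH_MAX standing in for MAXPATHLEN. The constructed input mirrors the report's test script: an oversized "*" pattern and the flag value 0x39, both of which are refused before glob(3) ever runs.

```c
#define _GNU_SOURCE            /* glibc exposes GLOB_BRACE / GLOB_ONLYDIR only with this */
#include <glob.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096          /* fallback if the platform does not define it */
#endif

/* GLOB_BRACE and GLOB_ONLYDIR are BSD/GNU extensions, so they are only
 * whitelisted where the platform's <glob.h> actually defines them. */
#ifdef GLOB_BRACE
#define ZIP_GLOB_BRACE GLOB_BRACE
#else
#define ZIP_GLOB_BRACE 0
#endif
#ifdef GLOB_ONLYDIR
#define ZIP_GLOB_ONLYDIR GLOB_ONLYDIR
#else
#define ZIP_GLOB_ONLYDIR 0
#endif

/* The flag whitelist from the report: exactly what PHP's glob() documents.
 * Everything else (GLOB_APPEND, GLOB_DOOFFS, GLOB_ALTDIRFUNC, ...) expects
 * caller-managed state that a PHP script cannot supply, so it is refused. */
#define ZIP_GLOB_ALLOWED_FLAGS \
    (GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE | GLOB_ERR | \
     ZIP_GLOB_BRACE | ZIP_GLOB_ONLYDIR)

/* 1 if every bit set in flags is on the whitelist, 0 otherwise. */
int zip_glob_flags_valid(long flags)
{
    return (flags & ~(long)ZIP_GLOB_ALLOWED_FLAGS) == 0;
}

/* 1 if the pattern fits in a path buffer. Hypothetical guard modelled on the
 * length check in PHP's glob(); PATH_MAX stands in for MAXPATHLEN. */
int zip_glob_pattern_valid(const char *pattern)
{
    return pattern != NULL && strlen(pattern) < PATH_MAX;
}

/* Guarded front end for glob(3) (hypothetical name, not PHP's addGlob).
 * Returns the number of matches (0 for no match), -1 when the input was
 * refused before glob() ran, or -2 when glob() itself reported an error.
 * On a return greater than 0 the caller must globfree(out). */
int zip_safe_glob(const char *pattern, long flags, glob_t *out)
{
    int rc;

    if (!zip_glob_flags_valid(flags)) {
        fprintf(stderr, "addGlob: invalid or unsupported flags 0x%lx\n", (unsigned long)flags);
        return -1;
    }
    if (!zip_glob_pattern_valid(pattern)) {
        fprintf(stderr, "addGlob: pattern must be shorter than %d characters\n", PATH_MAX);
        return -1;
    }

    memset(out, 0, sizeof *out);   /* GLOB_APPEND/GLOB_DOOFFS are excluded, so start from a clean glob_t */
    rc = glob(pattern, (int)flags, NULL, out);
    if (rc == GLOB_NOMATCH)
        return 0;
    if (rc != 0) {                 /* GLOB_ABORTED (with GLOB_ERR) or GLOB_NOSPACE */
        globfree(out);
        return -2;
    }
    return (int)out->gl_pathc;
}

int main(void)
{
    glob_t g;
    int n, i;
    /* Constructed input mirroring the report: an oversized "*" pattern and flags 0x39. */
    char *huge = malloc(PATH_MAX + 2);
    memset(huge, '*', PATH_MAX + 1);
    huge[PATH_MAX + 1] = '\0';

    printf("flags 0x39 accepted? %d\n", zip_glob_flags_valid(0x39));
    printf("oversized pattern, flags 0x39 -> %d\n", zip_safe_glob(huge, 0x39, &g));
    printf("oversized pattern, flags 0    -> %d\n", zip_safe_glob(huge, 0, &g));

    n = zip_safe_glob("*", GLOB_MARK | GLOB_NOSORT, &g);
    printf("\"*\" in the current directory -> %d entries\n", n);
    for (i = 0; i < n; i++)
        printf("  %s\n", g.gl_pathv[i]);
    if (n > 0)
        globfree(&g);
    free(huge);
    return 0;
}
```

Build with `cc -o safeglob safeglob.c` and run it from any directory. The two guards run before glob(3) is called, so bits such as GLOB_APPEND or GLOB_DOOFFS, which only make sense with a caller-prepared glob_t, never reach libc, and a pattern the size of the report's str_repeat() output is rejected instead of being handed to the platform's matcher.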

History
 [2011-05-07 01:00 UTC] felipe@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2011-05-07 01:27 UTC] cxib at securityreason dot com
use CVE-2011-1657
 [2011-05-07 02:26 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2011-05-07 02:26 UTC] pajoye@php.net
-CVE-ID: +CVE-ID: 2011-1657
 [2011-05-07 03:58 UTC] felipe@php.net
-Summary: addGlob addPattern buffer overflow +Summary: addGlob() crashes on invalid flags
 [2011-05-07 03:58 UTC] felipe@php.net
Hi, this is not a buffer overflow issue, but an error in glob() due to the invalid (or unsupported) flags.

Anyway, the checks from glob() were added in the addGlob() method.


Thanks.
 [2011-05-07 03:58 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=310814
Log: - Fixed bug #54681 (addGlob() crashes on invalid flags)
 [2011-05-07 03:58 UTC] felipe@php.net
-Status: Assigned +Status: Closed
 [2011-05-07 03:58 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-05-07 03:59 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=310815
Log: - BFN #54681
 [2011-05-07 21:16 UTC] cxib at securityreason dot com
I agree with you that the issue is due to the invalid (or unsupported) flags. Consequently, it can lead to many other symptoms. With the glob(3) function in Linux, we can get stack exhaustion, as was discovered in fnmatch/php.

http://svn.php.net/viewvc?view=revision&revision=298881

However, in my opinion, GNU was responsible for this bug, not PHP.

There is a big difference between glob(3) in Linux and in BSD. However, an uncontrolled 'flags' parameter to the glob function will in both cases generate a different susceptibility.

Thanks for the fix.
 [2011-08-20 14:52 UTC] max at cxib dot net
poc

http://pastebin.com/RTmWQaDY
 [2011-08-21 11:54 UTC] pajoye@php.net
@max at cxib dot net

Still happening with the fix?
 [2011-08-22 11:44 UTC] cxib at securityreason dot com
No. I just reported the PoC to confirm the security problem under BSD.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 21:01:55 2014 UTC