Sec Bug #69441 Buffer Overflow when parsing tar/zip/phar in phar_set_inode
Submitted: 2015-04-14 05:35 UTC Modified: 2015-04-17 20:55 UTC
From: emmanuel dot law at gmail dot com Assigned: stas
Status: Closed Package: PHAR related
PHP Version: 5.6.8RC1 OS: *
Private report: No CVE-ID: 2015-3329
 [2015-04-14 05:35 UTC] emmanuel dot law at gmail dot com
Description:
------------
There is a buffer overflow vulnerability when parsing tar/zip/phar via the Phar and PharData classes. The vulnerability is in phar_set_inode() at phar_internal.h:535.

A buffer is allocated at phar_internal.h:536:
char tmp[MAXPATHLEN];

On my 64-bit Ubuntu, MAXPATHLEN = 0x1000

The vulnerability is triggered further down at phar_internal.h:540:
	tmp_len = entry->filename_len + entry->phar->fname_len;
	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);


There is no validation that tmp_len is smaller than MAXPATHLEN. Both entry->filename_len and entry->phar->fname_len are obtained directly from the file and are thus controllable by an attacker. This results in a buffer overflow in the subsequent memcpy.


There are multiple pathways to trigger this vulnerable point:
- Parsing a Tar file
- Parsing a Phar file
- Parsing a Zip file


Test script:
---------------
I've created both a tar and a zip archive that trigger this vulnerability:
https://www.dropbox.com/s/al8x6v7cv6yr72g/POC_BOF_Php_phar_set_inode.zip?dl=0

Test Environment:
- x64 Ubuntu
./configure --enable-zip --enable-debug


Actual result:
--------------


Breakpoint 1, phar_set_inode (entry=0x7ffffffea030) at /home/elaw/php-5.6.8RC1/ext/phar/phar_internal.h:540
540             tmp_len = entry->filename_len + entry->phar->fname_len;

gdb-peda$ p sizeof(tmp)
$1 = 0x1000
gdb-peda$ p tmp_len
$2 = 0x102d

gdb-peda$ bt
#0  phar_set_inode (entry=0x7ffffffea030) at /home/elaw/php-5.6.8RC1/ext/phar/phar_internal.h:541
#1  0x000000000061db85 in phar_parse_zipfile (fp=0x7ffff7fbf610, fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0,
    pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/zip.c:638
#2  0x000000000063394f in phar_open_from_fp (fp=0x7ffff7fbf610, fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0,
    options=0x8, pphar=0x7fffffffa8a8, is_data=0x0, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1703
#3  0x00000000006326f4 in phar_create_or_parse_filename (fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0,
    is_data=0x0, options=0x8, pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1346
#4  0x0000000000632602 in phar_open_or_create_filename (fname=0x7ffff7fbe4f8 "POC_BOF.phar", fname_len=0xc, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8,
    pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1315
#5  0x000000000063e438 in zim_Phar___construct (ht=0x2, return_value=0x7ffff7fbf878, return_value_ptr=0x7ffff7f854b8, this_ptr=0x7ffff7fbec00, return_value_used=0x0)
    at /home/elaw/php-5.6.8RC1/ext/phar/phar_object.c:1189
#6  0x000000000084ef6a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:558
#7  0x000000000084f741 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:693
#8  0x000000000084e5d3 in execute_ex (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:363
#9  0x000000000084e65c in zend_execute (op_array=0x7ffff7fbd0e0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:388
#10 0x000000000080ae07 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/elaw/php-5.6.8RC1/Zend/zend.c:1341
#11 0x00000000007763a9 in php_execute_script (primary_file=0x7fffffffdfc0) at /home/elaw/php-5.6.8RC1/main/main.c:2597
#12 0x00000000008bcaee in do_cli (argc=0x2, argv=0xf97f00) at /home/elaw/php-5.6.8RC1/sapi/cli/php_cli.c:994
#13 0x00000000008bdbfb in main (argc=0x2, argv=0xf97f00) at /home/elaw/php-5.6.8RC1/sapi/cli/php_cli.c:1378
#14 0x00007ffff624eb45 in __libc_start_main (main=0x8bd55b <main>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe338) at libc-start.c:287
#15 0x0000000000421719 in _start ()


Stopped reason: SIGSEGV
0x00000000deadbeef in ?? ()
gdb-peda$ p $rip
$1 = (void (*)()) 0xdeadbeef

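The report boils down to a missing length check before two memcpy calls into a fixed stack buffer. The following is an added example, not php-src code or the committed fix: a bounds-checked version of the concatenation that rejects an entry whose archive path plus entry name exceeds the buffer, with stand-in structs (assumed layout) and the MAXPATHLEN value the report observed. It also guards the addition itself, since both lengths are attacker-controlled.

```c
#include <string.h>
#include <stdint.h>

#define MAXPATHLEN 4096  /* value the report observed on 64-bit Ubuntu */

/* Stand-ins for the phar structs: assumed layout, only the fields used here. */
typedef struct { char *fname; size_t fname_len; } phar_archive_t;
typedef struct { char *filename; size_t filename_len; phar_archive_t *phar; } phar_entry_t;

/* Bounds-checked concatenation of archive path + entry name into out[out_size].
 * Returns 0 on success, -1 when the result would not fit; writes nothing then. */
int phar_set_inode_checked(const phar_entry_t *entry, char *out, size_t out_size)
{
    size_t fname_len    = entry->phar->fname_len;
    size_t filename_len = entry->filename_len;

    /* Both lengths are read from the archive, so guard the addition itself too. */
    if (filename_len > SIZE_MAX - fname_len) {
        return -1;
    }
    /* The length check the report says is missing at phar_internal.h:540. */
    if (fname_len + filename_len > out_size) {
        return -1;
    }
    memcpy(out, entry->phar->fname, fname_len);
    memcpy(out + fname_len, entry->filename, filename_len);
    return 0;
}

/* Builds a constructed entry with the given lengths and runs the checked copy
 * into a MAXPATHLEN stack buffer, mirroring char tmp[MAXPATHLEN] in the report.
 * Returns the copy's result code, or -2 if the constructed inputs are too big. */
int try_lengths(size_t fname_len, size_t filename_len)
{
    static char fname_buf[2 * MAXPATHLEN], file_buf[2 * MAXPATHLEN];
    char tmp[MAXPATHLEN];
    phar_archive_t ar;
    phar_entry_t e;

    if (fname_len > sizeof fname_buf || filename_len > sizeof file_buf) {
        return -2;
    }
    memset(fname_buf, 'A', fname_len);
    memset(file_buf, 'B', filename_len);
    ar.fname = fname_buf;  ar.fname_len = fname_len;
    e.filename = file_buf; e.filename_len = filename_len; e.phar = &ar;
    return phar_set_inode_checked(&e, tmp, sizeof tmp);
}
```

With the lengths from the gdb session (fname_len 0x2d, filename_len 0x1000, total 0x102d) the checked version refuses the entry instead of writing past tmp.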
 [2015-04-14 07:21 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2015-04-14 07:29 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
Log: Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)
 [2015-04-14 07:29 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2015-04-14 08:31 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
Log: Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)
 [2015-04-15 08:43 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=945b9ffee666e147231a1f37da69eb8d05e3193c
Log: Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)
 [2015-04-17 20:55 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2015-3329