Sec Bug #69453 Memory Corruption in phar_parse_tarfile when entry filename starts with null
Submitted: 2015-04-14 22:15 UTC Modified: 2015-05-19 05:33 UTC
From: emmanuel dot law at gmail dot com Assigned: laruence
Status: Closed Package: PHAR related
PHP Version: 5.6.8 OS: *
Private report: No CVE-ID: 2015-4021
 [2015-04-14 22:15 UTC] emmanuel dot law at gmail dot com
Description:
------------
This is a single-byte memory corruption vulnerability. It is triggered when a tar entry->filename starts with a null byte.

At tar.c:430 entry.filename_len will be set to zero.
if (hdr->name[i] == '\0') {
break;
}
entry.filename_len = i;



This will result in an underflow in the array index at tar.c:437:
if (entry.filename[entry.filename_len - 1] == '/') {
entry.filename[entry.filename_len - 1] = '\0';
entry.filename_len--;
}

Since entry.filename is pointing to a heap chunk (zend_mm_block), on an x86 machine it has the potential to corrupt the heap chunk metadata.

On an x64 machine, it has the potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF.

Test script:
---------------
POC here:
https://www.dropbox.com/s/dg8uit7533e8q8l/POC_1byte_corruption.zip?dl=0

$ ./php POC_FileName_Nullbyte_crash.php

Segmentation fault

Actual result:
--------------


gdb-peda$ frame
#0  phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56,
    alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437
437                             if (entry.filename[entry.filename_len - 1] == '/') {
gdb-peda$ p entry.filename_len
$2 = 0x0
gdb-peda$ p entry.filename_len -1
$3 = 0xffffffff   <<< integer underflow


gdb-peda$ bt
#0  phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56,
    alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437
#1  0x00000000006339d2 in phar_open_from_fp (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar",
    fname_len=0x56, alias=0x0, alias_len=0x0, options=0x8, pphar=0x7fffffffa760, is_data=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1709
#2  0x00000000006326f4 in phar_create_or_parse_filename (fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar",
    fname_len=0x56, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa760, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1346
#3  0x0000000000612018 in phar_open_or_create_tar (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8,
    pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:130
#4  0x00000000006325d3 in phar_open_or_create_filename (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0,
    options=0x8, pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1312
#5  0x000000000063e438 in zim_Phar___construct (ht=0x2, return_value=0x7ffff7fbc350, return_value_ptr=0x7ffff7f854d0, this_ptr=0x7ffff7fbc440, return_value_used=0x0)
    at /home/elaw/php-5.6.8RC1/ext/phar/phar_object.c:1189

History
 [2015-04-29 11:00 UTC] emmanuel dot law at gmail dot com
-PHP Version: 5.6.8RC1 +PHP Version: 5.6.8
 [2015-04-29 11:00 UTC] emmanuel dot law at gmail dot com
Hi,
any update/verification on this? The latest version of PHP is still affected.
 [2015-05-12 19:40 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74
Log: Fix bug #69453 - don't try to cut empty string
 [2015-05-12 19:40 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-05-12 22:58 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74
Log: Fix bug #69453 - don't try to cut empty string
 [2015-05-13 10:53 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2c1e49075ba48d93439a9e79eae43d9f8469b832
Log: Fix bug #69453 - don't try to cut empty string
 [2015-05-19 05:33 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence -CVE-ID: +CVE-ID: 2015-4021
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Jul 26 04:01:41 2017 UTC