php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73032 mcrypt_create_iv write out-of-bounds
Submitted: 2016-09-06 15:57 UTC Modified: 2016-12-14 18:03 UTC
From: fernando at null-life dot com Assigned: leigh (profile)
Status: Closed Package: mcrypt related
PHP Version: 7.0.10 OS: Windows
Private report: No CVE-ID: None
 [2016-09-06 15:57 UTC] fernando at null-life dot com
Description:
------------
While generating IVs mcrypt extension fails to verify if the iv was allocated and then tries to write 


https://github.com/php/php-src/blob/master/ext/mcrypt/mcrypt.c#L1373

	iv = ecalloc(size + 1, 1);

	if (source == RANDOM || source == URANDOM) {
#if PHP_WIN32
		/* random/urandom equivalent on Windows */
		BYTE *iv_b = (BYTE *) iv;
		if (php_win32_get_random_bytes(iv_b, (size_t) size) == FAILURE){
			efree(iv);
			php_error_docref(NULL, E_WARNING, "Could not gather sufficient random data");
			RETURN_FALSE;
		}
		n = (int)size;
#else
 ...
#endif
	} else {
		n = (int)size;
		while (size) {
---->			iv[--size] = (char) (255.0 * php_rand() / RAND_MAX);
		}




Test script:
---------------
<?php

error_reporting(E_ALL);
$v1=(0xffffffff / 4);
mcrypt_create_iv($v1,0xFF);

Expected result:
----------------
No crash

Actual result:
--------------
(347c.3ad4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!zif_mcrypt_create_iv+0x9a:
7787f8aa 880c07          mov     byte ptr [edi+eax],cl      ds:002b:3ffffffe=??
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=3ffffffe ebx=3fffffff ecx=000000f8 edx=00000000 esi=7787f810 edi=00000000
eip=7787f8aa esp=06f8e528 ebp=0a6200e0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
php7!zif_mcrypt_create_iv+0x9a:
7787f8aa 880c07          mov     byte ptr [edi+eax],cl      ds:002b:3ffffffe=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\KERNEL32.DLL - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
Exception Faulting Address: 0x3ffffffe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:7787f8aa mov byte ptr [edi+eax],cl

Exception Hash (Major/Minor): 0x3a848ec3.0xd95bfbf6

 Hash Usage : Stack Trace:
Major+Minor : php7!zif_mcrypt_create_iv+0x9a
Major+Minor : php7!execute_ex+0xfb
Major+Minor : php7!zend_execute+0x124
Major+Minor : php7!zend_execute_scripts+0xe7
Major+Minor : php7!php_execute_script+0x372
Minor       : php!do_cli+0x3d3
Minor       : php!main+0x2cb
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Excluded    : ntdll_77600000!RtlInitializeExceptionChain+0x8f
Excluded    : ntdll_77600000!RtlInitializeExceptionChain+0x5a
Instruction Address: 0x000000007787f8aa
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.10\ext\mcrypt\mcrypt.c
Source Line: 1416

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at php7!zif_mcrypt_create_iv+0x000000000000009a (Hash=0x3a848ec3.0xd95bfbf6)

User mode write access violations that are not near NULL are exploitable.
0:000:x86> k
ChildEBP RetAddr  
06f8e534 777fdacb php7!zif_mcrypt_create_iv+0x9a [c:\php-sdk\php70dev\vc14\x86\php-7.0.10\ext\mcrypt\mcrypt.c @ 1416]
06f8e564 77816b64 php7!execute_ex+0xfb [c:\php-sdk\php70dev\vc14\x86\php-7.0.10\zend\zend_vm_execute.h @ 417]
06f8e590 778169c7 php7!zend_execute+0x124 [c:\php-sdk\php70dev\vc14\x86\php-7.0.10\zend\zend_vm_execute.h @ 459]
06f8e5e0 77816862 php7!zend_execute_scripts+0xe7 [c:\php-sdk\php70dev\vc14\x86\php-7.0.10\zend\zend.c @ 1427]
06f8f840 00f71833 php7!php_execute_script+0x372 [c:\php-sdk\php70dev\vc14\x86\php-7.0.10\main\main.c @ 2494]
06f8faf4 00f7135b php!do_cli+0x3d3 [c:\php-sdk\php70dev\vc14\x86\php-7.0.10\sapi\cli\php_cli.c @ 975]
06f8fb88 00f7229b php!main+0x2cb [c:\php-sdk\php70dev\vc14\x86\php-7.0.10\sapi\cli\php_cli.c @ 1344]
06f8fbd0 77177c04 php!__scrt_common_main_seh+0xf9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
WARNING: Stack unwind information not available. Following frames may be wrong.
06f8fbe4 7765ab8f KERNEL32!BaseThreadInitThunk+0x24
06f8fc2c 7765ab5a ntdll_77600000!RtlInitializeExceptionChain+0x8f
06f8fc3c 00000000 ntdll_77600000!RtlInitializeExceptionChain+0x5a


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-06 16:36 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-07 12:20 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2016-09-07 12:20 UTC] cmb@php.net
Did you run the test script with a custom memory manager (i.e. not
with ZendMM)? ZendMM is supposed to bail out, if the memory can't
be allocated (and did so in my tests), so line 1416 won't ever be
reached. Therefore the NULL check for the ecalloc() on line 1373
is deliberately omitted, see bug #72828.
 [2016-09-07 13:08 UTC] fernando at null-life dot com
Sorry, forgot to add that this test was done with USE_ZEND_ALLOC=0
 [2016-09-07 15:22 UTC] cmb@php.net
-Status: Feedback +Status: Open
 [2016-09-07 23:03 UTC] cmb@php.net
-Status: Assigned +Status: Analyzed -Assigned To: cmb +Assigned To:
 [2016-09-07 23:03 UTC] cmb@php.net
I've submitted PR 2120.
 [2016-12-14 18:03 UTC] leigh@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: leigh
 [2016-12-14 18:03 UTC] leigh@php.net
Closing as PR is merged
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Feb 18 01:01:26 2020 UTC