MOPB-35-2007:PHP 4 zip_entry_read() Integer Overflow Vulnerability

2013 年 6 月 29 日5130

Summary

The zip_read_entry() function that is used to read the content of a file stored inside a .ZIP archive is vulnerable to an integer overflow in memory allocation that leads to an exploitable bufferoverflow.

Affected versions

Affected are PHP 4 < 4.4.5

Detailed information

The zip_read_entry() function does not perform any check on the supplied length parameter. Therefore an integer overflow in memory allocation can happen when it adds one byte for a terminating ASCIIZ character.






    buf = emalloc(len + 1);




    ret = zzip_read(entry->fp, buf, len);




    buf[ret] = 0;

When a length of 0xffffffff is supplied the allocated memory block will be of size 0 while up to 4 GB of data is read from the ZIP archive into this memory block. This will overwrite everything behind the allocated block and can lead to the execution of arbitrary code.

Proof of concept, exploit or instructions to reproduce

The attached exploit consists of a small PHP POC and the supplied ZIP archive that contains the data that will overflow the buffer. Because this bug is just a standard heap overflow the POC only shows the crash inside the unlink macro.






$ gdb ./php




(...)




(gdb) run MOPB-35-2007.php




Starting program: /../php-4.4.4/sapi/cli/php MOPB-35-2007.php









Program received signal SIGSEGV, Segmentation fault.




0x0812c127 in _efree (ptr=0x81d76ec) at /../php-4.4.4/Zend/zend_alloc.c:274




274             REMOVE_POINTER_FROM_LIST(p);




(gdb) x/5i $eip




0x812c127 <_efree+71>:  mov    %eax,(%edx)




0x812c129 <_efree+73>:  mov    (%ebx),%edx




0x812c12b <_efree+75>:  test   %edx,%edx




0x812c12d <_efree+77>:  je     0x812c135 <_efree+85>




0x812c12f <_efree+79>:  mov    0x4(%ebx),%eax




(gdb) i r




eax            0x44444444       1145324612




ecx            0x8c8c8c9        147376329




edx            0x45454545       1162167621




ebx            0x81d76e0        136148704




esp            0xbff3ae20       0xbff3ae20




ebp            0xbff3ae28       0xbff3ae28




esi            0x81d265c        136128092




edi            0x81d71b4        136147380




eip            0x812c127        0x812c127 <_efree+71>




eflags         0x10216  66070




cs             0x73     115




ss             0x7b     123




ds             0x7b     123




es             0x7b     123




fs             0x0      0




gs             0x33     51




(gdb)

Notes

Nothing special, just a normal heap overflow.

0 0

相关文章